[ https://issues.apache.org/jira/browse/ATLAS-2548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16607818#comment-16607818 ]

Madhan Neethiraj commented on ATLAS-2548:
-----------------------------------------

[~sailajanch] - thanks for the patch. Atlas team uses Review Board for 
code-review. Can you please create a review with your patch? It will make it a 
lot easier to review and comment.

Here are a few comments:
{noformat}
+    private static final boolean IBM_JAVA = 
System.getProperty("java.vendor").contains("IBM");
+    private static final String IBM_LOGIN_MODULE = 
"com.ibm.security.auth.module.Krb5LoginModule";
...
-                String loginModuleName = properties.getProperty(keyParam);
+                
+                String loginModuleName;
+                if (IBM_JAVA)
+                    loginModuleName = IBM_LOGIN_MODULE;
+                else
+                    loginModuleName = properties.getProperty(keyParam);

{noformat}
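Review bot: in the `if (IBM_JAVA)` branch, `loginModuleName = IBM_LOGIN_MODULE;` discards whatever `properties.getProperty(keyParam)` returns, so on an IBM JVM every JAAS entry handled here is forced to the Kerberos module, including an entry configured with a different login module, and nothing tells the operator that the configured value was ignored. Substitute only when the configured value is unset or names the Sun Krb5LoginModule class, and log the substitution. Separately, `System.getProperty("java.vendor").contains("IBM")` runs in a static initializer and throws if the property is null, which would fail class initialization; a null-safe check is more robust. Style: put braces on the if/else.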
Instead of overwriting loginModuleName, why not update the Atlas configuration 
(in file atlas-application.properties) with correct login module name?

{noformat}
+                        /**
+                         * IBM JDK's Krb5LoginModule security module accepts 
only certain JAAS configuration parameters.
+                         * Filtering those out appropriately.
+                         */
...
+                if (IBM_JAVA) {
+                    options.put(JAAS_CREDSTYPE_PROP, JAAS_CREDSTYPE_VALUE);
+                }
+

{noformat}
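Review bot: `options.put(JAAS_CREDSTYPE_PROP, JAAS_CREDSTYPE_VALUE);` under `if (IBM_JAVA)` overwrites any value for that option that was already read from configuration, so a deployment cannot choose a different credentials type; add it only when the key is absent. The comment says unsupported parameters are filtered out, but the filtering itself is elided here; wherever it happens, dropping configured JAAS options changes authentication behaviour silently, so log the name of each option that is removed. Judging by the indentation, the `/** ... */` block sits inside a method body, where a plain `//` or `/* */` comment is the usual form.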
Again, I think it will be clearer to update Atlas configuration file to 
remove/add necessary options. No code change should be necessary here. Please 
let me know if you run into any issues with this approach.

> Use of IBM JDK results in kafka login exceptions in a kerberized environment
> ----------------------------------------------------------------------------
>
>                 Key: ATLAS-2548
>                 URL: https://issues.apache.org/jira/browse/ATLAS-2548
>             Project: Atlas
>          Issue Type: Bug
>          Components: atlas-intg
>    Affects Versions: 0.8-incubating
>            Reporter: Sailaja Navvluru
>            Priority: Major
>              Labels: security
>         Attachments: InMemoryJAASConfiguration.java.patch
>
>
> Our product uses IBM JDK while interacting with hive metastore directly to 
> create metadata. When Atlas-Hive hook is enabled in kerberized environment, 
> our application logs are filled with the following errors as the Kerberos 
> login module is not found in the path specified by atlas application 
> properties file. IBM JDK has some more restrictions on Kerberos support where 
> some of the options supported by sun JDK are not available.
> ERROR - Failed to notify atlas for entity [[{Id='(type: hive_db, id: 
> <unassigned>)', traits=[], values={owner=bigsql, ownerType=1, 
> qualifiedName=tpcdsorc1000@bigsql502
> org.apache.kafka.common.KafkaException: Failed to construct kafka producer
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:338)
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:188)
>     at org.apache.atlas.kafka.KafkaNotification.createProducer(KafkaNotification.java:289)
>     at org.apache.atlas.kafka.KafkaNotification.sendInternal(KafkaNotification.java:210)
>     at org.apache.atlas.notification.AbstractNotification.send(AbstractNotification.java:84)
>     at org.apache.atlas.hook.AtlasHook.notifyEntitiesInternal(AtlasHook.java:133)
>     at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:118)
>     at org.apache.atlas.hook.AtlasHook.notifyEntities(AtlasHook.java:171)
>     at org.apache.atlas.hive.hook.HiveHook.access$300(HiveHook.java:83)
>     at org.apache.atlas.hive.hook.HiveHook$3.run(HiveHook.java:221)
>     at java.security.AccessController.doPrivileged(AccessController.java:686)
>     at javax.security.auth.Subject.doAs(Subject.java:569)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)
>     at org.apache.atlas.hive.hook.HiveHook.notifyAsPrivilegedAction(HiveHook.java:233)
>     at org.apache.atlas.hive.hook.HiveHook$2.run(HiveHook.java:203)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:277)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
>     at java.lang.Thread.run(Thread.java:785)
> Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
>     at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:86)
>     at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:71)
>     at org.apache.kafka.clients.ClientUtils.createChannelBuilder(ClientUtils.java:85)
>     at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:302)
>     ... 19 more
> Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
> Attaching a patch to the defect we have tested to support IBM JDK and 
> Kerberos on 0.8 level of Atlas



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
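
The configuration-only approach suggested in the comment above, as an added example that is not part of the original message, the attached patch or the Atlas project. It assumes the `atlas.jaas.KafkaClient.*` keys used in `atlas-application.properties` and the `credsType` and `useKeytab` options documented for IBM's Krb5LoginModule; the values, keytab path and principal are constructed placeholders, not taken from the patch.

```properties
# Constructed example for atlas-application.properties.
# Keytab path and principal are placeholders.

# Before: JAAS entry written for the Sun/Oracle module. On IBM JDK it fails with
# "unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule".
#atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.Krb5LoginModule
#atlas.jaas.KafkaClient.loginModuleControlFlag = required
#atlas.jaas.KafkaClient.option.useKeyTab = true
#atlas.jaas.KafkaClient.option.storeKey = true
#atlas.jaas.KafkaClient.option.keyTab = /path/to/atlas.keytab
#atlas.jaas.KafkaClient.option.principal = atlas/host.example.com@EXAMPLE.COM

# After: same entry for IBM JDK. The module class changes, the Sun-only
# options (useKeyTab, storeKey, keyTab) are removed, and the IBM equivalents
# are set explicitly (assumed from IBM's module documentation).
atlas.jaas.KafkaClient.loginModuleName = com.ibm.security.auth.module.Krb5LoginModule
atlas.jaas.KafkaClient.loginModuleControlFlag = required
atlas.jaas.KafkaClient.option.credsType = both
atlas.jaas.KafkaClient.option.useKeytab = file:///path/to/atlas.keytab
atlas.jaas.KafkaClient.option.principal = atlas/host.example.com@EXAMPLE.COM
```

Keeping the module name and options in the file leaves the authentication settings visible and auditable in one place rather than rewritten at runtime by a vendor check.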
