Josh Elser created HBASE-26212:
----------------------------------

             Summary: Allow AuthUtil automatic renewal to be disabled
                 Key: HBASE-26212
                 URL: https://issues.apache.org/jira/browse/HBASE-26212
             Project: HBase
          Issue Type: Improvement
          Components: Client, security
            Reporter: Josh Elser
            Assignee: Josh Elser
Talking with [~bbende] who was looking at some "spam" in the NiFi log where AuthUtil was complaining that it couldn't renew the UGI. This did not cause him problems (NiFi could always read/write to HBase), but it generated a lot of noise in the NiFi log.

NiFi is special in that it's managing renewals on its own (for all services it can communicate with), rather than letting each client do it on its own. Specifically, one way they do this is by doing a keytab-based login via JAAS, constructing a UGI object from that JAAS login, and then invoking HBase in a normal UGI.doAs().

The problem comes in that AuthUtil _thinks_ that it is capable of renewing this UGI instance on its own. AuthUtil can determine that the current UGI came from a keytab, and thus thinks that it can renew it. However, this actually fails because the LoginContext inside UGI *isn't* actually something that UGI can renew (remember: because NiFi did it directly via JAAS and not via UGI).

{noformat}
2021-08-19 17:32:19,438 ERROR [Relogin service.Chore.1] org.apache.hadoop.hbase.AuthUtil Got exception while trying to refresh credentials: loginUserFromKeyTab must be done first
java.io.IOException: loginUserFromKeyTab must be done first
        at org.apache.hadoop.security.UserGroupInformation.reloginFromKeytab(UserGroupInformation.java:1194)
        at org.apache.hadoop.security.UserGroupInformation.checkTGTAndReloginFromKeytab(UserGroupInformation.java:1125)
        at org.apache.hadoop.hbase.AuthUtil$1.chore(AuthUtil.java:206)
{noformat}

After talking with Bryan about this: we don't see a good way for HBase to detect this specific "a UGI instance, but not created by UGI" case because the LoginContext inside UGI is private.

It is great that AuthUtil will automatically try to renew keytab logins, even if not using {{hbase.client.keytab.file}} and {{hbase.client.keytab.principal}}, so I don't want to break that functionality. NiFi is unique in this case in that it is fully managing the renewals, so I think the best path forward is to add an option which lets NiFi disable AuthUtil since it knows it can safely do this. This should affect any other users (but also give us an option if AuthUtil ever does cause problems).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
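The two login paths the issue contrasts, as an added example written for this page (it is not code from NiFi, HBase or the issue reporter). Path 1 is the normal HBase client login through UGI, which UGI can renew. Path 2 is the NiFi-style path: a keytab login done by JAAS directly, wrapped in a UGI via getUGIFromSubject(), for which isFromKeytab() is true but reloginFromKeytab() throws the "loginUserFromKeyTab must be done first" error seen in the log above. The JAAS application name "HBaseClient", the principal, the keytab path, and the config key "hbase.client.keytab.automatic.renewal" used for the proposed opt-out are assumptions; the issue itself only says "an option" and does not name it.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

public class JaasVsUgiKeytabLogin {

  // Path 1: UGI performs the keytab login itself and keeps the LoginContext.
  // AuthUtil's "Relogin service" chore can call checkTGTAndReloginFromKeytab()
  // on this UGI without error.
  static UserGroupInformation loginViaUgi(Configuration conf, String principal, String keytab)
      throws IOException {
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(principal, keytab);
    return UserGroupInformation.getLoginUser();
  }

  // Path 2: the NiFi-style login described in the issue. JAAS does the keytab
  // login (entry "HBaseClient" in the file named by -Djava.security.auth.login.config,
  // an assumed name), and UGI merely wraps the resulting Subject. Because the
  // Subject carries keytab credentials, ugi.isFromKeytab() reports true, but UGI
  // owns no LoginContext, so it cannot re-login from the keytab on its own.
  static UserGroupInformation loginViaJaas(Configuration conf, String jaasAppName)
      throws IOException, LoginException {
    UserGroupInformation.setConfiguration(conf);
    LoginContext lc = new LoginContext(jaasAppName);
    lc.login();
    Subject subject = lc.getSubject();
    return UserGroupInformation.getUGIFromSubject(subject);
  }

  // Probe that mirrors what AuthUtil's chore attempts. Returns true when UGI
  // could renew the login itself, false when it threw. For a JAAS-built UGI the
  // exception message is "loginUserFromKeyTab must be done first". Note that the
  // chore calls checkTGTAndReloginFromKeytab(), which may skip the relogin while
  // the TGT is fresh; reloginFromKeytab() is used here to make the probe deterministic.
  static boolean ugiCanRenewItself(UserGroupInformation ugi) {
    if (!ugi.isFromKeytab()) {
      return false; // nothing for a keytab-renewal chore to do
    }
    try {
      ugi.reloginFromKeytab();
      return true;
    } catch (IOException e) {
      System.err.println("UGI cannot renew this login: " + e.getMessage());
      return false;
    }
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = HBaseConfiguration.create();
    conf.set("hadoop.security.authentication", "kerberos");

    // Assumed name for the opt-out the issue proposes: a client that manages
    // renewals itself (as NiFi does) would set it to false so that AuthUtil does
    // not schedule its own relogin chore. This key is not defined anywhere on this page.
    conf.setBoolean("hbase.client.keytab.automatic.renewal", false);

    // Principal and keytab path are placeholders.
    UserGroupInformation viaUgi = loginViaUgi(conf, "nifi@EXAMPLE.COM", "/etc/security/keytabs/nifi.keytab");
    System.out.println("UGI login renewable by UGI: " + ugiCanRenewItself(viaUgi));   // true

    UserGroupInformation viaJaas = loginViaJaas(conf, "HBaseClient");
    System.out.println("JAAS login renewable by UGI: " + ugiCanRenewItself(viaJaas)); // false

    // The caller is still fully functional when it does its own renewals: HBase
    // work runs inside doAs() with the JAAS-backed credentials, exactly as NiFi does.
    viaJaas.doAs((PrivilegedExceptionAction<Void>) () -> {
      try (Connection conn = ConnectionFactory.createConnection(conf)) {
        conn.getAdmin().listNamespaceDescriptors();
      }
      return null;
    });
  }
}
```

The probe is the only signal a client has: HBase itself cannot tell the two UGIs apart from outside because, as the issue notes, the LoginContext inside UGI is private, which is why the proposed fix is an explicit opt-out rather than auto-detection.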