[jira] [Commented] (KUDU-3558) Error out when ranger subprocess is started with kerberos disabled

Fri, 01 Mar 2024 16:45:06 -0800 


    [ 
https://issues.apache.org/jira/browse/KUDU-3558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17822733#comment-17822733
 ] 

ASF subversion and git services commented on KUDU-3558:
-------------------------------------------------------

Commit 647726ad6b2aab0c6a6d34e16e027debd8a827eb in kudu's branch 
refs/heads/master from Ashwani Raina
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=647726ad6 ]

[ranger] KUDU-3558 Error out early when keytab file flag is empty

This patch enables ranger client to catch a missing keytab file
scenario early on before even starting the Ranger subprocess.
Upon detection, log the error message and avoid spawning the
Ranger subprocess. This helps in debugging of scenario when
Kerberos is disabled and Ranger subprocess is started without doing
prechecks only to find out in later stage during Ranger plugin init.

The patch also modifies two existing tests by adding dummy keytab
file path to make it pass as before. Also, add a test to empty keytab
file scenario.

Change-Id: Iaf4df18f91a479f5d1ce4d959bd2dbb5e395eb1b
Reviewed-on: http://gerrit.cloudera.org:8080/21097
Tested-by: Alexey Serbin <ale...@apache.org>
Reviewed-by: Alexey Serbin <ale...@apache.org>


> Error out when ranger subprocess is started with kerberos disabled
> ------------------------------------------------------------------
>
>                 Key: KUDU-3558
>                 URL: https://issues.apache.org/jira/browse/KUDU-3558
>             Project: Kudu
>          Issue Type: Bug
>            Reporter: Ashwani Raina
>            Assignee: Ashwani Raina
>            Priority: Minor
>
> Today, when kudu cluster (with disabled authentication), is started with Kudu 
> ranger, the ranger subprocess doesn't start because of missing keytab file.
> We do catch this error but it happens pretty late in java subprocess init 
> routine. And sometimes can be pretty confusing during investigation if not 
> looking at the right log file.
> The error message looks like this in stderr log file:
> ++
> Exception in thread "main" 
> org.apache.kudu.subprocess.KuduSubprocessException: Kudu principal and Keytab 
> file must be provided when Kerberos is enabled in Ranger
>         at 
> org.apache.kudu.subprocess.ranger.authorization.RangerKuduAuthorizer.init(RangerKuduAuthorizer.java:78)
>         at 
> org.apache.kudu.subprocess.ranger.RangerProtocolHandler.<init>(RangerProtocolHandler.java:45)
>         at 
> org.apache.kudu.subprocess.ranger.RangerSubprocessMain.main(RangerSubprocessMain.java:39)
> ++
> This Jira will be used to detect this error pretty early in the process and 
> log some actionable information inside kudu master logs.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to