confluentinc / kafka-connect-hdfs

Kafka Connect HDFS connector

multiple keytab kerberos issue #673

Closed zeun0725 closed 7 months ago

zeun0725 commented 7 months ago

If multiple keytabs are distributed on the connect server, authentication errors may occur.

      UserGroupInformation.loginUserFromKeytab(principal, connectorConfig.connectHdfsKeytab()); // problem point
      final UserGroupInformation ugi = UserGroupInformation.getLoginUser();  // problem point
      log.info("Login as: " + ugi.getUserName());

      isRunning = true;
      ticketRenewThread = new Thread(() -> renewKerberosTicket(ugi));

Example: connector A uses the test user's keytab (write path: /hdfs/user/test), and connector B uses the test2 user's keytab (write path: /hdfs/user/test2). If both connectors are restarted due to certain circumstances, different keytab information can be imported because of the thread-based behavior. If connector B calls loginUserFromKeytab('test2@EXAMPLE.COM', '/../test2.keytab') at the moment connector A calls getLoginUser(), A logs in as the test2 user. So you can face the error below:

Caused by: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: Permission denied: user=test2, access=EXECUTE, inode="/hdfs/user/test"
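As an added illustration of why the two marked lines race (this is not kafka-connect-hdfs code and not the change in the linked PR): loginUserFromKeytab() replaces one JVM-wide static login user and getLoginUser() reads it back, so when two connectors restart on separate threads, connector A can read back connector B's login. The block contrasts that pattern with a per-connector UserGroupInformation obtained from loginUserFromKeytabAndReturnUGI() and used through doAs(). The class, the keytab paths, the identity holder and the guard check are assumptions made for the example; running it needs a Kerberos-enabled HDFS reachable through the default Hadoop Configuration.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Added illustration of the login race described in this issue; not code from
 * kafka-connect-hdfs. Keytab paths and names below are hypothetical.
 */
public class KeytabLoginRace {

  /** Per-connector identity: principal, keytab and the HDFS directory it owns. */
  static final class ConnectorIdentity {
    final String principal;
    final String keytab;
    final String writePath;

    ConnectorIdentity(String principal, String keytab, String writePath) {
      this.principal = principal;
      this.keytab = keytab;
      this.writePath = writePath;
    }
  }

  // Constructed sample identities mirroring connectors A and B from the report.
  static final ConnectorIdentity A = new ConnectorIdentity(
      "test@EXAMPLE.COM", "/etc/security/keytabs/test.keytab", "/hdfs/user/test");
  static final ConnectorIdentity B = new ConnectorIdentity(
      "test2@EXAMPLE.COM", "/etc/security/keytabs/test2.keytab", "/hdfs/user/test2");

  /**
   * The pattern quoted in the issue. loginUserFromKeytab() overwrites the
   * JVM-wide static login user, so between the two calls another connector's
   * login can replace it and this connector then acts as the wrong principal.
   */
  static void racyStart(ConnectorIdentity id, Configuration conf) throws Exception {
    UserGroupInformation.loginUserFromKeytab(id.principal, id.keytab);
    // race window: another thread's loginUserFromKeytab() may land here
    UserGroupInformation ugi = UserGroupInformation.getLoginUser();
    // Guard that surfaces the race here instead of as a permission error on
    // the other principal's directory later on.
    if (!id.principal.equals(ugi.getUserName())) {
      throw new IllegalStateException("expected login as " + id.principal
          + " but JVM login user is " + ugi.getUserName());
    }
    FileSystem fs = FileSystem.get(conf); // bound to whatever the login user is now
    fs.mkdirs(new Path(id.writePath, "tmp"));
  }

  /**
   * Isolated pattern: each connector keeps its own UGI and performs all HDFS
   * calls inside doAs(), so concurrent logins by other connectors cannot change
   * which principal this connector acts as.
   */
  static void isolatedStart(ConnectorIdentity id, Configuration conf) throws Exception {
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(id.principal, id.keytab);
    ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
      // FileSystem.get() inside doAs() is keyed on this UGI, not the static login user.
      FileSystem fs = FileSystem.get(conf);
      fs.mkdirs(new Path(id.writePath, "tmp"));
      return null;
    });
    // Ticket renewal must also go through the private UGI, not getLoginUser().
    ugi.checkTGTAndReloginFromKeytab();
  }

  private static void run(ConnectorIdentity id, Configuration conf) {
    try {
      isolatedStart(id, conf); // swap in racyStart(id, conf) to reproduce the issue
    } catch (Exception e) {
      throw new RuntimeException(Thread.currentThread().getName() + " failed", e);
    }
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    // Restart both connectors concurrently, as the report describes.
    Thread ta = new Thread(() -> run(A, conf), "connector-A");
    Thread tb = new Thread(() -> run(B, conf), "connector-B");
    ta.start();
    tb.start();
    ta.join();
    tb.join();
  }
}
```

With racyStart() the outcome depends on thread timing: most runs succeed, and occasionally connector A's guard reports that the JVM login user is test2@EXAMPLE.COM. With isolatedStart() each thread's FileSystem instance is cached per UGI, so the identity used for the write never depends on what the other thread is doing.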

zeun0725 commented 7 months ago

https://github.com/confluentinc/kafka-connect-hdfs/pull/674