LamiumAmplexicaule commented on PR #7349:
URL: https://github.com/apache/kyuubi/pull/7349#issuecomment-4064611012
It turned out that the `Cannot locate default realm` error occurs for the
following reason.
In `org.apache.kyuubi.KerberizedTestHelper#tryWithSecurityEnabled`,
`System.clearProperty("java.security.krb5.conf")` is called in the finally
block.
- https://github.com/apache/kyuubi/blob/52b038b93cb5e214fcd4a1ed9d1fa8cd3ae8abbc/kyuubi-common/src/test/scala/org/apache/kyuubi/KerberizedTestHelper.scala#L159
In `org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProvider`,
`org.apache.hadoop.security.authentication.util.JaasConfiguration` or
`org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration`
is used,
- https://github.com/apache/kyuubi/blob/52b038b93cb5e214fcd4a1ed9d1fa8cd3ae8abbc/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala#L124-L144
and inside it there is a line:
```java
options.put("refreshKrb5Config", "true");
```
- https://github.com/apache/hadoop/blob/a178eb780f5c983ab7e5c5a4add8a3027060c68d/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/JaasConfiguration.java#L51
- https://github.com/apache/hadoop/blob/15621e34155ff41b3bfaefec066cde2b37eaff64/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java#L280
Because of this, `sun.security.krb5.Config#refresh` is invoked before
`com.sun.security.auth.module.Krb5LoginModule#login`.
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java#L533
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L150-L158
At that point, since `java.security.krb5.conf` does not exist,
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L213
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L867-L868
it attempts to read `/etc/krb5.conf`.
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L234
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L939
As `/etc/krb5.conf` does not exist, nothing is loaded, and the singleton
instance maintained by `sun.security.krb5.Config` is overwritten (the
stanzaTable becomes empty).
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L152
As a result, `get("libdefaults", "default_realm")` returns `null`, which
causes a `KrbException("Cannot locate default realm")` to be thrown.
- https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L1196
We need logic that either uses `tryWithSecurityEnabled` or, for unit tests
that use JAAS (e.g., tests that `set up zookeeper auth` and `set up zookeeper
auth for engine`), saves the current `javax.security.auth.login.Configuration`
before the test and restores it afterwards.
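One way to implement the save-and-restore of `javax.security.auth.login.Configuration` described in the comment above, as an added example that is not code from the PR or from Kyuubi. The names `JaasIsolation`, `withSavedJaasConfiguration`, `currentJaasConfiguration` and `RefreshingKrb5Configuration` are hypothetical, and the inner class is a constructed stand-in for the Hadoop `JaasConfiguration` that sets `refreshKrb5Config`.

```scala
import java.util.{HashMap => JHashMap}
import javax.security.auth.login.{AppConfigurationEntry, Configuration}
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag

object JaasIsolation {
  // getConfiguration throws SecurityException when nothing is installed and no
  // default login config file can be located; treat that as "nothing installed".
  def currentJaasConfiguration(): Option[Configuration] =
    try Option(Configuration.getConfiguration)
    catch { case _: SecurityException => None }

  // Hypothetical helper: run `body`, then reinstall whatever JAAS Configuration
  // was active before, so a Configuration set by one test cannot leak into the next.
  def withSavedJaasConfiguration[T](body: => T): T = {
    val saved = currentJaasConfiguration()
    try body
    finally Configuration.setConfiguration(saved.orNull) // null = fall back to the default lookup
  }

  // Constructed stand-in for the Hadoop JaasConfiguration referenced above:
  // every entry asks Krb5LoginModule to refresh the krb5 config before login.
  final class RefreshingKrb5Configuration extends Configuration {
    override def getAppConfigurationEntry(name: String): Array[AppConfigurationEntry] = {
      val options = new JHashMap[String, String]()
      options.put("refreshKrb5Config", "true")
      Array(new AppConfigurationEntry(
        "com.sun.security.auth.module.Krb5LoginModule",
        LoginModuleControlFlag.REQUIRED,
        options))
    }
  }

  def main(args: Array[String]): Unit = {
    val before = currentJaasConfiguration()
    withSavedJaasConfiguration {
      // What a "set up zookeeper auth" style test effectively does to global state.
      Configuration.setConfiguration(new RefreshingKrb5Configuration)
      assert(Configuration.getConfiguration.isInstanceOf[RefreshingKrb5Configuration])
    }
    // The refreshing Configuration is gone once the block exits.
    assert(currentJaasConfiguration() == before)
  }
}
```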