Skip to content

Commit

Permalink
[fix](kerberos)fix and refactor ugi login for kerberos and simple aut…
Browse files Browse the repository at this point in the history 
…hentication (#37301)

## Proposed changes
optimize kerberos ugi login:
1. support authentication framework for external table
2. cache ugi to avoid conflicts when set configuration for ugi login 
3. do ugi login just on creating catalog, which reduces the ugi create
times
4. only simple authentication will use getloginUser, which avoids
conflicts between simple and kerberos authentication

<!--Describe your changes.-->
  • Loading branch information
@wsjz @dataroaring
wsjz authored and dataroaring committed Jul 19, 2024
1 parent 580eb67 commit ee4dbc0
Show file tree
Hide file tree
Showing 15 changed files with 427 additions and 94 deletions.
2 changes: 1 addition & 1 deletion docker/thirdparties/docker-compose/kerberos/common/conf/doris-krb5.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
default_realm = LABS.TERADATA.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
ticket_lifetime = 5s
# this setting is causing a Message stream modified (41) error when talking to KDC running on CentOS 7: https://stackoverflow.com/a/60978520
# renew_lifetime = 7d
forwardable = true
Expand Down
2 changes: 2 additions & 0 deletions ...n/src/main/java/org/apache/doris/common/security/authentication/AuthenticationConfig.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ public abstract class AuthenticationConfig {
public static String HADOOP_KERBEROS_KEYTAB = "hadoop.kerberos.keytab";
public static String HIVE_KERBEROS_PRINCIPAL = "hive.metastore.kerberos.principal";
public static String HIVE_KERBEROS_KEYTAB = "hive.metastore.kerberos.keytab.file";
public static String DORIS_KRB5_DEBUG = "doris.krb5.debug";

/**
* @return true if the config is valid, otherwise false.
Expand Down Expand Up @@ -57,6 +58,7 @@ public static AuthenticationConfig getKerberosConfig(Configuration conf,
krbConfig.setKerberosPrincipal(conf.get(krbPrincipalKey));
krbConfig.setKerberosKeytab(conf.get(krbKeytabKey));
krbConfig.setConf(conf);
krbConfig.setPrintDebugLog(Boolean.parseBoolean(conf.get(DORIS_KRB5_DEBUG, "false")));
return krbConfig;
} else {
// AuthType.SIMPLE
Expand Down
44 changes: 44 additions & 0 deletions ...on/src/main/java/org/apache/doris/common/security/authentication/HadoopAuthenticator.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package org.apache.doris.common.security.authentication;

import org.apache.hadoop.security.UserGroupInformation;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;

public interface HadoopAuthenticator {

UserGroupInformation getUGI() throws IOException;

default <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException {
try {
return getUGI().doAs(action);
} catch (InterruptedException e) {
throw new IOException(e);
}
}

static HadoopAuthenticator getHadoopAuthenticator(AuthenticationConfig config) {
if (config instanceof KerberosAuthenticationConfig) {
return new HadoopKerberosAuthenticator((KerberosAuthenticationConfig) config);
} else {
return new HadoopSimpleAuthenticator((SimpleAuthenticationConfig) config);
}
}
}
163 changes: 163 additions & 0 deletions ...ain/java/org/apache/doris/common/security/authentication/HadoopKerberosAuthenticator.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package org.apache.doris.common.security.authentication;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import io.trino.plugin.base.authentication.KerberosTicketUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class HadoopKerberosAuthenticator implements HadoopAuthenticator {
private static final Logger LOG = LogManager.getLogger(HadoopKerberosAuthenticator.class);
private final KerberosAuthenticationConfig config;
private Subject subject;
private long nextRefreshTime;
private UserGroupInformation ugi;

public HadoopKerberosAuthenticator(KerberosAuthenticationConfig config) {
this.config = config;
}

public static void initializeAuthConfig(Configuration hadoopConf) {
hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
synchronized (HadoopKerberosAuthenticator.class) {
// avoid other catalog set conf at the same time
UserGroupInformation.setConfiguration(hadoopConf);
}
}

@Override
public synchronized UserGroupInformation getUGI() throws IOException {
if (ugi == null) {
subject = getSubject(config.getKerberosKeytab(), config.getKerberosPrincipal(), config.isPrintDebugLog());
ugi = Objects.requireNonNull(login(subject), "login result is null");
return ugi;
}
if (nextRefreshTime < System.currentTimeMillis()) {
long lastRefreshTime = nextRefreshTime;
Subject existingSubject = subject;
if (LOG.isDebugEnabled()) {
Date lastTicketEndTime = getTicketEndTime(subject);
LOG.debug("Current ticket expired time is {}", lastTicketEndTime);
}
// renew subject
Subject newSubject = getSubject(config.getKerberosKeytab(), config.getKerberosPrincipal(),
config.isPrintDebugLog());
Objects.requireNonNull(login(newSubject), "re-login result is null");
// modify UGI instead of returning new UGI
existingSubject.getPrincipals().addAll(newSubject.getPrincipals());
Set<Object> privateCredentials = existingSubject.getPrivateCredentials();
// clear the old credentials
synchronized (privateCredentials) {
privateCredentials.clear();
privateCredentials.addAll(newSubject.getPrivateCredentials());
}
Set<Object> publicCredentials = existingSubject.getPublicCredentials();
synchronized (publicCredentials) {
publicCredentials.clear();
publicCredentials.addAll(newSubject.getPublicCredentials());
}
nextRefreshTime = calculateNextRefreshTime(newSubject);
if (LOG.isDebugEnabled()) {
Date lastTicketEndTime = getTicketEndTime(newSubject);
LOG.debug("Next ticket expired time is {}", lastTicketEndTime);
LOG.debug("Refresh kerberos ticket succeeded, last time is {}, next time is {}",
lastRefreshTime, nextRefreshTime);
}
}
return ugi;
}

private UserGroupInformation login(Subject subject) throws IOException {
// login and get ugi when catalog is initialized
initializeAuthConfig(config.getConf());
String principal = config.getKerberosPrincipal();
if (LOG.isDebugEnabled()) {
LOG.debug("Login by kerberos authentication with principal: {}", principal);
}
return UserGroupInformation.getUGIFromSubject(subject);
}

private static long calculateNextRefreshTime(Subject subject) {
Preconditions.checkArgument(subject != null, "subject must be present in kerberos based UGI");
KerberosTicket tgtTicket = KerberosTicketUtils.getTicketGrantingTicket(subject);
return KerberosTicketUtils.getRefreshTime(tgtTicket);
}

private static Date getTicketEndTime(Subject subject) {
Preconditions.checkArgument(subject != null, "subject must be present in kerberos based UGI");
KerberosTicket tgtTicket = KerberosTicketUtils.getTicketGrantingTicket(subject);
return tgtTicket.getEndTime();
}

private static Subject getSubject(String keytab, String principal, boolean printDebugLog) {
Subject subject = new Subject(false, ImmutableSet.of(new KerberosPrincipal(principal)),
Collections.emptySet(), Collections.emptySet());
javax.security.auth.login.Configuration conf = getConfiguration(keytab, principal, printDebugLog);
try {
LoginContext loginContext = new LoginContext("", subject, null, conf);
loginContext.login();
return loginContext.getSubject();
} catch (LoginException e) {
throw new RuntimeException(e);
}
}

private static javax.security.auth.login.Configuration getConfiguration(String keytab, String principal,
boolean printDebugLog) {
return new javax.security.auth.login.Configuration() {
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
ImmutableMap.Builder<String, String> builder = ImmutableMap.<String, String>builder()
.put("doNotPrompt", "true")
.put("isInitiator", "true")
.put("useKeyTab", "true")
.put("storeKey", "true")
.put("keyTab", keytab)
.put("principal", principal);
if (printDebugLog) {
builder.put("debug", "true");
}
Map<String, String> options = builder.build();
return new AppConfigurationEntry[]{
new AppConfigurationEntry(
"com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
options)};
}
};
}
}
47 changes: 47 additions & 0 deletions .../main/java/org/apache/doris/common/security/authentication/HadoopSimpleAuthenticator.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements. See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership. The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied. See the License for the
// specific language governing permissions and limitations
// under the License.

package org.apache.doris.common.security.authentication;

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class HadoopSimpleAuthenticator implements HadoopAuthenticator {
private static final Logger LOG = LogManager.getLogger(HadoopSimpleAuthenticator.class);
private final UserGroupInformation ugi;

public HadoopSimpleAuthenticator(SimpleAuthenticationConfig config) {
String hadoopUserName = config.getUsername();
if (hadoopUserName == null) {
hadoopUserName = "hadoop";
config.setUsername(hadoopUserName);
if (LOG.isDebugEnabled()) {
LOG.debug("{} is unset, use default user: hadoop", AuthenticationConfig.HADOOP_USER_NAME);
}
}
ugi = UserGroupInformation.createRemoteUser(hadoopUserName);
if (LOG.isDebugEnabled()) {
LOG.debug("Login by proxy user, hadoop.username: {}", hadoopUserName);
}
}

@Override
public UserGroupInformation getUGI() {
return ugi;
}
}
89 changes: 18 additions & 71 deletions fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/HadoopUGI.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,15 +18,14 @@
package org.apache.doris.common.security.authentication;

import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;

@Deprecated
public class HadoopUGI {
private static final Logger LOG = LogManager.getLogger(HadoopUGI.class);

Expand All @@ -39,82 +38,30 @@ private static UserGroupInformation loginWithUGI(AuthenticationConfig config) {
if (config == null || !config.isValid()) {
return null;
}
UserGroupInformation ugi;
if (config instanceof KerberosAuthenticationConfig) {
KerberosAuthenticationConfig krbConfig = (KerberosAuthenticationConfig) config;
Configuration hadoopConf = krbConfig.getConf();
hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_KERBEROS_KEYTAB_LOGIN_AUTORENEWAL_ENABLED, "true");
UserGroupInformation.setConfiguration(hadoopConf);
String principal = krbConfig.getKerberosPrincipal();
try {
// login hadoop with keytab and try checking TGT
ugi = UserGroupInformation.getLoginUser();
LOG.debug("Current login user: {}", ugi.getUserName());
if (ugi.hasKerberosCredentials() && StringUtils.equals(ugi.getUserName(), principal)) {
// if the current user is logged by kerberos and is the same user
// just use checkTGTAndReloginFromKeytab because this method will only relogin
// when the TGT is expired or is close to expiry
ugi.checkTGTAndReloginFromKeytab();
return ugi;
// TODO: remove after iceberg and hudi kerberos test case pass
try {
// login hadoop with keytab and try checking TGT
UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
LOG.debug("Current login user: {}", ugi.getUserName());
String principal = ((KerberosAuthenticationConfig) config).getKerberosPrincipal();
if (ugi.hasKerberosCredentials() && StringUtils.equals(ugi.getUserName(), principal)) {
// if the current user is logged by kerberos and is the same user
// just use checkTGTAndReloginFromKeytab because this method will only relogin
// when the TGT is expired or is close to expiry
ugi.checkTGTAndReloginFromKeytab();
return ugi;
}
} catch (IOException e) {
LOG.warn("A SecurityException occurs with kerberos, do login immediately.", e);
}
} catch (IOException e) {
LOG.warn("A SecurityException occurs with kerberos, do login immediately.", e);
}
try {
ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, krbConfig.getKerberosKeytab());
UserGroupInformation.setLoginUser(ugi);
LOG.debug("Login by kerberos authentication with principal: {}", principal);
return ugi;
return new HadoopKerberosAuthenticator((KerberosAuthenticationConfig) config).getUGI();
} catch (IOException e) {
throw new RuntimeException(e);
}
} else {
String hadoopUserName = ((SimpleAuthenticationConfig) config).getUsername();
if (hadoopUserName == null) {
hadoopUserName = "hadoop";
((SimpleAuthenticationConfig) config).setUsername(hadoopUserName);
LOG.debug(AuthenticationConfig.HADOOP_USER_NAME + " is unset, use default user: hadoop");
}

try {
ugi = UserGroupInformation.getLoginUser();
if (ugi.getUserName().equals(hadoopUserName)) {
return ugi;
}
} catch (IOException e) {
LOG.warn("A SecurityException occurs with simple, do login immediately.", e);
}

ugi = UserGroupInformation.createRemoteUser(hadoopUserName);
UserGroupInformation.setLoginUser(ugi);
LOG.debug("Login by proxy user, hadoop.username: {}", hadoopUserName);
return ugi;
}
}

/**
* use for HMSExternalCatalog to login
* @param config auth config
*/
public static void tryKrbLogin(String catalogName, AuthenticationConfig config) {
if (config instanceof KerberosAuthenticationConfig) {
KerberosAuthenticationConfig krbConfig = (KerberosAuthenticationConfig) config;
try {
Configuration hadoopConf = krbConfig.getConf();
hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, "true");
hadoopConf.set(CommonConfigurationKeysPublic.HADOOP_KERBEROS_KEYTAB_LOGIN_AUTORENEWAL_ENABLED, "true");
UserGroupInformation.setConfiguration(hadoopConf);
/**
* Because metastore client is created by using
* {@link org.apache.hadoop.hive.metastore.RetryingMetaStoreClient#getProxy}
* it will relogin when TGT is expired, so we don't need to relogin manually.
*/
UserGroupInformation.loginUserFromKeytab(krbConfig.getKerberosPrincipal(),
krbConfig.getKerberosKeytab());
} catch (IOException e) {
throw new RuntimeException("login with kerberos auth failed for catalog: " + catalogName, e);
}
return new HadoopSimpleAuthenticator((SimpleAuthenticationConfig) config).getUGI();
}
}

Expand Down
Loading

0 comments on commit ee4dbc0

Please sign in to comment.