Add kerberos auth support to kudu connector #10953
Conversation
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduModule.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduAuthenticationType.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduModule.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduModule.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduRecordCursor.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/schema/NoSchemaEmulation.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduClientConfig.java
Outdated
Show resolved
Hide resolved
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
6 times, most recently
from
433567c to
d3bb26e
Compare
...oduct-tests/src/main/java/io/trino/tests/product/kudu/TestKuduConnectoKerberosSmokeTest.java
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KerberizedKuduClient.java
Outdated
Show resolved
Hide resolved
...toolkit/src/main/java/io/trino/plugin/base/authentication/CachingKerberosAuthentication.java
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/IKuduClient.java
Outdated
Show resolved
Hide resolved
...plugin-toolkit/src/main/java/io/trino/plugin/base/authentication/KerberosAuthentication.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/DelegatingKuduClient.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KerberizedKuduClient.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KerberizedKuduClient.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KerberizedKuduClient.java
Show resolved
Hide resolved
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
4 times, most recently
from
775e009 to
09ed27d
Compare
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/DelegatingKuduClient.java
Outdated
Show resolved
Hide resolved
...toolkit/src/main/java/io/trino/plugin/base/authentication/CachingKerberosAuthentication.java
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduClientConfig.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/KuduSecurityModule.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/PassthroughKuduClient.java
Outdated
Show resolved
Hide resolved
plugin/trino-kudu/src/main/java/io/trino/plugin/kudu/SystemProperties.java
Outdated
Show resolved
Hide resolved
...roduct-tests-launcher/src/main/java/io/trino/tests/product/launcher/env/common/Kerberos.java
Show resolved
Hide resolved
.../src/main/java/io/trino/tests/product/launcher/env/environment/EnvMultinodeKerberosKudu.java
Outdated
Show resolved
Hide resolved
...ts-launcher/src/main/java/io/trino/tests/product/launcher/suite/suites/Suite7NonGeneric.java
Outdated
Show resolved
Hide resolved
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
5 times, most recently
from
eb79cba to
a2893f4
Compare
There was a problem hiding this comment.
Generally LGTM, some config names/descriptions improvements. Nice work @grantatspothero !
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
2 times, most recently
from
8eb137a to
63265ae
Compare
A subsequent commit will then introduce a kerberizedkuduclient that handles kerberos ticket renewal
Subsequent commit will add kerberos config support to the kudumodule
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
2 times, most recently
from
d4cbf8e to
9960f8a
Compare
|
Rebased and created docs. I also tried to take the suggestions on the config properties, let me know if the feedback I provided does not make sense. |
| Kerberos support | ||
| ---------------- | ||
|
|
||
| In order to connect to a kudu cluster that uses ``kerberos`` | ||
| authentication, you need to configure the following kudu properties: | ||
|
|
||
| .. code-block:: properties | ||
|
|
||
| kudu.authentication.type = KERBEROS | ||
|
|
||
| kudu.authentication.client.principal = clientprincipalname | ||
|
|
||
| kudu.authentication.client.keytab = /path/to/keytab/file.keytab | ||
|
|
||
| kudu.authentication.config = /path/to/kerberos/krb5.conf | ||
|
|
||
| ## Optional and defaults to "kudu" | ||
| ## If kudu is running with a custom SPN this needs to be configured | ||
| kudu.authentication.server.principal.primary = kudu |
There was a problem hiding this comment.
@mosabua Can you PTAL?
@grantatspothero are the newlines between consecutive properties needed?
There was a problem hiding this comment.
No, just thought that made this more readable, can change.
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
from
9960f8a to
57d25c8
Compare
|
Had to rebase this commit: fca8b7b to fix the kudu product test CI failure. There was a race condition where we reported kerberos startup was successful before the kerberos init script finished running. |
|
See failures in suite-1: |
...oduct-tests/src/main/java/io/trino/tests/product/kudu/TestKuduConnectoKerberosSmokeTest.java
Outdated
Show resolved
Hide resolved
| assertThat(result).updatedRowsCountIsEqualTo(25); | ||
| assertThat(onTrino().executeQuery(format("SELECT count(*) FROM %s", kuduTable))).containsExactlyInOrder(row(25)); | ||
| // Kerberos tickets are configured to expire after 60 seconds, this should expire the ticket | ||
| Thread.sleep(120_000L); |
There was a problem hiding this comment.
can we make it shorter? (configurable)? Can we expire it programmatically
There was a problem hiding this comment.
I configured the default ticket expiry in tests to be 1 min, see kerberos_init.sh, I can make this lower just wanted to be very safe.
I'll look a bit more into useTicketCache in JAAS, it is possible we can force jaas to use the ticket cache then destroy the ticket cache programmatically
https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
There was a problem hiding this comment.
When I tried to configure useTicketCache with debug logs on, it attempted to read a ticket cache file that did not exist.
It looks like the java kerberos client implementation does not ever write tickets to the ticket cache, it only supports reading from an existing ticket cache, see here for some more details:
https://stackoverflow.com/questions/45463635/jaas-fails-to-persist-kerberos-ticket-to-cache-file-and-unable-to-create-cach/45618313#45618313
Going down that path doesn't seem promising.
I'm not a kerberos expert, if other people have ideas let me know! Revocation of kerberos tickets is not usually done because ticket lifetimes are so short.
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
from
57d25c8 to
e0ffaab
Compare
|
@wendigo there were permissions problems with the kudu keytab files that only happened in CI for some reason, fixed and tests are green now. |
There was a problem hiding this comment.
LGTM % modernizer violations:
Error: /home/runner/work/trino/trino/plugin/trino-kudu/src/test/java/io/trino/plugin/kudu/TestKuduAuthenticationConfig.java:39: Use buildOrThrow() instead, as it makes it clear that it will throw on duplicated values
Error: /home/runner/work/trino/trino/plugin/trino-kudu/src/test/java/io/trino/plugin/kudu/TestKuduKerberosConfig.java:55: Use buildOrThrow() instead, as it makes it clear that it will throw on duplicated values
Error: /home/runner/work/trino/trino/plugin/trino-kudu/src/test/java/io/trino/plugin/kudu/TestKuduKerberosConfig.java:74: Use buildOrThrow() instead, as it makes it clear that it will throw on duplicated values
Includes handling of kerberos ticket expiration and product tests demonstrating ticket renewal
Allows reduction of boilerplate related to system properties
grantatspothero
force-pushed
the
gn/kuduKerberosSupport
branch
from
e0ffaab to
44b872c
Compare
| assertThat(result).updatedRowsCountIsEqualTo(25); | ||
| assertThat(onTrino().executeQuery(format("SELECT count(*) FROM %s", kuduTable))).containsExactlyInOrder(row(25)); | ||
| // Kerberos tickets are configured to expire after 60 seconds, this should expire the ticket | ||
| Thread.sleep(70_000L); |
There was a problem hiding this comment.
We shouldn't have a test that sleeps 70 seconds, should we?
There was a problem hiding this comment.
@findepi We could reduce the max ticket lifetime a bit, see MAX_TICKET_LIFETIME="1min" in kerberos init.
You cannot set this ticket lifetime too low or problems can occur. For example, setting the max ticket lifetime to 5s will cause the ticket to get refreshed repeatedly.
|
FYI, the product test is or started to be flaky -- #14441 |
Fixes: #1237
This PR is currently blocked by upgrading the kudu client version to 1.15.0 in this PR: https://github.com/trinodb/trino/pull/10940/filesThis is because support for customizing the kerberos service principal primary name was only added in java client 1.15.0:
apache/kudu@e69b3c6
Documentation
( ) No documentation is needed.
(x) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required.
(x) Release notes entries required with the following suggested text: