ATLAS-1546: Hive hook should choose appropriate JAAS config when host uses kerberos ticket-cache

common/src/main/java/org/apache/atlas/security/InMemoryJAASConfiguration.java

@@ -127,12 +127,15 @@ public final class InMemoryJAASConfiguration extends Configuration {
     private static final String JAAS_CONFIG_LOGIN_MODULE_CONTROL_FLAG_PARAM = "loginModuleControlFlag";
     private static final String JAAS_CONFIG_LOGIN_OPTIONS_PREFIX = "option";
     private static final String JAAS_PRINCIPAL_PROP = "principal";
+    private static final Map<String, String> configSectionRedirects = new HashMap<>();
 
     private Configuration parent = null;
     private Map<String, List<AppConfigurationEntry>> applicationConfigEntryMap = new HashMap<>();
 
     public static void init(String propFile) throws AtlasException {
-        LOG.debug("==> InMemoryJAASConfiguration.init( {} )", propFile);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> InMemoryJAASConfiguration.init({})", propFile);
+        }
 
         InputStream in = null;
 
@@ -161,7 +164,9 @@ public final class InMemoryJAASConfiguration extends Configuration {
             }
         }
 
-        LOG.debug("<== InMemoryJAASConfiguration.init( {} )", propFile);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("<== InMemoryJAASConfiguration.init({})", propFile);
+        }
     }
 
     public static void init(org.apache.commons.configuration.Configuration atlasConfiguration) throws AtlasException {
@@ -192,10 +197,26 @@ public final class InMemoryJAASConfiguration extends Configuration {
 
     @Override
     public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
-        LOG.trace("==> InMemoryJAASConfiguration.getAppConfigurationEntry( {} )", name);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("==> InMemoryJAASConfiguration.getAppConfigurationEntry({})", name);
+        }
 
         AppConfigurationEntry[] ret = null;
-        List<AppConfigurationEntry> retList = applicationConfigEntryMap.get(name);
+        List<AppConfigurationEntry> retList = null;
+        String redirectedName = getConfigSectionRedirect(name);
+
+        if (redirectedName != null) {
+            retList = applicationConfigEntryMap.get(redirectedName);
+
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Redirected jaasConfigSection ({} -> {}): ", name, redirectedName, retList);
+            }
+        }
+
+        if (retList == null || retList.size() == 0) {
+            retList = applicationConfigEntryMap.get(name);
+        }
+
         if (retList == null || retList.size() == 0) {
             if (parent != null) {
                 ret = parent.getAppConfigurationEntry(name);
@@ -206,7 +227,9 @@ public final class InMemoryJAASConfiguration extends Configuration {
             ret = retList.toArray(ret);
         }
 
-        LOG.trace("==> InMemoryJAASConfiguration.getAppConfigurationEntry( {} ) : {}", name, ArrayUtils.toString(ret));
+		if (LOG.isDebugEnabled()) {
+            LOG.debug("<== InMemoryJAASConfiguration.getAppConfigurationEntry({}): {}", name, ArrayUtils.toString(ret));
+		}
 
         return ret;
     }
@@ -344,10 +367,28 @@ public final class InMemoryJAASConfiguration extends Configuration {
             }
         }
 
-        LOG.debug("<== InMemoryJAASConfiguration.initialize()");
+        LOG.debug("<== InMemoryJAASConfiguration.initialize({})", applicationConfigEntryMap);
     }
 
     private static boolean isNumeric(String str) {
         return str.matches("-?\\d+(\\.\\d+)?");  //match a number with optional '-' and decimal.
     }
+
+    public static void setConfigSectionRedirect(String name, String redirectTo) {
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("setConfigSectionRedirect({}, {})", name, redirectTo);
+        }
+
+        if (name != null) {
+            if (redirectTo != null) {
+                configSectionRedirects.put(name, redirectTo);
+            } else {
+                configSectionRedirects.remove(name);
+            }
+        }
+    }
+
+    private static String getConfigSectionRedirect(String name) {
+        return name != null ? configSectionRedirects.get(name) : null;
+    }
 }

common/src/test/java/org/apache/atlas/security/InMemoryJAASConfigurationTicketBasedKafkaClientTest.java

+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.atlas.security;
+
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+
+import junit.framework.Assert;
+import junit.framework.TestCase;
+import org.testng.annotations.Test;
+
+
+@Test
+public class InMemoryJAASConfigurationTicketBasedKafkaClientTest extends TestCase {
+
+    private static final String ATLAS_JAAS_PROP_FILE = "atlas-jaas.properties";
+
+    protected void setUp() throws Exception {
+        super.setUp();
+        try {
+            InMemoryJAASConfiguration.init(ATLAS_JAAS_PROP_FILE);
+            InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", "ticketBased-KafkaClient");
+        } catch (Throwable t) {
+            fail("InMemoryJAASConfiguration.init() is not expected to throw Exception:" + t);
+        }
+    }
+
+    protected void tearDown() throws Exception {
+        super.tearDown();
+    }
+
+
+    @Test
+    public void testGetAppConfigurationEntryStringForticketBasedKafkaClient() {
+
+        AppConfigurationEntry[] entries =
+                Configuration.getConfiguration().getAppConfigurationEntry("KafkaClient");
+        Assert.assertNotNull(entries);
+        Assert.assertEquals((String) entries[0].getOptions().get("useTicketCache"), "true");
+    }
+
+
+}
+

common/src/test/resources/atlas-jaas.properties

@@ -55,3 +55,8 @@ atlas.jaas.myClient.1.option.storeKey = true
 atlas.jaas.myClient.1.option.serviceName = kafka
 atlas.jaas.myClient.1.option.keyTab = /etc/security/keytabs/kafka_client.keytab
 atlas.jaas.myClient.1.option.principal = kafka-client-1@EXAMPLE.COM
+
+
+atlas.jaas.ticketBased-KafkaClient.loginModuleControlFlag=required
+atlas.jaas.ticketBased-KafkaClient.loginModuleName=com.sun.security.auth.module.Krb5LoginModule
+atlas.jaas.ticketBased-KafkaClient.option.useTicketCache=true
\ No newline at end of file

notification/src/main/java/org/apache/atlas/hook/AtlasHook.java

@@ -26,6 +26,7 @@ import org.apache.atlas.notification.NotificationException;
 import org.apache.atlas.notification.NotificationInterface;
 import org.apache.atlas.notification.NotificationModule;
 import org.apache.atlas.notification.hook.HookNotification;
+import org.apache.atlas.security.InMemoryJAASConfiguration;
 import org.apache.atlas.typesystem.Referenceable;
 import org.apache.atlas.typesystem.json.InstanceSerialization;
 import org.apache.commons.configuration.Configuration;
@@ -78,6 +79,12 @@ public abstract class AtlasHook {
             failedMessagesLogger.init();
         }
 
+        if (!isLoginKeytabBased()) {
+            if (isLoginTicketBased()) {
+                InMemoryJAASConfiguration.setConfigSectionRedirect("KafkaClient", "ticketBased-KafkaClient");
+            }
+        }
+
         notificationRetryInterval = atlasProperties.getInt(ATLAS_NOTIFICATION_RETRY_INTERVAL, 1000);
         Injector injector = Guice.createInjector(new NotificationModule());
         notifInterface = injector.getInstance(NotificationInterface.class);
@@ -210,4 +217,28 @@ public abstract class AtlasHook {
         }
     }
 
+    private static boolean isLoginKeytabBased() {
+        boolean ret = false;
+
+        try {
+            ret = UserGroupInformation.isLoginKeytabBased();
+        } catch (Exception excp) {
+            LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp);
+        }
+
+        return ret;
+    }
+
+    private static boolean isLoginTicketBased() {
+        boolean ret = false;
+
+        try {
+            ret = UserGroupInformation.isLoginTicketBased();
+        } catch (Exception excp) {
+            LOG.error("error in determining whether to use ticket-cache or keytab for KafkaClient JAAS configuration", excp);
+        }
+
+        return ret;
+    }
+
 }

release-log.txt

@@ -9,6 +9,7 @@ ATLAS-1060 Add composite indexes for exact match performance improvements for al
 ATLAS-1127 Modify creation and modification timestamps to Date instead of Long(sumasai)
 
 ALL CHANGES:
+ATLAS-1546 Hive hook should choose appropriate JAAS config when host uses kerberos ticket-cache (nixonrodrigues,gss2002 via mneethiraj)
 ATLAS-1539 Integration tests in projects which use the typesystem test jar (e.g. webapp) can now be run successfully when invoked in the project directory (dkantor)
 ATLAS-1542 Atlas server fails to start if duplicate types are found during Typesystem bootstrap (svimal2106)
 ATLAS-1535 Some webapp tests are failing due to a stale Titan transaction (jnhagelberg)