[Fix][Connector-V2] Fix iceberg throw java: package sun.security.krb5 does not exist when use jdk 11#7734
Conversation
87f340b to
1c3f33c
Compare
| "Start Kerberos authentication using principal {} and keytab {}", | ||
| principal, | ||
| keytabPath); | ||
| sun.security.krb5.Config.refresh(); |
There was a problem hiding this comment.
Is this logic invalid?
@hailin0 when using loginUserFromKeytabAndReturnUGI, refreshKrb5Config=true will be added by default. So I think there is no need to call refresh
There was a problem hiding this comment.
If your application is running and you modify the krb5.conf file at the same time. LoginUserFromKeytabAndReturnUGI will not reload the changes. It will only read and load the current Kerberos configuration when the application starts.
I think the correct way to modify it is to find out why this error is reported instead of directly removing it
There was a problem hiding this comment.
If your application is running and you modify the krb5.conf file at the same time. LoginUserFromKeytabAndReturnUGI will not reload the changes. It will only read and load the current Kerberos configuration when the application starts.
I think the correct way to modify it is to find out why this error is reported instead of directly removing it
@dailai apache/uniffle#625 ,https://stackoverflow.com/questions/1437281/reload-kerberos-config-in-java-without-restarting-jvm It would be best to explain the necessity of the existence of this code
There was a problem hiding this comment.
If your application is running and you modify the krb5.conf file at the same time. LoginUserFromKeytabAndReturnUGI will not reload the changes. It will only read and load the current Kerberos configuration when the application starts.
I think the correct way to modify it is to find out why this error is reported instead of directly removing it@dailai apache/incubator-uniffle#625 , It would be best to explain the necessity of the existence of this code
It's wight. You can refer this way apache/uniffle#932
There was a problem hiding this comment.
If your application is running and you modify the krb5.conf file at the same time. LoginUserFromKeytabAndReturnUGI will not reload the changes. It will only read and load the current Kerberos configuration when the application starts.
I think the correct way to modify it is to find out why this error is reported instead of directly removing it@dailai apache/incubator-uniffle#625 , It would be best to explain the necessity of the existence of this code
It's wight. You can refer this way apache/incubator-uniffle#932
@dailai Why not call Config.refresh() JDK>8? So isn't this necessary?
Have 2 ways to solve the issue.
- Remove sun.security.krb5.Config.refresh(); code.
- Add --add-exports java.security.jgss/sun.security.krb5=ALL-UNNAMED in the pom.xml of the project.
Firstly, explain the necessity of calling refresh clearly
There was a problem hiding this comment.
I mean that. @hailin0 It's right. The calling procedure is that:
org.apache.seatunnel.connectors.seatunnel.iceberg.IcebergCatalogLoader#doKerberosAuthentication
org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab
org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytabAndReturnUGI
org.apache.hadoop.security.UserGroupInformation#doSubjectLogin
org.apache.hadoop.security.UserGroupInformation#newLoginContext
javax.security.auth.login.LoginContext#LoginContext(java.lang.String, javax.security.auth.Subject, javax.security.auth.callback.CallbackHandler, javax.security.auth.login.Configuration)
javax.security.auth.login.LoginContext#init
org.apache.hadoop.security.UserGroupInformation.HadoopConfiguration#getAppConfigurationEntry
org.apache.hadoop.security.UserGroupInformation.HadoopConfiguration#getKerberosEntry
which made refreshKrb5Config is true
Finally, org.apache.hadoop.security.UserGroupInformation.HadoopLoginContext#login
call the method named com.sun.security.auth.module.Krb5LoginModule#login

… does not exist when use jdk 11 (apache#7734)
Purpose of this pull request
closed #7731
Does this PR introduce any user-facing change?
How was this patch tested?
Check list
New License Guide
release-note.