
Multiple keytab kerberos issue #674

Open
wants to merge 3 commits into base: master

Conversation

zeun0725

Problem

If multiple key tabs are distributed on the connect server, authentication errors may occur.

      UserGroupInformation.loginUserFromKeytab(principal, connectorConfig.connectHdfsKeytab()); // problem point
      final UserGroupInformation ugi = UserGroupInformation.getLoginUser();  // problem point
      log.info("Login as: " + ugi.getUserName());

      isRunning = true;
      ticketRenewThread = new Thread(() -> renewKerberosTicket(ugi));

Example: connector A uses the test user keytab (write path: /hdfs/user/test), and connector B uses the test2 user keytab (write path: /hdfs/user/test2).
If both connectors are restarted for some reason, different keytab information can be imported because of the thread-based behavior.
If connector B calls loginUserFromKeytab('test2@EXAMPLE.COM', '/../test2.keytab') at the moment connector A calls getLoginUser(), A logs in as the test2 user. So you can face the error below.
Caused by: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException: Permission denied: user=test2, access=EXECUTE, inode="/hdfs/user/test"

Solution

final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, connectorConfig.connectHdfsKeytab());

When receiving a ugi instance, it was changed to authenticate with the keytab and receive the instance directly.
Changed to use the loginUserFromKeytabAndReturnUGI() function.

Does this solution apply anywhere else?
  • [ ] yes
  • [ X ] no
If yes, where?

Test Strategy

Testing done:
  • [ X ] Unit tests
  • [ ] Integration tests
  • [ ] System tests
  • [ X ] Manual tests

Release Plan

@zeun0725 zeun0725 requested a review from a team as a code owner November 25, 2023 05:58

cla-assistant bot commented Nov 25, 2023

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


박지은 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@lala7573
Contributor

lala7573 commented Dec 20, 2023

@kkonstantine @snehashisp
Could you please review this PR? Related to this issue #325

@zeun0725
Please sign the CLA and fix the checkstyle issue to make this a valid PR.

@@ -274,7 +274,7 @@ private void configureKerberosAuthentication(Configuration hadoopConfiguration)
hostname
);
UserGroupInformation.loginUserFromKeytab(principal, connectorConfig.connectHdfsKeytab());
final UserGroupInformation ugi = UserGroupInformation.getLoginUser();
final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, connectorConfig.connectHdfsKeytab());
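Review bot: loginUserFromKeytabAndReturnUGI() returns a UGI without installing it as the JVM-wide login user, so this hunk removes the static-state race only for code that consistently uses the local `ugi` variable; any HDFS access that still resolves its identity through UserGroupInformation.getLoginUser()/getCurrentUser() (for example a FileSystem obtained outside ugi.doAs(...)) keeps running as whichever connector logged in last, which matches the reviewer's observation that a second connector with a different user still hits a permission error. Please show that the filesystem calls run inside ugi.doAs(...) and that the renewal thread (renewKerberosTicket(ugi) in the description) renews this instance via ugi.checkTGTAndReloginFromKeytab() rather than the static login user. Separately, the new line exceeds the project's 100-character checkstyle limit and should be wrapped.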
Contributor


If the line exceeds 100 characters, a mvn checkstyle error occurs, so it would be a good idea to change it like this.

Suggested change
final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, connectorConfig.connectHdfsKeytab());
final UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
principal,
connectorConfig.connectHdfsKeytab()
);

@lala7573
Contributor

@zeun0725
I built this and tested it.
It seems that there are other problems besides this issue. This change only affects relogin.
When I try to create a connector with a different user, the lease permission error still occurs.
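The pattern the Solution section and the comment above point at, as an added example that is not code from this PR or from the connector: each connector holds the UGI returned by loginUserFromKeytabAndReturnUGI(), runs its HDFS calls inside that UGI's doAs(), and renews that same instance, so two connectors in one JVM never share the static login user. The class name, principals and keytab paths are assumptions; it needs the Hadoop client on the classpath and valid keytabs to actually reach a cluster.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical per-connector Kerberos identity (added example, not the connector's code). */
public final class ConnectorIdentity {
  private final UserGroupInformation ugi;   // this connector's identity only, never the static one
  private final Configuration conf;

  ConnectorIdentity(Configuration conf, String principal, String keytabPath) throws IOException {
    this.conf = conf;
    // Returns a UGI without replacing the JVM-wide login user, so connector A cannot observe
    // connector B's principal through getLoginUser() during a concurrent (re)start.
    this.ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
  }

  /** Runs an action as this connector's principal, whatever getLoginUser() currently holds. */
  <T> T runAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException {
    return ugi.doAs(action);
  }

  /** Checks the connector's write path as its own user; FileSystem.get() is bound to the UGI. */
  boolean canAccess(String writePath) throws IOException, InterruptedException {
    return runAs(() -> {
      FileSystem fs = FileSystem.get(conf);   // cache key includes the current UGI
      return fs.exists(new Path(writePath));
    });
  }

  /** The renewal thread must target the returned instance, not the static login user. */
  void renewIfNeeded() throws IOException {
    ugi.checkTGTAndReloginFromKeytab();
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);   // once per JVM, before any login
    // Constructed values: two connectors in one JVM, each with its own (assumed) keytab.
    ConnectorIdentity a = new ConnectorIdentity(conf, "test@EXAMPLE.COM", "/etc/keytabs/test.keytab");
    ConnectorIdentity b = new ConnectorIdentity(conf, "test2@EXAMPLE.COM", "/etc/keytabs/test2.keytab");
    // Even when these run concurrently, A's calls stay as test and B's as test2.
    System.out.println("A -> /hdfs/user/test : " + a.canAccess("/hdfs/user/test"));
    System.out.println("B -> /hdfs/user/test2: " + b.canAccess("/hdfs/user/test2"));
    a.renewIfNeeded();
    b.renewIfNeeded();
  }
}
```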

@zeun0725 zeun0725 requested a review from a team as a code owner March 5, 2024 01:53
@zeun0725
Author

zeun0725 commented Mar 5, 2024

@lala7573
Can you share the test code or config value?
