ISSUE 568 : Synchronize Kerberos ticket renewal for non-renewable ticket

Author: raju-saravanan

common-auth/src/main/java/com/hortonworks/registries/auth/KerberosLogin.java

@@ -1,12 +1,12 @@
 /**
  * Copyright 2017 Hortonworks.
- *
+ * <p>
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
-
- *   http://www.apache.org/licenses/LICENSE-2.0
-
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -30,6 +30,8 @@
 import java.util.Map;
 import java.util.Random;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.locks.Lock;
 
 /**
  * This class is responsible for logging in to Kerberos and refreshing credentials for
@@ -62,6 +64,9 @@ public class KerberosLogin extends AbstractLogin {
     private long minTimeBeforeRelogin = 1 * 60 * 1000;
     private String kinitCmd = "/usr/bin/kinit";
 
+    private Lock kerberosTGTRenewalLock;
+    private long kerberosTGTRenewalTimeoutMS;
+
     /**
      * Method to configure this instance with specific properties
      * @param loginContextName
@@ -85,6 +90,15 @@ public void configure(Map<String, ?> configs, final String loginContextName) {
         }
     }
 
+    public KerberosLogin() {
+
+    }
+
+    public KerberosLogin(Lock kerberosTGTRenewalLock, long kerberosTGTRenewalTimeoutMS) {
+        this.kerberosTGTRenewalLock = kerberosTGTRenewalLock;
+        this.kerberosTGTRenewalTimeoutMS = kerberosTGTRenewalTimeoutMS;
+    }
+
     /**
      * Method called once initially to login. It also starts the thread used
      * to periodically re-login to the Kerberos Authentication Server.
@@ -147,7 +161,7 @@ public void close() {
         }
     }
 
-    private void spawnReloginThread () {
+    private void spawnReloginThread() {
         // Refresh the Ticket Granting Ticket (TGT) periodically. How often to refresh is determined by the
         // TGT's existing expiry date and the configured minTimeBeforeRelogin. For testing and development,
         // you can decrease the interval of expiration of tickets (for example, to 3 minutes) by running:
@@ -208,7 +222,7 @@ public void run() {
                         }
                     }
                     try {
-                        reLogin();
+                        synchronizeReLogin();
                     } catch (LoginException le) {
                         log.error("Failed to refresh TGT: refresh thread exiting now.", le);
                         return;
@@ -246,6 +260,26 @@ private KerberosTicket getTGT() {
         return null;
     }
 
+    private void synchronizeReLogin() throws LoginException {
+        if (kerberosTGTRenewalLock != null) {
+            try {
+                if (kerberosTGTRenewalLock.tryLock(kerberosTGTRenewalTimeoutMS, TimeUnit.MILLISECONDS)) {
+                    try {
+                        reLogin();
+                    } finally {
+                        kerberosTGTRenewalLock.unlock();
+                    }
+                } else {
+                    throw new LoginException("Timed out while waiting to acquire a lock for renewing Kerberos TGT");
+                }
+            } catch (InterruptedException e) {
+                throw new LoginException("Error while acquiring lock for renewing Kerberos TGT : " + e.getMessage());
+            }
+        } else {
+            reLogin();
+        }
+    }
+
     /**
      * Re-login a principal. This method assumes that {@link #login()} has happened already.
      * @throws javax.security.auth.login.LoginException on a failure

schema-registry/client/src/main/java/com/hortonworks/registries/schemaregistry/client/SchemaRegistryClient.java

@@ -48,6 +48,7 @@
 import com.hortonworks.registries.schemaregistry.errors.SchemaBranchAlreadyExistsException;
 import com.hortonworks.registries.schemaregistry.errors.SchemaBranchNotFoundException;
 import com.hortonworks.registries.schemaregistry.errors.SchemaNotFoundException;
+import com.hortonworks.registries.schemaregistry.exceptions.RegistryRetryableException;
 import com.hortonworks.registries.schemaregistry.serde.SerDesException;
 import com.hortonworks.registries.schemaregistry.serde.SnapshotDeserializer;
 import com.hortonworks.registries.schemaregistry.serde.SnapshotSerializer;
@@ -106,6 +107,9 @@
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReadWriteLock;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
 
 import static com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.Configuration.DEFAULT_CONNECTION_TIMEOUT;
 import static com.hortonworks.registries.schemaregistry.client.SchemaRegistryClient.Configuration.DEFAULT_READ_TIMEOUT;
@@ -157,11 +161,15 @@ public class SchemaRegistryClient implements ISchemaRegistryClient {
     private static final Set<Class<?>> SERIALIZER_INTERFACE_CLASSES = Sets.<Class<?>>newHashSet(SnapshotSerializer.class, PullSerializer.class);
     private static final String SEARCH_FIELDS = SCHEMA_REGISTRY_PATH + "/search/schemas/fields";
     private static Subject subject;
+    private static ReadWriteLock kerberosSynchronizationLock = null;
+    private static final long KERBEROS_SYNCHRONIZATION_TIMEOUT_MS = 180000;
 
     static {
         String jaasConfigFile = System.getProperty("java.security.auth.login.config");
         if (jaasConfigFile != null && !jaasConfigFile.trim().isEmpty()) {
-            KerberosLogin kerberosLogin = new KerberosLogin();
+            kerberosSynchronizationLock = new ReentrantReadWriteLock(true);
+            Lock kerberosTGTRenewalLock = kerberosSynchronizationLock.writeLock();
+            KerberosLogin kerberosLogin = new KerberosLogin(kerberosTGTRenewalLock, KERBEROS_SYNCHRONIZATION_TIMEOUT_MS);
             kerberosLogin.configure(new HashMap<>(), REGISTY_CLIENT_JAAS_SECTION);
             try {
                 subject = kerberosLogin.login().getSubject();
@@ -447,7 +455,7 @@ public void deleteSchema(String schemaName) throws SchemaNotFoundException {
         }
 
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path(String.format("%s", schemaName));
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).delete(Response.class);
@@ -516,7 +524,7 @@ public SchemaIdVersion uploadSchemaVersion(final String schemaBranchName,
                         .bodyPart(streamDataBodyPart);
 
         Entity<MultiPart> multiPartEntity = Entity.entity(multipartEntity, MediaType.MULTIPART_FORM_DATA);
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request().post(multiPartEntity, Response.class);
@@ -575,7 +583,7 @@ public void deleteSchemaVersion(SchemaVersionKey schemaVersionKey) throws Schema
 
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path(String.format("%s/versions/%s", schemaVersionKey
                 .getSchemaName(), schemaVersionKey.getVersion()));
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).delete(Response.class);
@@ -606,7 +614,7 @@ private SchemaIdVersion doAddSchemaVersion(String schemaBranchName, String schem
 
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path(schemaName).path("/versions").queryParam("branch", schemaBranchName)
                 .queryParam("disableCanonicalCheck", disableCanonicalCheck);
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).post(Entity.json(schemaVersion), Response.class);
@@ -759,7 +767,7 @@ public void startSchemaVersionReview(Long schemaVersionId) throws SchemaNotFound
     @Override
     public SchemaVersionMergeResult mergeSchemaVersion(Long schemaVersionId, boolean disableCanonicalCheck) throws SchemaNotFoundException, IncompatibleSchemaException {
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path(schemaVersionId + "/merge").queryParam("disableCanonicalCheck", disableCanonicalCheck);
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request().post(null);
@@ -795,7 +803,7 @@ public SchemaVersionLifecycleStateMachineInfo getSchemaVersionLifecycleStateMach
     @Override
     public SchemaBranch createSchemaBranch(Long schemaVersionId, SchemaBranch schemaBranch) throws SchemaBranchAlreadyExistsException, SchemaNotFoundException {
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path("versionsById/" + schemaVersionId + "/branch");
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).post(Entity.json(schemaBranch), Response.class);
@@ -819,7 +827,7 @@ public Response run() {
     @Override
     public Collection<SchemaBranch> getSchemaBranches(String schemaName) throws SchemaNotFoundException {
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path(encode(schemaName) + "/branches");
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request().get();
@@ -839,7 +847,7 @@ public Response run() {
     @Override
     public void deleteSchemaBranch(Long schemaBranchId) throws SchemaBranchNotFoundException, InvalidSchemaBranchDeletionException {
         WebTarget target = currentSchemaRegistryTargets().schemasTarget.path("branch/" + schemaBranchId);
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return target.request().delete();
@@ -868,7 +876,7 @@ private boolean transitionSchemaVersionState(Long schemaVersionId,
                                                  byte[] transitionDetails) throws SchemaNotFoundException, SchemaLifecycleException {
 
         WebTarget webTarget = currentSchemaRegistryTargets().schemaVersionsTarget.path(schemaVersionId + "/state/" + operationOrTargetState);
-        Response response = Subject.doAs(subject, new PrivilegedAction<Response>() {
+        Response response = synchronizeDoAction(new PrivilegedAction<Response>() {
             @Override
             public Response run() {
                 return webTarget.request().post(Entity.text(transitionDetails));
@@ -919,7 +927,7 @@ public CompatibilityResult checkCompatibility(String schemaName, String toSchema
     public CompatibilityResult checkCompatibility(String schemaBranchName, String schemaName,
                                                   String toSchemaText) throws SchemaNotFoundException {
         WebTarget webTarget = currentSchemaRegistryTargets().schemasTarget.path(encode(schemaName) + "/compatibility").queryParam("branch", schemaBranchName);
-        String response = Subject.doAs(subject, new PrivilegedAction<String>() {
+        String response = synchronizeDoAction(new PrivilegedAction<String>() {
             @Override
             public String run() {
                 return webTarget.request().post(Entity.text(toSchemaText), String.class);
@@ -953,7 +961,7 @@ public String uploadFile(InputStream inputStream) {
         MultiPart multiPart = new MultiPart();
         BodyPart filePart = new StreamDataBodyPart("file", inputStream, "file");
         multiPart.bodyPart(filePart);
-        return Subject.doAs(subject, new PrivilegedAction<String>() {
+        return synchronizeDoAction(new PrivilegedAction<String>() {
             @Override
             public String run() {
                 return currentSchemaRegistryTargets().filesTarget.request()
@@ -964,7 +972,7 @@ public String run() {
 
     @Override
     public InputStream downloadFile(String fileId) {
-        return Subject.doAs(subject, new PrivilegedAction<InputStream>() {
+        return synchronizeDoAction(new PrivilegedAction<InputStream>() {
             @Override
             public InputStream run() {
                 return currentSchemaRegistryTargets().filesTarget.path("download/" + encode(fileId))
@@ -1086,7 +1094,7 @@ private <T> T createInstance(SerDesInfo serDesInfo, boolean isSerializer) {
     }
 
     private <T> List<T> getEntities(WebTarget target, Class<T> clazz) {
-        String response = Subject.doAs(subject, new PrivilegedAction<String>() {
+        String response = synchronizeDoAction(new PrivilegedAction<String>() {
             @Override
             public String run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).get(String.class);
@@ -1111,7 +1119,7 @@ private <T> List<T> parseResponseAsEntities(String response, Class<T> clazz) {
     }
 
     private <T> T postEntity(WebTarget target, Object json, Class<T> responseType) {
-        String response = Subject.doAs(subject, new PrivilegedAction<String>() {
+        String response = synchronizeDoAction(new PrivilegedAction<String>() {
             @Override
             public String run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).post(Entity.json(json), String.class);
@@ -1130,7 +1138,7 @@ private <T> T readEntity(String response, Class<T> clazz) {
     }
 
     private <T> T getEntity(WebTarget target, Class<T> clazz) {
-        String response = Subject.doAs(subject, new PrivilegedAction<String>() {
+        String response = synchronizeDoAction(new PrivilegedAction<String>() {
             @Override
             public String run() {
                 return target.request(MediaType.APPLICATION_JSON_TYPE).get(String.class);
@@ -1140,6 +1148,30 @@ public String run() {
         return readEntity(response, clazz);
     }
 
+    private <T> T synchronizeDoAction(PrivilegedAction<T> action) {
+        if (kerberosSynchronizationLock == null) {
+            return Subject.doAs(subject, action);
+        } else {
+            Lock schemaRegistryLock = kerberosSynchronizationLock.readLock();
+            try {
+                if (schemaRegistryLock.tryLock(KERBEROS_SYNCHRONIZATION_TIMEOUT_MS, TimeUnit.MILLISECONDS)) {
+                    T result;
+                    try {
+                        result = Subject.doAs(subject, action);
+                    } finally {
+                        schemaRegistryLock.unlock();
+                    }
+                    return result;
+                } else {
+                    throw new RegistryRetryableException("Timed out while schema registry client was waiting for Kerberos TGT renewal");
+                }
+            } catch (InterruptedException e) {
+                throw new RegistryRetryableException("Error while schema registry client was waiting for Kerberos TGT renewal", e);
+            }
+        }
+    }
+
+
     public static final class Configuration {
         // we may want to remove schema.registry prefix from configuration properties as these are all properties
         // given by client.