[KYUUBI #7348] Separate the principal and keytab used for ZooKeeper authentication between the service and the engine

[LamiumAmplexicaule]

Why are the changes needed?

The engine and the service are separate components, so their authentication principal and keytab should also be separated.
Close: #7348

How was this patch tested?

Unit tests.

./build/mvn clean install -Dtest=none -DwildcardSuites=org.apache.kyuubi.ha.client.zookeeper.EmbeddedZookeeperDiscoveryClientSuite,org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProviderSuite,org.apache.kyuubi.engine.spark.SparkProcessBuilderSuite

Was this patch authored or co-authored using generative AI tooling?

No.

[aajisaka]

Thank you @LamiumAmplexicaule. Started CI workflow

[aajisaka]

If they are unset, what are used by default? Would you document?

[LamiumAmplexicaule]

Thank you for your review.
I have added the document for fallback of kyuubi.ha.zookeeper.engine.auth.principal and kyuubi.ha.zookeeper.engine.auth.keytab in 20b6f0d.

[LamiumAmplexicaule]

I realized that instead of updating it manually, I should use dev/gen/gen_all_config_docs.sh, so I’ve update it.

• https://kyuubi.readthedocs.io/en/master/contributing/code/developer.html#append-descriptions-of-new-configurations-to-settings-md

[aajisaka]

The indents look incorrect. Would you keep the current indents so that reviewers can easily review the diff.

[LamiumAmplexicaule]

I set it up according to IntelliJ IDEA Setup Guide — Apache Kyuubi, so I understand that this indentation is the result of automatic formatting. (It’s possible that I misconfigured something, though.)
Do I need to intentionally disable this and adjust it manually?

[aajisaka]

Minor comments

[aajisaka]

Hi @LamiumAmplexicaule would you fix the test failure https://github.com/apache/kyuubi/actions/runs/22996851002/job/66896343535?pr=7349#step:7:429? It looks related to the patch.

- set up zookeeper auth for engine *** FAILED ***
  java.lang.IllegalArgumentException: Can't get Kerberos realm
  at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:71)
  at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:315)
  at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:366)
  at org.apache.kyuubi.KerberizedTestHelper.tryWithSecurityEnabled(KerberizedTestHelper.scala:154)
  at org.apache.kyuubi.KerberizedTestHelper.tryWithSecurityEnabled$(KerberizedTestHelper.scala:142)
  at org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClientSuite.tryWithSecurityEnabled(ZookeeperDiscoveryClientSuite.scala:66)
  at org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClientSuite.$anonfun$new$5(ZookeeperDiscoveryClientSuite.scala:142)
  at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
  at org.scalatest.OutcomeOf.outcomeOf(OutcomeOf.scala:85)
  at org.scalatest.OutcomeOf.outcomeOf$(OutcomeOf.scala:83)
  ...
  Cause: java.lang.IllegalArgumentException: KrbException: Cannot locate default realm
  at javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:159)
  at org.apache.hadoop.security.authentication.util.KerberosUtil.getDefaultRealm(KerberosUtil.java:120)
  at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:69)
  at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:315)
  at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:366)
  at org.apache.kyuubi.KerberizedTestHelper.tryWithSecurityEnabled(KerberizedTestHelper.scala:154)
  at org.apache.kyuubi.KerberizedTestHelper.tryWithSecurityEnabled$(KerberizedTestHelper.scala:142)
  at org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClientSuite.tryWithSecurityEnabled(ZookeeperDiscoveryClientSuite.scala:66)
  at org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClientSuite.$anonfun$new$5(ZookeeperDiscoveryClientSuite.scala:142)
  at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:23)
  ...

[codecov-commenter]

Codecov Report

❌ Patch coverage is 0% with 37 lines in your changes missing coverage. Please review.
✅ Project coverage is 0.00%. Comparing base (f319921) to head (b862221).
⚠️ Report is 7 commits behind head on master.

Files with missing lines	Patch %	Lines
.../ha/client/zookeeper/ZookeeperClientProvider.scala	0.00%	26 Missing ⚠️
...la/org/apache/kyuubi/ha/HighAvailabilityConf.scala	0.00%	10 Missing ⚠️
...ache/kyuubi/engine/spark/SparkProcessBuilder.scala	0.00%	1 Missing ⚠️

Additional details and impacted files

@@          Coverage Diff           @@
##           master   #7349   +/-   ##
======================================
  Coverage    0.00%   0.00%           
======================================
  Files         698     698           
  Lines       43657   43667   +10     
  Branches     5896    5896           
======================================
- Misses      43657   43667   +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[LamiumAmplexicaule]

It turned out that the Cannot locate default realm error occurs for the following reason.

In org.apache.kyuubi.KerberizedTestHelper#tryWithSecurityEnabled, System.clearProperty("java.security.krb5.conf") is called in the finally block.

• kyuubi/kyuubi-common/src/test/scala/org/apache/kyuubi/KerberizedTestHelper.scala

  Line 159 in 52b038b

  System.clearProperty("java.security.krb5.conf")

In org.apache.kyuubi.ha.client.zookeeper.ZookeeperClientProvider, org.apache.hadoop.security.authentication.util.JaasConfiguration or org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration is used,

• kyuubi/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/zookeeper/ZookeeperClientProvider.scala

  Lines 124 to 144 in 52b038b

  	val jaasConf = jaasConfigurationCache.computeIfAbsent(
  	(principal, keytab),
  	_ => {
  	// HDFS-16591 makes breaking change on JaasConfiguration
  	DynConstructors.builder()
  	.impl( // Hadoop 3.3.5 and above
  	"org.apache.hadoop.security.authentication.util.JaasConfiguration",
  	classOf[String],
  	classOf[String],
  	classOf[String])
  	.impl( // Hadoop 3.3.4 and previous
  	// scalastyle:off
  	"org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager$JaasConfiguration",
  	// scalastyle:on
  	classOf[String],
  	classOf[String],
  	classOf[String])
  	.build[Configuration]()
  	.newInstance("KyuubiZooKeeperClient", zkClientPrincipal, keytab)
  	})
  	Configuration.setConfiguration(jaasConf)

and inside it there is a line:

options.put("refreshKrb5Config", "true");

• https://github.com/apache/hadoop/blob/a178eb780f5c983ab7e5c5a4add8a3027060c68d/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/JaasConfiguration.java#L51
• https://github.com/apache/hadoop/blob/15621e34155ff41b3bfaefec066cde2b37eaff64/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java#L280

Because of this, sun.security.krb5.Config#refresh is invoked before com.sun.security.auth.module.Krb5LoginModule#login.

• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/jdk.security.auth/share/classes/com/sun/security/auth/module/Krb5LoginModule.java#L533
• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L150-L158

At that point, since java.security.krb5.conf does not exist,

• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L213
• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L867-L868

it attempts to read /etc/krb5.conf.

• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L234
• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L939

As /etc/krb5.conf does not exist, nothing is loaded, and the singleton instance maintained by sun.security.krb5.Config is overwritten (the stanzaTable becomes empty).

• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L152

As a result, get("libdefaults", "default_realm") returns null, which causes a KrbException("Cannot locate default realm") to be thrown.

• https://github.com/openjdk/jdk17u-dev/blob/1e113f495f88a854db13af9341924c9f84647bff/src/java.security.jgss/share/classes/sun/security/krb5/Config.java#L1196

For unit tests that use JAAS, we need to save the current javax.security.auth.login.Configuration before the test and restore it afterward.