2

Author: morningman

be/src/common/kerberos/kerberos_config.cpp

@@ -20,17 +20,11 @@
 #include <filesystem>
 
 #include "common/config.h"
+#include "util/md5.h"
 
 namespace doris::kerberos {
 
 KerberosConfig::KerberosConfig()
         : _refresh_interval_second(300), _min_time_before_refresh_second(600) {}
 
-void KerberosConfig::set_cache_file_path(const std::string& path) {
-    const std::string prefix = doris::config::kerberos_ccache_path;
-    std::filesystem::path full_path = std::filesystem::path(prefix) / path;
-    full_path = std::filesystem::weakly_canonical(full_path);
-    _cache_file_path = full_path.string();
-}
-
 } // namespace doris::kerberos

be/src/common/kerberos/kerberos_config.h

@@ -20,30 +20,31 @@
 #include <chrono>
 #include <string>
 
+#include "common/status.h"
+
 namespace doris::kerberos {
 
 class KerberosConfig {
 public:
     KerberosConfig();
 
-    void set_keytab_path(const std::string& path) { _keytab_path = path; }
-    void set_principal(const std::string& principal) { _principal = principal; }
-    void set_cache_file_path(const std::string& path);
+    void set_principal_and_keytab(const std::string& principal, const std::string& keytab) {
+        _principal = principal;
+        _keytab_path = keytab;
+    }
     void set_krb5_conf_path(const std::string& path) { _krb5_conf_path = path; }
     void set_refresh_interval(int32_t interval) { _refresh_interval_second = interval; }
     void set_min_time_before_refresh(int32_t time) { _min_time_before_refresh_second = time; }
 
-    const std::string& get_keytab_path() const { return _keytab_path; }
     const std::string& get_principal() const { return _principal; }
-    const std::string& get_cache_file_path() const { return _cache_file_path; }
+    const std::string& get_keytab_path() const { return _keytab_path; }
     const std::string& get_krb5_conf_path() const { return _krb5_conf_path; }
     int32_t get_refresh_interval_second() const { return _refresh_interval_second; }
     int32_t get_min_time_before_refresh_second() const { return _min_time_before_refresh_second; }
 
 private:
-    std::string _keytab_path;
     std::string _principal;
-    std::string _cache_file_path;
+    std::string _keytab_path;
     std::string _krb5_conf_path;
     int32_t _refresh_interval_second;
     int32_t _min_time_before_refresh_second;

be/src/common/kerberos/kerberos_ticket_cache.cpp

@@ -18,27 +18,76 @@
 #include "common/kerberos/kerberos_ticket_cache.h"
 
 #include <chrono>
+#include <filesystem>
 #include <sstream>
 #include <thread>
 
+#include "common/config.h"
+#include "util/md5.h"
+
 namespace doris::kerberos {
 
 KerberosTicketCache::KerberosTicketCache(const KerberosConfig& config) : _config(config) {}
 
 KerberosTicketCache::~KerberosTicketCache() {
     stop_periodic_refresh();
     _cleanup_context();
-    LOG(INFO) << "destroy kerberos ticket cache with principal: " << _config.get_principal();
+    if (std::filesystem::exists(_ticket_cache_path)) {
+        std::filesystem::remove(_ticket_cache_path);
+    }
+    LOG(INFO) << "destroy kerberos ticket cache " << _ticket_cache_path
+              << " with principal: " << _config.get_principal();
 }
 
 Status KerberosTicketCache::initialize() {
     std::lock_guard<std::mutex> lock(_mutex);
+    RETURN_IF_ERROR(_init_ticket_cache_path());
     Status st = _initialize_context();
-    LOG(INFO) << "initialized kerberos ticket cache with principal: " << _config.get_principal()
-              << ": " << st.to_string();
+    LOG(INFO) << "initialized kerberos ticket cache " << _ticket_cache_path
+              << " with principal: " << _config.get_principal() << ": " << st.to_string();
     return st;
 }
 
+Status KerberosTicketCache::_init_ticket_cache_path() {
+    // use md5(principal + keytab_path) as ticket cache file name.
+    // so that same (principal + keytab_path) will have same name.
+    std::string combined = _config.get_principal() + _config.get_keytab_path();
+    Md5Digest digest;
+    digest.update(combined.c_str(), combined.length());
+    digest.digest();
+    std::string cache_file_md5 = digest.hex();
+
+    // The path should be with prefix "config::kerberos_ccache_path"
+    const std::string prefix = doris::config::kerberos_ccache_path;
+    std::filesystem::path full_path = std::filesystem::path(prefix) / cache_file_md5;
+    full_path = std::filesystem::weakly_canonical(full_path);
+    std::filesystem::path parent_path = full_path.parent_path();
+
+    try {
+        if (!std::filesystem::exists(parent_path)) {
+            // Create the parent dir if not exists
+            std::filesystem::create_directories(parent_path);
+        } else {
+            // Delete the ticket cache file if exists
+            if (std::filesystem::exists(full_path)) {
+                std::filesystem::remove(full_path);
+            }
+        }
+
+        _ticket_cache_path = full_path.string();
+        return Status::OK();
+    } catch (const std::filesystem::filesystem_error& e) {
+        return Status::InternalError("Error when setting kerberos ticket cache file: {}, {}",
+                                     full_path.native(), e.what());
+    } catch (const std::exception& e) {
+        return Status::InternalError("Exception when setting kerberos ticket cache file: {}, {}",
+                                     full_path.native(), e.what());
+    } catch (...) {
+        return Status::InternalError("Unknown error when setting kerberos ticket cache file: {}",
+                                     full_path.native());
+    }
+}
+
 Status KerberosTicketCache::login() {
     std::lock_guard<std::mutex> lock(_mutex);
 
@@ -51,7 +100,7 @@ Status KerberosTicketCache::login() {
         RETURN_IF_ERROR(_check_error(code, "Failed to resolve keytab"));
 
         // init ccache
-        code = krb5_cc_resolve(_context, _config.get_cache_file_path().c_str(), &_ccache);
+        code = krb5_cc_resolve(_context, _ticket_cache_path.c_str(), &_ccache);
         RETURN_IF_ERROR(_check_error(code, "Failed to resolve credential cache"));
 
         // get init creds
@@ -89,8 +138,7 @@ Status KerberosTicketCache::login() {
 
 Status KerberosTicketCache::login_with_cache() {
     std::lock_guard<std::mutex> lock(_mutex);
-    krb5_error_code code =
-            krb5_cc_resolve(_context, _config.get_cache_file_path().c_str(), &_ccache);
+    krb5_error_code code = krb5_cc_resolve(_context, _ticket_cache_path.c_str(), &_ccache);
     return _check_error(code, "Failed to resolve credential cache");
 }
 
@@ -139,8 +187,7 @@ void KerberosTicketCache::start_periodic_refresh() {
                         // ignore and continue
                         LOG(WARNING) << st.to_string();
                     } else {
-                        LOG(INFO) << "refresh kerberos ticket cache: "
-                                  << _config.get_cache_file_path();
+                        LOG(INFO) << "refresh kerberos ticket cache: " << _ticket_cache_path;
                     }
                 }
             }

be/src/common/kerberos/kerberos_ticket_cache.h

@@ -61,13 +61,20 @@ class KerberosTicketCache {
     void start_periodic_refresh();
     void stop_periodic_refresh();
 
+    const KerberosConfig& get_config() const { return _config; }
+
+    const std::string get_ticket_cache_path() const { return _ticket_cache_path; }
+
 private:
+    Status _init_ticket_cache_path();
     Status _initialize_context();
     void _cleanup_context();
     Status _check_error(krb5_error_code code, const char* message);
     bool _needs_refresh() const;
 
+private:
     KerberosConfig _config;
+    std::string _ticket_cache_path;
     krb5_context _context {nullptr};
     krb5_ccache _ccache {nullptr};
     krb5_principal _principal {nullptr};

be/src/common/kerberos/kerberos_ticket_mgr.cpp

@@ -0,0 +1,145 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "common/kerberos/kerberos_ticket_mgr.h"
+
+#include <iomanip>
+#include <sstream>
+
+#include "util/md5.h"
+
+namespace doris::kerberos {
+
+KerberosTicketMgr::KerberosTicketMgr() {
+    _start_cleanup_thread();
+}
+
+KerberosTicketMgr::~KerberosTicketMgr() {
+    _stop_cleanup_thread();
+}
+
+std::string KerberosTicketMgr::_generate_key(const std::string& principal,
+                                             const std::string& keytab_path) {
+    std::string combined = principal + keytab_path;
+    Md5Digest digest;
+    digest.update(combined.c_str(), combined.length());
+    digest.digest();
+    return digest.hex();
+}
+
+Status KerberosTicketMgr::get_or_set_ticket_cache(const KerberosConfig& config,
+                                                  std::string* cache_path) {
+    std::string key = _generate_key(config.get_principal(), config.get_keytab_path());
+
+    std::lock_guard<std::mutex> lock(_mutex);
+
+    // Check if already exists
+    auto it = _ticket_caches.find(key);
+    if (it != _ticket_caches.end()) {
+        it->second.last_access_time = std::chrono::steady_clock::now();
+        *cache_path = it->second.cache->get_ticket_cache_path();
+        return Status::OK();
+    }
+
+    // Create new ticket cache
+    auto ticket_cache = std::make_unique<KerberosTicketCache>(config);
+    RETURN_IF_ERROR(ticket_cache->initialize());
+    RETURN_IF_ERROR(ticket_cache->login());
+    RETURN_IF_ERROR(ticket_cache->write_ticket_cache());
+    ticket_cache->start_periodic_refresh();
+
+    // Add to map
+    KerberosTicketEntry entry {.cache = std::move(ticket_cache),
+                               .last_access_time = std::chrono::steady_clock::now()};
+
+    auto [inserted_it, success] = _ticket_caches.emplace(key, std::move(entry));
+    if (!success) {
+        return Status::InternalError("Failed to insert ticket cache into map");
+    }
+
+    *cache_path = inserted_it->second.cache->get_ticket_cache_path();
+    LOG(INFO) << "create new kerberos ticket cache: " << *cache_path;
+    return Status::OK();
+}
+
+Status KerberosTicketMgr::get_cache_file_path(const std::string& principal,
+                                              const std::string& keytab_path,
+                                              std::string* cache_path) {
+    std::string key = _generate_key(principal, keytab_path);
+
+    std::lock_guard<std::mutex> lock(_mutex);
+
+    auto it = _ticket_caches.find(key);
+    if (it == _ticket_caches.end()) {
+        return Status::NotFound("Kerberos ticket cache not found for principal: " + principal);
+    }
+
+    // Update last access time
+    it->second.last_access_time = std::chrono::steady_clock::now();
+
+    *cache_path = it->second.cache->get_ticket_cache_path();
+    return Status::OK();
+}
+
+void KerberosTicketMgr::_cleanup_thread_func() {
+    // Use a shorter sleep interval for quicker shutdown
+    static constexpr std::chrono::seconds SLEEP_INTERVAL {1};
+    auto last_cleanup_time = std::chrono::steady_clock::now();
+
+    while (!_should_stop) {
+        std::this_thread::sleep_for(SLEEP_INTERVAL);
+        auto now = std::chrono::steady_clock::now();
+        if (now - last_cleanup_time < CLEANUP_INTERVAL && !_should_stop) {
+            continue;
+        }
+
+        // Store expired caches here to destroy them after releasing the lock
+        std::vector<std::unique_ptr<KerberosTicketCache>> expired_caches;
+        {
+            std::lock_guard<std::mutex> lock(_mutex);
+            // Remove expired entries
+            for (auto it = _ticket_caches.begin(); it != _ticket_caches.end();) {
+                auto time_since_last_access = now - it->second.last_access_time;
+                if (time_since_last_access > EXPIRATION_TIME) {
+                    // Move the unique_ptr to our expired_caches vector
+                    expired_caches.push_back(std::move(it->second.cache));
+                    it = _ticket_caches.erase(it);
+                } else {
+                    ++it;
+                }
+            }
+            last_cleanup_time = now;
+        }
+
+        // expired_caches will be destroyed here, outside the lock
+    }
+}
+
+void KerberosTicketMgr::_start_cleanup_thread() {
+    _should_stop = false;
+    _cleanup_thread = std::make_unique<std::thread>(&KerberosTicketMgr::_cleanup_thread_func, this);
+}
+
+void KerberosTicketMgr::_stop_cleanup_thread() {
+    if (_cleanup_thread) {
+        _should_stop = true;
+        _cleanup_thread->join();
+        _cleanup_thread.reset();
+    }
+}
+
+} // namespace doris::kerberos

be/src/common/kerberos/kerberos_ticket_mgr.h

@@ -0,0 +1,80 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include <atomic>
+#include <chrono>
+#include <memory>
+#include <mutex>
+#include <string>
+#include <thread>
+#include <unordered_map>
+
+#include "common/kerberos/kerberos_config.h"
+#include "common/kerberos/kerberos_ticket_cache.h"
+#include "common/status.h"
+
+namespace doris::kerberos {
+
+struct KerberosTicketEntry {
+    std::unique_ptr<KerberosTicketCache> cache;
+    std::chrono::steady_clock::time_point last_access_time;
+};
+
+class KerberosTicketMgr {
+public:
+    KerberosTicketMgr();
+
+    // Register a new KerberosTicketCache with given config
+    // Returns the cache file path in cache_path
+    Status get_or_set_ticket_cache(const KerberosConfig& config, std::string* cache_path);
+
+    // Get cache file path for given principal and keytab path
+    Status get_cache_file_path(const std::string& principal, const std::string& keytab_path,
+                               std::string* cache_path);
+
+    ~KerberosTicketMgr();
+
+private:
+    KerberosTicketMgr(const KerberosTicketMgr&) = delete;
+    KerberosTicketMgr& operator=(const KerberosTicketMgr&) = delete;
+
+    // Generate key for map from principal and keytab path
+    std::string _generate_key(const std::string& principal, const std::string& keytab_path);
+
+    // Clean up expired entries
+    void _cleanup_thread_func();
+
+    // Start cleanup thread
+    void _start_cleanup_thread();
+
+    // Stop cleanup thread
+    void _stop_cleanup_thread();
+
+    std::unordered_map<std::string, KerberosTicketEntry> _ticket_caches;
+    std::mutex _mutex;
+
+    std::unique_ptr<std::thread> _cleanup_thread;
+    std::atomic<bool> _should_stop {false};
+
+    // Cleanup interval and expiration time
+    static constexpr std::chrono::seconds CLEANUP_INTERVAL {5};
+    static constexpr std::chrono::hours EXPIRATION_TIME {24}; // 1 days
+};
+
+} // namespace doris::kerberos

be/src/io/fs/hdfs_file_system.h

@@ -28,7 +28,6 @@
 #include <vector>
 
 #include "common/config.h"
-#include "common/kerberos/kerberos_ticket_cache.h"
 #include "common/status.h"
 #include "io/fs/hdfs.h"
 #include "io/fs/path.h"

be/src/io/hdfs_builder.h

@@ -35,10 +35,6 @@ const std::string KERBEROS_PRINCIPAL = "hadoop.kerberos.principal";
 const std::string KERBEROS_KEYTAB = "hadoop.kerberos.keytab";
 const std::string TICKET_CACHE_PATH = "/tmp/krb5cc_doris_";
 
-namespace kerberos {
-class KerberosTicketCache;
-};
-
 class HDFSCommonBuilder {
     friend Status create_hdfs_builder(const THdfsParams& hdfsParams, const std::string& fs_name,
                                       HDFSCommonBuilder* builder);
@@ -61,7 +57,7 @@ class HDFSCommonBuilder {
 
     hdfsBuilder* get() { return hdfs_builder; }
     bool is_kerberos() const { return kerberos_login; }
-    Status gen_ticket_cache_and_renew_thread(doris::kerberos::KerberosTicketCache** ccache);
+    Status gen_ticket_cache_and_renew_thread();
 
 private:
     hdfsBuilder* hdfs_builder = nullptr;

be/src/io/hdfs_util.cpp

@@ -25,7 +25,6 @@
 #include <ostream>
 #include <thread>
 
-#include "common/kerberos/kerberos_ticket_cache.h"
 #include "common/logging.h"
 #include "io/fs/err_utils.h"
 #include "io/hdfs_builder.h"
@@ -34,17 +33,9 @@
 namespace doris::io {
 namespace {
 
-Status _create_hdfs_fs(const THdfsParams& hdfs_params, const std::string& fs_name, hdfsFS* fs,
-                       std::unique_ptr<kerberos::KerberosTicketCache>& ticket_cache) {
+Status _create_hdfs_fs(const THdfsParams& hdfs_params, const std::string& fs_name, hdfsFS* fs) {
     HDFSCommonBuilder builder;
     RETURN_IF_ERROR(create_hdfs_builder(hdfs_params, fs_name, &builder));
-    if (builder.is_kerberos()) {
-        kerberos::KerberosTicketCache* ccache;
-        RETURN_IF_ERROR(builder.gen_ticket_cache_and_renew_thread(&ccache));
-        ticket_cache.reset(ccache);
-    } else {
-        ticket_cache.reset(nullptr);
-    }
     hdfsFS hdfs_fs = hdfsBuilderConnect(builder.get());
     if (hdfs_fs == nullptr) {
         return Status::InternalError("failed to connect to hdfs {}: {}", fs_name, hdfs_error());
@@ -56,20 +47,19 @@ Status _create_hdfs_fs(const THdfsParams& hdfs_params, const std::string& fs_nam
 // https://brpc.apache.org/docs/server/basics/
 // According to the brpc doc, JNI code checks stack layout and cannot be run in
 // bthreads so create a pthread for creating hdfs connection if necessary.
-Status create_hdfs_fs(const THdfsParams& hdfs_params, const std::string& fs_name, hdfsFS* fs,
-                      std::unique_ptr<kerberos::KerberosTicketCache>& ticket_cache) {
+Status create_hdfs_fs(const THdfsParams& hdfs_params, const std::string& fs_name, hdfsFS* fs) {
     bool is_pthread = bthread_self() == 0;
     LOG(INFO) << "create hfdfs fs, is_pthread=" << is_pthread << " fs_name=" << fs_name;
     if (is_pthread) { // running in pthread
-        return _create_hdfs_fs(hdfs_params, fs_name, fs, ticket_cache);
+        return _create_hdfs_fs(hdfs_params, fs_name, fs);
     }
 
     // running in bthread, switch to a pthread and wait
     Status st;
     auto btx = bthread::butex_create();
     *(int*)btx = 0;
     std::thread t([&] {
-        st = _create_hdfs_fs(hdfs_params, fs_name, fs, ticket_cache);
+        st = _create_hdfs_fs(hdfs_params, fs_name, fs);
         *(int*)btx = 1;
         bthread::butex_wake_all(btx);
     });
@@ -177,19 +167,18 @@ Status HdfsHandlerCache::get_connection(const THdfsParams& hdfs_params, const st
         // not find in cache, or fs handle is invalid
         // create a new one and try to put it into cache
         hdfsFS hdfs_fs = nullptr;
-        std::unique_ptr<kerberos::KerberosTicketCache> ticket_cache;
-        RETURN_IF_ERROR(create_hdfs_fs(hdfs_params, fs_name, &hdfs_fs, ticket_cache));
+        RETURN_IF_ERROR(create_hdfs_fs(hdfs_params, fs_name, &hdfs_fs));
         if (_cache.size() >= MAX_CACHE_HANDLE) {
             _clean_invalid();
             _clean_oldest();
         }
         if (_cache.size() < MAX_CACHE_HANDLE) {
-            auto handle = std::make_shared<HdfsHandler>(hdfs_fs, ticket_cache.release(), true);
+            auto handle = std::make_shared<HdfsHandler>(hdfs_fs, true);
             handle->update_last_access_time();
             *fs_handle = handle;
             _cache[hash_code] = std::move(handle);
         } else {
-            *fs_handle = std::make_shared<HdfsHandler>(hdfs_fs, ticket_cache.release(), false);
+            *fs_handle = std::make_shared<HdfsHandler>(hdfs_fs, false);
         }
     }
     return Status::OK();

be/src/io/hdfs_util.h

@@ -25,7 +25,6 @@
 #include <string>
 #include <unordered_map>
 
-#include "common/kerberos/kerberos_ticket_cache.h"
 #include "common/status.h"
 #include "io/fs/hdfs.h"
 #include "io/fs/path.h"
@@ -53,16 +52,14 @@ extern bvar::LatencyRecorder hdfs_hsync_latency;
 
 class HdfsHandler {
 public:
-    HdfsHandler(hdfsFS fs, kerberos::KerberosTicketCache* ticket_cache, bool cached)
+    HdfsHandler(hdfsFS fs, bool cached)
             : hdfs_fs(fs),
               from_cache(cached),
               _create_time(std::chrono::duration_cast<std::chrono::milliseconds>(
                                    std::chrono::system_clock::now().time_since_epoch())
                                    .count()),
               _last_access_time(0),
-              _invalid(false) {
-        _ticket_cache.reset(ticket_cache);
-    }
+              _invalid(false) {}
 
     ~HdfsHandler() {
         if (hdfs_fs != nullptr) {
@@ -100,8 +97,6 @@ class HdfsHandler {
     std::atomic<uint64_t> _last_access_time;
     // Client will set invalid if error thrown, and HdfsFileSystemCache will not reuse this handler
     std::atomic<bool> _invalid;
-
-    std::unique_ptr<kerberos::KerberosTicketCache> _ticket_cache;
 };
 
 // Cache for HdfsHandler