2

Author: morningman

be/src/common/kerberos/kerberos_config.cpp

@@ -20,17 +20,11 @@
 #include <filesystem>
 
 #include "common/config.h"
+#include "util/md5.h"
 
 namespace doris::kerberos {
 
 KerberosConfig::KerberosConfig()
         : _refresh_interval_second(300), _min_time_before_refresh_second(600) {}
 
-void KerberosConfig::set_cache_file_path(const std::string& path) {
-    const std::string prefix = doris::config::kerberos_ccache_path;
-    std::filesystem::path full_path = std::filesystem::path(prefix) / path;
-    full_path = std::filesystem::weakly_canonical(full_path);
-    _cache_file_path = full_path.string();
-}
-
 } // namespace doris::kerberos

be/src/common/kerberos/kerberos_config.h

@@ -20,30 +20,31 @@
 #include <chrono>
 #include <string>
 
+#include "common/status.h"
+
 namespace doris::kerberos {
 
 class KerberosConfig {
 public:
     KerberosConfig();
 
-    void set_keytab_path(const std::string& path) { _keytab_path = path; }
-    void set_principal(const std::string& principal) { _principal = principal; }
-    void set_cache_file_path(const std::string& path);
+    void set_principal_and_keytab(const std::string& principal, const std::string& keytab) {
+        _principal = principal;
+        _keytab_path = keytab;
+    }
     void set_krb5_conf_path(const std::string& path) { _krb5_conf_path = path; }
     void set_refresh_interval(int32_t interval) { _refresh_interval_second = interval; }
     void set_min_time_before_refresh(int32_t time) { _min_time_before_refresh_second = time; }
 
-    const std::string& get_keytab_path() const { return _keytab_path; }
     const std::string& get_principal() const { return _principal; }
-    const std::string& get_cache_file_path() const { return _cache_file_path; }
+    const std::string& get_keytab_path() const { return _keytab_path; }
     const std::string& get_krb5_conf_path() const { return _krb5_conf_path; }
     int32_t get_refresh_interval_second() const { return _refresh_interval_second; }
     int32_t get_min_time_before_refresh_second() const { return _min_time_before_refresh_second; }
 
 private:
-    std::string _keytab_path;
     std::string _principal;
-    std::string _cache_file_path;
+    std::string _keytab_path;
     std::string _krb5_conf_path;
     int32_t _refresh_interval_second;
     int32_t _min_time_before_refresh_second;

be/src/common/kerberos/kerberos_ticket_cache.cpp

@@ -18,27 +18,76 @@
 #include "common/kerberos/kerberos_ticket_cache.h"
 
 #include <chrono>
+#include <filesystem>
 #include <sstream>
 #include <thread>
 
+#include "common/config.h"
+#include "util/md5.h"
+
 namespace doris::kerberos {
 
 KerberosTicketCache::KerberosTicketCache(const KerberosConfig& config) : _config(config) {}
 
 KerberosTicketCache::~KerberosTicketCache() {
     stop_periodic_refresh();
     _cleanup_context();
-    LOG(INFO) << "destroy kerberos ticket cache with principal: " << _config.get_principal();
+    if (std::filesystem::exists(_ticket_cache_path)) {
+        std::filesystem::remove(_ticket_cache_path);
+    }
+    LOG(INFO) << "destroy kerberos ticket cache " << _ticket_cache_path
+              << " with principal: " << _config.get_principal();
 }
 
 Status KerberosTicketCache::initialize() {
     std::lock_guard<std::mutex> lock(_mutex);
+    RETURN_IF_ERROR(_init_ticket_cache_path());
     Status st = _initialize_context();
-    LOG(INFO) << "initialized kerberos ticket cache with principal: " << _config.get_principal()
-              << ": " << st.to_string();
+    LOG(INFO) << "initialized kerberos ticket cache " << _ticket_cache_path
+              << " with principal: " << _config.get_principal() << ": " << st.to_string();
     return st;
 }
 
+Status KerberosTicketCache::_init_ticket_cache_path() {
+    // use md5(principal + keytab_path) as ticket cache file name.
+    // so that same (principal + keytab_path) will have same name.
+    std::string combined = _config.get_principal() + _config.get_keytab_path();
+    Md5Digest digest;
+    digest.update(combined.c_str(), combined.length());
+    digest.digest();
+    std::string cache_file_md5 = digest.hex();
+
+    // The path should be with prefix "config::kerberos_ccache_path"
+    const std::string prefix = doris::config::kerberos_ccache_path;
+    std::filesystem::path full_path = std::filesystem::path(prefix) / cache_file_md5;
+    full_path = std::filesystem::weakly_canonical(full_path);
+    std::filesystem::path parent_path = full_path.parent_path();
+
+    try {
+        if (!std::filesystem::exists(parent_path)) {
+            // Create the parent dir if not exists
+            std::filesystem::create_directories(parent_path);
+        } else {
+            // Delete the ticket cache file if exists
+            if (std::filesystem::exists(full_path)) {
+                std::filesystem::remove(full_path);
+            }
+        }
+
+        _ticket_cache_path = full_path.string();
+        return Status::OK();
+    } catch (const std::filesystem::filesystem_error& e) {
+        return Status::InternalError("Error when setting kerberos ticket cache file: {}, {}",
+                                     full_path.native(), e.what());
+    } catch (const std::exception& e) {
+        return Status::InternalError("Exception when setting kerberos ticket cache file: {}, {}",
+                                     full_path.native(), e.what());
+    } catch (...) {
+        return Status::InternalError("Unknown error when setting kerberos ticket cache file: {}",
+                                     full_path.native());
+    }
+}
+
 Status KerberosTicketCache::login() {
     std::lock_guard<std::mutex> lock(_mutex);
 
@@ -51,7 +100,7 @@ Status KerberosTicketCache::login() {
         RETURN_IF_ERROR(_check_error(code, "Failed to resolve keytab"));
 
         // init ccache
-        code = krb5_cc_resolve(_context, _config.get_cache_file_path().c_str(), &_ccache);
+        code = krb5_cc_resolve(_context, _ticket_cache_path.c_str(), &_ccache);
         RETURN_IF_ERROR(_check_error(code, "Failed to resolve credential cache"));
 
         // get init creds
@@ -89,8 +138,7 @@ Status KerberosTicketCache::login() {
 
 Status KerberosTicketCache::login_with_cache() {
     std::lock_guard<std::mutex> lock(_mutex);
-    krb5_error_code code =
-            krb5_cc_resolve(_context, _config.get_cache_file_path().c_str(), &_ccache);
+    krb5_error_code code = krb5_cc_resolve(_context, _ticket_cache_path.c_str(), &_ccache);
     return _check_error(code, "Failed to resolve credential cache");
 }
 
@@ -139,8 +187,7 @@ void KerberosTicketCache::start_periodic_refresh() {
                         // ignore and continue
                         LOG(WARNING) << st.to_string();
                     } else {
-                        LOG(INFO) << "refresh kerberos ticket cache: "
-                                  << _config.get_cache_file_path();
+                        LOG(INFO) << "refresh kerberos ticket cache: " << _ticket_cache_path;
                     }
                 }
             }

be/src/common/kerberos/kerberos_ticket_cache.h

@@ -61,13 +61,20 @@ class KerberosTicketCache {
     void start_periodic_refresh();
     void stop_periodic_refresh();
 
+    const KerberosConfig& get_config() const { return _config; }
+
+    const std::string get_ticket_cache_path() const { return _ticket_cache_path; }
+
 private:
+    Status _init_ticket_cache_path();
     Status _initialize_context();
     void _cleanup_context();
     Status _check_error(krb5_error_code code, const char* message);
     bool _needs_refresh() const;
 
+private:
     KerberosConfig _config;
+    std::string _ticket_cache_path;
     krb5_context _context {nullptr};
     krb5_ccache _ccache {nullptr};
     krb5_principal _principal {nullptr};

be/src/common/kerberos/kerberos_ticket_mgr.cpp

@@ -0,0 +1,145 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "common/kerberos/kerberos_ticket_mgr.h"
+
+#include <iomanip>
+#include <sstream>
+
+#include "util/md5.h"
+
+namespace doris::kerberos {
+
+KerberosTicketMgr::KerberosTicketMgr() {
+    _start_cleanup_thread();
+}
+
+KerberosTicketMgr::~KerberosTicketMgr() {
+    _stop_cleanup_thread();
+}
+
+std::string KerberosTicketMgr::_generate_key(const std::string& principal,
+                                             const std::string& keytab_path) {
+    std::string combined = principal + keytab_path;
+    Md5Digest digest;
+    digest.update(combined.c_str(), combined.length());
+    digest.digest();
+    return digest.hex();
+}
+
+Status KerberosTicketMgr::get_or_set_ticket_cache(const KerberosConfig& config,
+                                                  std::string* cache_path) {
+    std::string key = _generate_key(config.get_principal(), config.get_keytab_path());
+
+    std::lock_guard<std::mutex> lock(_mutex);
+
+    // Check if already exists
+    auto it = _ticket_caches.find(key);
+    if (it != _ticket_caches.end()) {
+        it->second.last_access_time = std::chrono::steady_clock::now();
+        *cache_path = it->second.cache->get_ticket_cache_path();
+        return Status::OK();
+    }
+
+    // Create new ticket cache
+    auto ticket_cache = std::make_unique<KerberosTicketCache>(config);
+    RETURN_IF_ERROR(ticket_cache->initialize());
+    RETURN_IF_ERROR(ticket_cache->login());
+    RETURN_IF_ERROR(ticket_cache->write_ticket_cache());
+    ticket_cache->start_periodic_refresh();
+
+    // Add to map
+    KerberosTicketEntry entry {.cache = std::move(ticket_cache),
+                               .last_access_time = std::chrono::steady_clock::now()};
+
+    auto [inserted_it, success] = _ticket_caches.emplace(key, std::move(entry));
+    if (!success) {
+        return Status::InternalError("Failed to insert ticket cache into map");
+    }
+
+    *cache_path = inserted_it->second.cache->get_ticket_cache_path();
+    LOG(INFO) << "create new kerberos ticket cache: " << *cache_path;
+    return Status::OK();
+}
+
+Status KerberosTicketMgr::get_cache_file_path(const std::string& principal,
+                                              const std::string& keytab_path,
+                                              std::string* cache_path) {
+    std::string key = _generate_key(principal, keytab_path);
+
+    std::lock_guard<std::mutex> lock(_mutex);
+
+    auto it = _ticket_caches.find(key);
+    if (it == _ticket_caches.end()) {
+        return Status::NotFound("Kerberos ticket cache not found for principal: " + principal);
+    }
+
+    // Update last access time
+    it->second.last_access_time = std::chrono::steady_clock::now();
+
+    *cache_path = it->second.cache->get_ticket_cache_path();
+    return Status::OK();
+}
+
+void KerberosTicketMgr::_cleanup_thread_func() {
+    // Use a shorter sleep interval for quicker shutdown
+    static constexpr std::chrono::seconds SLEEP_INTERVAL {1};
+    auto last_cleanup_time = std::chrono::steady_clock::now();
+
+    while (!_should_stop) {
+        std::this_thread::sleep_for(SLEEP_INTERVAL);
+        auto now = std::chrono::steady_clock::now();
+        if (now - last_cleanup_time < CLEANUP_INTERVAL && !_should_stop) {
+            continue;
+        }
+
+        // Store expired caches here to destroy them after releasing the lock
+        std::vector<std::unique_ptr<KerberosTicketCache>> expired_caches;
+        {
+            std::lock_guard<std::mutex> lock(_mutex);
+            // Remove expired entries
+            for (auto it = _ticket_caches.begin(); it != _ticket_caches.end();) {
+                auto time_since_last_access = now - it->second.last_access_time;
+                if (time_since_last_access > EXPIRATION_TIME) {
+                    // Move the unique_ptr to our expired_caches vector
+                    expired_caches.push_back(std::move(it->second.cache));
+                    it = _ticket_caches.erase(it);
+                } else {
+                    ++it;
+                }
+            }
+            last_cleanup_time = now;
+        }
+
+        // expired_caches will be destroyed here, outside the lock
+    }
+}
+
+void KerberosTicketMgr::_start_cleanup_thread() {
+    _should_stop = false;
+    _cleanup_thread = std::make_unique<std::thread>(&KerberosTicketMgr::_cleanup_thread_func, this);
+}
+
+void KerberosTicketMgr::_stop_cleanup_thread() {
+    if (_cleanup_thread) {
+        _should_stop = true;
+        _cleanup_thread->join();
+        _cleanup_thread.reset();
+    }
+}
+
+} // namespace doris::kerberos