[Bug] Kyuubi Kubernetes Client would not reload token when service account token expired #6888

Open
3 of 4 tasks
kennywgx opened this issue Jan 10, 2025 · 3 comments
Labels
kind:bug This is a clearly a bug priority:major

Comments

@kennywgx

Code of Conduct

Search before asking

  • I have searched in the issues and found no similar issues.

Describe the bug

Fault: KubernetesClientException - Unauthorized. http code=401

My Kyuubi server was running on Azure Kubernetes Service (abbreviated: AKS), and we met this error, shown in the picture below.
image

Note: The Kyuubi server worked well at the beginning; the error happened after 1 hour. AKS said that it was caused by the token expiration. We suspected that Kyuubi won't auto-reload the serviceAccount token in the pod.

Root Cause

The AKS serviceaccount token expires in 1 hour by default. Thus, Kyuubi will have a peaceful hour after starting, but after that the token expires and a continuous KubernetesClientException with HTTP code 401 is thrown.

Kubernetes client token refresh mechanism

Diving into the code of the Kubernetes client, we found that it has already integrated a TokenRefreshInterceptor to handle the 401 HTTP status code issue, but it doesn't work at all in Kyuubi. Here's why:

Kyuubi loads the serviceAccount token by itself when initializing the kube client, which is NOT RECOMMENDED. In fact, the kubeclient will auto-configure the desired token and take care of the token expiration time on its own.
image

Checking out the TokenRefreshInterceptor code in the Kubernetes client repo, we can see that the refreshToken method will skip refreshing the token if you have specified an oauthToken yourself.
img_v3_02ic_1d8f5eac-df0c-4a53-afd9-42614658067g

Fix

We simply removed the code that sets oauthToken in Kyuubi, and it works very well now.
img_v3_02id_20928d6c-66f8-474a-8f7a-3d6effae60ag

In addition, if you want to provide some flexible ways for the authentication configuration, consider using tokenProvider instead of a token value. I would be very willing to commit a PR if you guys agree with my opinion, thanks.
image

Affects Version(s)

1.7.0~1.9.3

Kyuubi Server Log Output

No response

Kyuubi Engine Log Output

No response

Kyuubi Server Configurations

No response

Kyuubi Engine Configurations

No response

Additional context

No response

Are you willing to submit PR?

  • Yes. I would be willing to submit a PR with guidance from the Kyuubi community to fix.
  • No. I cannot submit a PR at this time.
@kennywgx kennywgx added kind:bug This is a clearly a bug priority:major labels Jan 10, 2025
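
The two configurations contrasted in the report above, as an added example (not code from Kyuubi, fabric8 or the issue author). It assumes the fabric8 `kubernetes-client` library is on the classpath; `RotatingTokenExample`, `fileTokenProvider`, the temp file and the master URL are names and values constructed for illustration.

```java
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.OAuthTokenProvider;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class RotatingTokenExample {
  // Hypothetical helper: re-reads the token file on every call, so a rotated token is picked up.
  static OAuthTokenProvider fileTokenProvider(Path tokenFile) {
    return () -> {
      try {
        return new String(Files.readAllBytes(tokenFile), StandardCharsets.UTF_8).trim();
      } catch (IOException e) {
        throw new UncheckedIOException("cannot read " + tokenFile, e);
      }
    };
  }

  // Pattern the report identifies as the cause: the token is read once and stored as a fixed value.
  static Config staticTokenConfig(String masterUrl, Path tokenFile) {
    String tokenAtStartup = fileTokenProvider(tokenFile).getToken();
    return new ConfigBuilder().withMasterUrl(masterUrl).withOauthToken(tokenAtStartup).build();
  }

  // Alternative the report proposes: give the client a provider instead of a value.
  static Config providerConfig(String masterUrl, Path tokenFile) {
    return new ConfigBuilder().withMasterUrl(masterUrl)
        .withOauthTokenProvider(fileTokenProvider(tokenFile)).build();
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample: a temp file stands in for the token file mounted into the pod.
    Path tokenFile = Files.createTempFile("sa-token", ".txt");
    String masterUrl = "https://kubernetes.default.svc"; // constructed sample value
    Files.write(tokenFile, "token-v1".getBytes(StandardCharsets.UTF_8));
    Config frozen = staticTokenConfig(masterUrl, tokenFile);
    Config live = providerConfig(masterUrl, tokenFile);
    // Simulate the rotation of the token file after both configs were built.
    Files.write(tokenFile, "token-v2".getBytes(StandardCharsets.UTF_8));
    System.out.println("static config token: " + frozen.getOauthToken());
    System.out.println("provider token:      " + live.getOauthTokenProvider().getToken());
  }
}
```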

Hello @kennywgx,
Thanks for finding the time to report the issue!
We really appreciate the community's efforts to improve Apache Kyuubi.

@kennywgx
Author

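For the problem above, I monitored the execution results of the relevant code in memory and confirmed that whenever the token needed to be refreshed, the refresh never succeeded: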
img_v3_02ic_d6026bec-9d5d-4c64-b556-c1060145d7cg
The token value stays the same the whole time:
img_v3_02ic_d503ad27-8865-45e5-b071-3aedaa4ff34g

I observed that in the refreshToken() method, if oauthToken already exists, the method returns immediately and does not execute the refresh logic below.
img_v3_02ic_1d8f5eac-df0c-4a53-afd9-42614658067g

@pan3793
Member

pan3793 commented Jan 10, 2025

see #6883
