Critical Description
During the gateway startup, Knox executes the following steps (among others) in this order:
- reloads/redeploys topologies
- triggers descriptors reload to trigger service discovery (see
KNOX-2301)
The problem with this approach is, that in the case of dynamic Kerberos settings (variable keytab path and principal name), Knox may deploy a topology with old settings that are no longer valid, and only a couple of seconds later (in my test environment it was between 10-20 seconds for a particular topology) it redeploys the topology with up-to-date configuration. This might be irrelevant if that topology is not used in that small time window, however, there is a chance that Knox will fail to serve the request with an error message similar to this:
2023-06-06 19:33:00,756 9ee494e4-4ede-4a81-962e-77334bfd80b8 ERROR knox.gateway (AbstractGatewayFilter.java:doFilter(60)) - Failed to execute filter: javax.servlet.ServletException: javax.servlet.ServletException: javax.servlet.ServletException: Keytab does not exist: /$DYNAMIC_KEYTAB_PATH//knox.keytab 2023-06-06 19:33:00,757 9ee494e4-4ede-4a81-962e-77334bfd80b8 ERROR knox.gateway (GatewayFilter.java:doFilter(197)) - Gateway processing failed: javax.servlet.ServletException: javax.servlet.ServletException: javax.servlet.ServletException: Keytab does not exist: /$DYNAMIC_KEYTAB_PATH//knox.keytab javax.servlet.ServletException: javax.servlet.ServletException: javax.servlet.ServletException: Keytab does not exist: /$DYNAMIC_KEYTAB_PATH/knox.keytab
