From 1b743468df925e442f77c6b6d08d61e639b15021 Mon Sep 17 00:00:00 2001 From: Ryan Wilson Date: Thu, 12 Jan 2017 17:51:07 -0800 Subject: [PATCH] Add Krb5CredentialsCacheManagerLogger for logging credential cache information Summary: This patch adds the Krb5CredentialsCacheManagerLogger interface for logging credential cache data in the Krb5CredentialsCacheManager. This will allow users to log specific data about the credential cache like keytab, default principal and service ticket expiration times. Reviewed By: abajenov Differential Revision: D4349976 fbshipit-source-id: 840ad59c5f6353c66fe9d06abde1d09b27972ed4 --- thrift/lib/cpp/Makefile.am | 3 +- .../lib/cpp/util/kerberos/Krb5CCacheStore.cpp | 92 +++++++++++++++---- .../lib/cpp/util/kerberos/Krb5CCacheStore.h | 17 +++- .../kerberos/Krb5CredentialsCacheManager.cpp | 69 +++++++++++--- .../kerberos/Krb5CredentialsCacheManager.h | 31 +++++-- .../Krb5CredentialsCacheManagerLogger.h | 57 ++++++++++++ thrift/lib/cpp/util/kerberos/Krb5Tgts.cpp | 14 ++- thrift/lib/cpp/util/kerberos/Krb5Tgts.h | 3 +- thrift/lib/cpp/util/kerberos/Krb5Util.cpp | 3 +- thrift/lib/cpp/util/kerberos/Krb5Util.h | 5 +- thrift/perf/cpp/AsyncClientWorker2.cpp | 30 +++--- thrift/perf/cpp/ClientWorker2.cpp | 20 ++-- 12 files changed, 268 insertions(+), 76 deletions(-) create mode 100644 thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManagerLogger.h diff --git a/thrift/lib/cpp/Makefile.am b/thrift/lib/cpp/Makefile.am index 351184345ae..6d09a8edb75 100644 --- a/thrift/lib/cpp/Makefile.am +++ b/thrift/lib/cpp/Makefile.am @@ -235,7 +235,8 @@ include_utilkerberos_HEADERS = \ util/kerberos/FBKrb5GetCreds.h \ util/kerberos/Krb5OlderVersionStubs.h \ util/kerberos/Krb5Tgts.h \ - util/kerberos/Krb5Util.h + util/kerberos/Krb5Util.h \ + util/kerberos/Krb5CredentialsCacheManagerLogger.h include_testdir = $(include_thriftdir)/test include_test_HEADERS = \ diff --git a/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.cpp b/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.cpp index f780f3d254a..f3974a007ee 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.cpp +++ b/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.cpp @@ -73,7 +73,8 @@ uint64_t Krb5CCacheStore::ServiceData::getCount() { std::shared_ptr Krb5CCacheStore::waitForCache( const Krb5Principal& service, - SecurityLogger* logger) { + SecurityLogger* logger, + bool* didInitCacheForService) { std::shared_ptr dataPtr = getServiceDataPtr(service); uint64_t curtime = chrono::duration_cast( @@ -97,6 +98,9 @@ std::shared_ptr Krb5CCacheStore::waitForCache( if (logger) { logger->logEnd("get_prepared_cache"); } + if (didInitCacheForService) { + *didInitCacheForService = false; + } return dataPtr->cache; } } @@ -120,6 +124,10 @@ std::shared_ptr Krb5CCacheStore::waitForCache( dataPtr->cache = std::move(tempCache); dataPtr->expires = expires; + if (didInitCacheForService) { + *didInitCacheForService = true; + } + return dataPtr->cache; } @@ -361,6 +369,29 @@ uint64_t Krb5CCacheStore::renewCreds() { return renewCount; } +std::set Krb5CCacheStore::getTopServices(size_t limit) { + // Put 'limit' number of most frequently used credentials into the + // top_services set. + folly::SharedMutex::ReadHolder readLock(serviceDataMapLock_); + vector> count_vector; + for (auto& element : serviceDataMap_) { + count_vector.emplace_back(element.first, element.second->getCount()); + } + + sort(count_vector.begin(), count_vector.end(), serviceCountCompare); + + std::set top_services; + int count = 0; + for (auto& element : count_vector) { + if (count >= limit) { + break; + } + top_services.insert(element.first); + count++; + } + return top_services; +} + std::unique_ptr Krb5CCacheStore::exportCache(size_t limit) { Krb5Principal client_principal = tgts_.getClientPrincipal(); @@ -371,25 +402,8 @@ std::unique_ptr Krb5CCacheStore::exportCache(size_t limit) { temp_cache->initialize(client_principal.get()); { - // Put 'limit' number of most frequently used credentials into the - // top_services set. folly::SharedMutex::ReadHolder readLock(serviceDataMapLock_); - vector> count_vector; - for (auto& element : serviceDataMap_) { - count_vector.emplace_back(element.first, element.second->getCount()); - } - - sort(count_vector.begin(), count_vector.end(), serviceCountCompare); - - std::set top_services; - int count = 0; - for (auto& element : count_vector) { - if (count >= limit) { - break; - } - top_services.insert(element.first); - count++; - } + const auto top_services = getTopServices(limit); for (auto& data : serviceDataMap_) { folly::SharedMutex::ReadHolder lock(data.second->lockCache); @@ -424,7 +438,7 @@ bool Krb5CCacheStore::isInitialized() { return tgts_.isInitialized(); } -std::pair Krb5CCacheStore::getLifetime() { +Krb5Lifetime Krb5CCacheStore::getLifetime() { return tgts_.getLifetime(); } @@ -444,4 +458,42 @@ void Krb5CCacheStore::notifyOfError(const std::string& error) { tgts_.notifyOfError(error); } +std::map +Krb5CCacheStore::getServicePrincipalLifetimes(size_t limit) { + folly::SharedMutex::ReadHolder readLock(serviceDataMapLock_); + const auto top_services = getTopServices(limit); + + std::map services; + for (auto& data : serviceDataMap_) { + folly::SharedMutex::ReadHolder cache_lock(data.second->lockCache); + if (!data.second->cache) { + continue; + } + const auto service = getLifetimeOfFirstServicePrincipal(data.second->cache); + if (top_services.count(service.first) == 0) { + continue; + } + services[service.first] = service.second; + } + return services; +} + +std::map Krb5CCacheStore::getTgtLifetimes() { + return tgts_.getLifetimes(); +} + +std::pair +Krb5CCacheStore::getLifetimeOfFirstServicePrincipal( + const std::shared_ptr& cache) { + auto princ_list = cache->getServicePrincipalList(); + if (princ_list.size() < 1) { + throw std::runtime_error("Principal list too small in ccache"); + } + auto princ = std::move(princ_list[0]); + auto princStr = folly::to(princ); + auto creds = cache->retrieveCred(princ.get()); + auto lifetime = + std::make_pair(creds.get().times.starttime, creds.get().times.endtime); + return std::make_pair(folly::to(princ), std::move(lifetime)); +} }}} diff --git a/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.h b/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.h index 770275208e0..8bbe24b6bcd 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.h +++ b/thrift/lib/cpp/util/kerberos/Krb5CCacheStore.h @@ -17,10 +17,11 @@ #ifndef KRB5_CCACHE_STORE #define KRB5_CCACHE_STORE +#include #include #include -#include #include +#include #include #include #include @@ -48,8 +49,9 @@ class Krb5CCacheStore { virtual ~Krb5CCacheStore() {} std::shared_ptr waitForCache( - const Krb5Principal& service, - SecurityLogger* logger = nullptr); + const Krb5Principal& service, + SecurityLogger* logger = nullptr, + bool* didInitCacheForService = nullptr); void kInit(const Krb5Principal& client); bool isInitialized(); @@ -66,7 +68,13 @@ class Krb5CCacheStore { /** * Get lifetime of the currently loaded creds. */ - std::pair getLifetime(); + Krb5Lifetime getLifetime(); + + std::map getServicePrincipalLifetimes( + size_t limit); + std::pair getLifetimeOfFirstServicePrincipal( + const std::shared_ptr& cache); + std::map getTgtLifetimes(); protected: static const int SERVICE_HISTOGRAM_NUM_BUCKETS; @@ -104,6 +112,7 @@ class Krb5CCacheStore { std::shared_ptr getServiceDataPtr(const Krb5Principal& service); std::vector getServicePrincipalList(); + std::set getTopServices(size_t limit); void raiseIf(krb5_error_code code, const std::string& what) { apache::thrift::krb5::raiseIf(ctx_.get(), code, what); diff --git a/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.cpp b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.cpp index d4069ac0d84..31385da012b 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.cpp +++ b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.cpp @@ -53,14 +53,15 @@ using namespace std; const int Krb5CredentialsCacheManager::MANAGE_THREAD_SLEEP_PERIOD = 10*60*1000; const int Krb5CredentialsCacheManager::ABOUT_TO_EXPIRE_THRESHOLD = 600; const int Krb5CredentialsCacheManager::NUM_ELEMENTS_TO_PERSIST_TO_FILE = 10000; +const int Krb5CredentialsCacheManager::NUM_ELEMENTS_TO_LOG = 10; Krb5CredentialsCacheManager::Krb5CredentialsCacheManager( - const std::shared_ptr& logger, - int maxCacheSize) - : stopManageThread_(false) - , logger_(logger) - , ccacheTypeIsMemory_(false) - , updateFileCacheEnabled_(true) { + const std::shared_ptr& logger, + int maxCacheSize) + : stopManageThread_(false), + logger_(logger), + ccacheTypeIsMemory_(false), + updateFileCacheEnabled_(true) { try { // These calls can throw if the context cannot be initialized for some // reason, e.g. bad config format, etc. @@ -123,10 +124,12 @@ Krb5CredentialsCacheManager::Krb5CredentialsCacheManager( logger->logStart("init_cache_store"); initCacheStore(); logger->logEnd("init_cache_store"); + logTopCredentials(logger, "init_cache_store"); } else if (aboutToExpire(store_->getLifetime())) { logger->logStart("init_cache_store", "expired"); initCacheStore(); logger->logEnd("init_cache_store"); + logTopCredentials(logger, "init_expired_cache_store"); } // If not a user credential and the cache store needs to be renewed, @@ -141,6 +144,7 @@ Krb5CredentialsCacheManager::Krb5CredentialsCacheManager( uint64_t renewCount = store_->renewCreds(); logger->logEnd( "build_renewed_cache", folly::to(renewCount)); + logTopCredentials(logger, "build_renewed_cache"); } if (updateFileCacheEnabled_) { @@ -412,9 +416,9 @@ int Krb5CredentialsCacheManager::writeOutCache(size_t limit) { LOG(ERROR) << "Could not open a temporary cache file with template: " << tmp_template << " error: " << strerror(errno); logger_->log( - "persist_ccache_fail_tmp_file_create_fail", - {tmp_template, strerror(errno)}, - SecurityLogger::TracingOptions::NONE); + "persist_ccache_fail_tmp_file_create_fail", + {tmp_template, strerror(errno)}, + Krb5CredentialsCacheManagerLogger::TracingOptions::NONE); return -1; } ret = close(fd); @@ -475,7 +479,12 @@ std::shared_ptr Krb5CredentialsCacheManager::waitForCache( if (!store_) { throw std::runtime_error("Kerberos ccache store could not be initialized"); } - return store_->waitForCache(service, logger); + bool didInitCacheForService; + auto cache = store_->waitForCache(service, logger, &didInitCacheForService); + if (didInitCacheForService) { + logOneCredential(logger_, "init_cache_for_service", cache); + } + return cache; } void Krb5CredentialsCacheManager::initCacheStore() { @@ -560,8 +569,7 @@ bool Krb5CredentialsCacheManager::isPrincipalInKeytab( return false; } -bool Krb5CredentialsCacheManager::aboutToExpire( - const std::pair& lifetime) { +bool Krb5CredentialsCacheManager::aboutToExpire(const Krb5Lifetime& lifetime) { time_t now; time(&now); return ((uint64_t) now + @@ -570,7 +578,8 @@ bool Krb5CredentialsCacheManager::aboutToExpire( } bool Krb5CredentialsCacheManager::reachedRenewTime( - const std::pair& lifetime, const std::string& client) { + const Krb5Lifetime& lifetime, + const std::string& client) { time_t now; time(&now); size_t sname_hash = std::hash()(client); @@ -585,4 +594,38 @@ bool Krb5CredentialsCacheManager::reachedRenewTime( return (uint64_t) now > (half_life_time + renew_offset); } +void Krb5CredentialsCacheManager::logTopCredentials( + const std::shared_ptr& logger, + const std::string& key) { + logCredentialsCache( + logger, + key, + store_->getServicePrincipalLifetimes( + Krb5CredentialsCacheManager::NUM_ELEMENTS_TO_LOG)); +} + +void Krb5CredentialsCacheManager::logOneCredential( + const std::shared_ptr& logger, + const std::string& key, + const std::shared_ptr& cache) { + const auto service = store_->getLifetimeOfFirstServicePrincipal(cache); + std::map serviceLifetimes = { + {service.first, service.second}}; + + logCredentialsCache(logger, key, serviceLifetimes); +} + +void Krb5CredentialsCacheManager::logCredentialsCache( + const std::shared_ptr& logger, + const std::string& key, + const std::map& serviceLifetimes) { + Krb5Keytab keytab(ctx_->get()); + logger->logCredentialsCache( + key, + keytab, + store_->getClientPrincipal(), + store_->getLifetime(), + serviceLifetimes, + store_->getTgtLifetimes()); +} }}} diff --git a/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.h b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.h index 8032dac885a..ea17d861f1b 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.h +++ b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManager.h @@ -25,11 +25,12 @@ #include #include -#include #include -#include +#include #include +#include #include +#include namespace apache { namespace thrift { namespace krb5 { @@ -44,9 +45,9 @@ class Krb5CredentialsCacheManager { * The logger object here will log internal events happening in the class. */ explicit Krb5CredentialsCacheManager( - const std::shared_ptr& logger = - std::make_shared(), - int maxCacheSize = -1); + const std::shared_ptr& logger = + std::make_shared(), + int maxCacheSize = -1); virtual ~Krb5CredentialsCacheManager(); @@ -80,6 +81,7 @@ class Krb5CredentialsCacheManager { static const int MANAGE_THREAD_SLEEP_PERIOD; static const int ABOUT_TO_EXPIRE_THRESHOLD; static const int NUM_ELEMENTS_TO_PERSIST_TO_FILE; + static const int NUM_ELEMENTS_TO_LOG; /** * Read in credentials from the default CC file. Throws if @@ -106,9 +108,22 @@ class Krb5CredentialsCacheManager { void initCacheStore(); - bool aboutToExpire(const std::pair& lifetime); + bool aboutToExpire(const Krb5Lifetime& lifetime); bool reachedRenewTime( - const std::pair& lifetime, const std::string& client); + const Krb5Lifetime& lifetime, + const std::string& client); + + void logTopCredentials( + const std::shared_ptr& logger, + const std::string& key); + void logOneCredential( + const std::shared_ptr& logger, + const std::string& key, + const std::shared_ptr& cache); + void logCredentialsCache( + const std::shared_ptr& logger, + const std::string& key, + const std::map& serviceLifetimes); std::unique_ptr ctx_; @@ -121,7 +136,7 @@ class Krb5CredentialsCacheManager { Mutex manageThreadMutex_; // A lock for the two members below bool stopManageThread_; std::condition_variable manageThreadCondVar_; - std::shared_ptr logger_; + std::shared_ptr logger_; bool ccacheTypeIsMemory_; bool updateFileCacheEnabled_; diff --git a/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManagerLogger.h b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManagerLogger.h new file mode 100644 index 00000000000..fa587ff7386 --- /dev/null +++ b/thrift/lib/cpp/util/kerberos/Krb5CredentialsCacheManagerLogger.h @@ -0,0 +1,57 @@ +/* + * Copyright 2016 Facebook, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/* + * Copyright 2014 Facebook, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include + +#include +#include + +namespace apache { +namespace thrift { +namespace krb5 { +class Krb5CredentialsCacheManagerLogger : public virtual SecurityLogger { + public: + Krb5CredentialsCacheManagerLogger() {} + virtual ~Krb5CredentialsCacheManagerLogger() {} + + virtual void logCredentialsCache( + const std::string& key, + const Krb5Keytab& keytab, + const Krb5Principal& defaultPrincipal, + const Krb5Lifetime& ccacheLifetime, + const std::map& serviceLifetimes, + const std::map& tgtLifetimes) {} +}; +} +} +} diff --git a/thrift/lib/cpp/util/kerberos/Krb5Tgts.cpp b/thrift/lib/cpp/util/kerberos/Krb5Tgts.cpp index a10b1558d46..f1e9d1bb4a5 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5Tgts.cpp +++ b/thrift/lib/cpp/util/kerberos/Krb5Tgts.cpp @@ -183,7 +183,7 @@ vector Krb5Tgts::getValidRealms() { return ret; } -std::pair Krb5Tgts::getLifetime() { +Krb5Lifetime Krb5Tgts::getLifetime() { waitForInit(); // Get the lifetime of the main cred ReadLock lock(lock_); @@ -192,6 +192,18 @@ std::pair Krb5Tgts::getLifetime() { tgt_->get().times.endtime); } +std::map Krb5Tgts::getLifetimes() { + waitForInit(); + ReadLock lock(lock_); + const auto mainTgtRealm = getClientPrincipal().getRealm(); + const auto mainTgtLifetime = getLifetime(); + std::map ret = {{mainTgtRealm, mainTgtLifetime}}; + for (const auto& entry : realmTgtsMap_) { + ret[entry.first] = std::make_pair( + entry.second->get().times.starttime, entry.second->get().times.endtime); + } + return ret; +} void Krb5Tgts::waitForInit() { MutexGuard guard(initLock_); diff --git a/thrift/lib/cpp/util/kerberos/Krb5Tgts.h b/thrift/lib/cpp/util/kerberos/Krb5Tgts.h index f70daad8814..6300e655a94 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5Tgts.h +++ b/thrift/lib/cpp/util/kerberos/Krb5Tgts.h @@ -58,7 +58,8 @@ class Krb5Tgts { /** * Get lifetime of the currently loaded creds. */ - std::pair getLifetime(); + Krb5Lifetime getLifetime(); + std::map getLifetimes(); bool isInitialized(); diff --git a/thrift/lib/cpp/util/kerberos/Krb5Util.cpp b/thrift/lib/cpp/util/kerberos/Krb5Util.cpp index 7fc5c0b3dcc..03efbdc825f 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5Util.cpp +++ b/thrift/lib/cpp/util/kerberos/Krb5Util.cpp @@ -337,8 +337,7 @@ void Krb5CCache::getCacheTypeAndName(std::string& cacheType, cacheName = std::string(krb5_cc_get_name(ctx, ccache_)); } -std::pair Krb5CCache::getLifetime( - krb5_principal principal) const { +Krb5Lifetime Krb5CCache::getLifetime(krb5_principal principal) const { const std::string client_realm = getClientPrincipal().getRealm(); std::string princ_realm; krb5_context ctx = context_.get(); diff --git a/thrift/lib/cpp/util/kerberos/Krb5Util.h b/thrift/lib/cpp/util/kerberos/Krb5Util.h index d0682158c57..94decd93047 100644 --- a/thrift/lib/cpp/util/kerberos/Krb5Util.h +++ b/thrift/lib/cpp/util/kerberos/Krb5Util.h @@ -71,7 +71,7 @@ std::ostream& operator<<(std::ostream& os, } namespace apache { namespace thrift { namespace krb5 { - +using Krb5Lifetime = std::pair; /** * This is a convenience method which will raise a std::runtime_error * exception with a useful description if code != 0. @@ -284,8 +284,7 @@ class Krb5CCache { * of 'principal'. If the principal is nullptr, use the ccache's * client principal. */ - std::pair getLifetime( - krb5_principal principal = nullptr) const; + Krb5Lifetime getLifetime(krb5_principal principal = nullptr) const; std::string getName() const; Krb5Principal getClientPrincipal() const; void initialize(krb5_principal cprinc); diff --git a/thrift/perf/cpp/AsyncClientWorker2.cpp b/thrift/perf/cpp/AsyncClientWorker2.cpp index 359f2485c59..0d2a2a3c9fe 100644 --- a/thrift/perf/cpp/AsyncClientWorker2.cpp +++ b/thrift/perf/cpp/AsyncClientWorker2.cpp @@ -18,22 +18,22 @@ #include +#include +#include +#include #include -#include -#include -#include #include +#include +#include +#include +#include +#include #include -#include #include -#include -#include -#include +#include #include #include -#include -#include -#include +#include #include using namespace boost; @@ -282,11 +282,13 @@ LoadTestClientPtr AsyncClientWorker2::createConnection() { if (config->SASLPolicy() == "required" || config->SASLPolicy() == "permitted") { - static auto securityLogger = std::make_shared(); - static auto saslThreadManager = - std::make_shared(securityLogger); + static auto krb5CredentialsCacheManagerLogger = + std::make_shared(); + static auto saslThreadManager = std::make_shared( + krb5CredentialsCacheManagerLogger); static auto credentialsCacheManager = - std::make_shared(securityLogger); + std::make_shared( + krb5CredentialsCacheManagerLogger); channel->setSaslClient(std::unique_ptr( new apache::thrift::GssSaslClient(socket->getEventBase()))); channel->getSaslClient()->setSaslThreadManager(saslThreadManager); diff --git a/thrift/perf/cpp/ClientWorker2.cpp b/thrift/perf/cpp/ClientWorker2.cpp index 228fb0339f9..fdb9e705652 100644 --- a/thrift/perf/cpp/ClientWorker2.cpp +++ b/thrift/perf/cpp/ClientWorker2.cpp @@ -19,15 +19,15 @@ #include #include -#include -#include -#include #include +#include +#include +#include +#include #include #include #include -#include -#include +#include using namespace boost; using namespace apache::thrift::protocol; @@ -110,11 +110,13 @@ std::shared_ptr ClientWorker2::createConnection() { if (config->SASLPolicy() == "required" || config->SASLPolicy() == "permitted") { - static auto securityLogger = std::make_shared(); - static auto saslThreadManager = - std::make_shared(securityLogger); + static auto krb5CredentialsCacheManagerLogger = + std::make_shared(); + static auto saslThreadManager = std::make_shared( + krb5CredentialsCacheManagerLogger); static auto credentialsCacheManager = - std::make_shared(securityLogger); + std::make_shared( + krb5CredentialsCacheManagerLogger); headerChannel->setSaslClient(std::unique_ptr( new apache::thrift::GssSaslClient(socket->getEventBase()) ));