This is an automated email from the ASF dual-hosted git repository.

pvillard pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 921e3d0f2a NIFI-11604 Improve handling of non-renewable tickets in 
AbstractKerberosUser
921e3d0f2a is described below

commit 921e3d0f2a01503aec51297c656b7db2376c45be
Author: Bryan Bende <bbe...@apache.org>
AuthorDate: Thu May 25 15:48:32 2023 -0400

    NIFI-11604 Improve handling of non-renewable tickets in AbstractKerberosUser
    
    Signed-off-by: Pierre Villard <pierre.villard...@gmail.com>
    
    This closes #7301.
---
 .../nifi/security/krb/AbstractKerberosUser.java    | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git 
a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
 
b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
index cc443c4b54..20936d5ea3 100644
--- 
a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
+++ 
b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
@@ -196,10 +196,8 @@ public abstract class AbstractKerberosUser implements 
KerberosUser {
     public synchronized boolean checkTGTAndRelogin()  {
         final KerberosTicket tgt = getTGT();
         if (tgt == null) {
-            LOGGER.debug("TGT for {} was not found, performing logout/login", 
principal);
-            logout();
-            login();
-            return true;
+            LOGGER.debug("TGT for {} was not found", principal);
+            return logoutAndLogin();
         }
 
         if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
@@ -207,6 +205,11 @@ public abstract class AbstractKerberosUser implements 
KerberosUser {
             return false;
         }
 
+        if (!tgt.isRenewable() || tgt.getRenewTill() == null) {
+            return logoutAndLogin();
+        }
+
+        LOGGER.debug("TGT for {} is renewable, will attempt refresh", 
principal);
         try {
             tgt.refresh();
             LOGGER.debug("TGT for {} was refreshed", principal);
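Review bot: The new branch for `!tgt.isRenewable() || tgt.getRenewTill() == null` returns through `logoutAndLogin()` without logging why, while the renewable path right below it logs that a refresh will be attempted. Add a line before the return such as `LOGGER.debug("TGT for {} is not renewable or has no renew-till time", principal);` so the debug log separates a ticket that cannot be renewed from one whose refresh failed. The body of `checkTGTAndRelogin` starts and ends outside this hunk.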
@@ -214,12 +217,15 @@ public abstract class AbstractKerberosUser implements 
KerberosUser {
         } catch (final RefreshFailedException e) {
             LOGGER.debug("TGT for {} could not be refreshed", principal);
             LOGGER.trace("", e);
-            LOGGER.debug("Performing logout/login for {}", principal);
-            logout();
-            login();
-            return true;
+            return logoutAndLogin();
         }
+    }
 
+    private boolean logoutAndLogin() {
+        LOGGER.debug("Performing logout/login", principal);
+        logout();
+        login();
+        return true;
     }
 
     /**
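Review bot: The debug call in the new `logoutAndLogin()` passes `principal`, but the message has no `{}` placeholder, so the principal is dropped from the log line; the removed call site in this hunk used `"Performing logout/login for {}"`. Change it to `LOGGER.debug("Performing logout/login for {}", principal);` so each re-login can be attributed to a principal when tracing ticket expiry. The helper is also undocumented: a short Javadoc could state that it always returns `true` to signal that a re-login happened, and that it appears to rely on the caller's `synchronized` lock (the callers visible in this diff are all inside `checkTGTAndRelogin`).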
