This is an automated email from the ASF dual-hosted git repository. pvillard pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 921e3d0f2a NIFI-11604 Improve handling of non-renewable tickets in AbstractKerberosUser 921e3d0f2a is described below commit 921e3d0f2a01503aec51297c656b7db2376c45be Author: Bryan Bende <bbe...@apache.org> AuthorDate: Thu May 25 15:48:32 2023 -0400 NIFI-11604 Improve handling of non-renewable tickets in AbstractKerberosUser Signed-off-by: Pierre Villard <pierre.villard...@gmail.com> This closes #7301.
---
 .../nifi/security/krb/AbstractKerberosUser.java | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
index cc443c4b54..20936d5ea3 100644
--- a/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
+++ b/nifi-commons/nifi-security-kerberos/src/main/java/org/apache/nifi/security/krb/AbstractKerberosUser.java
@@ -196,10 +196,8 @@ public abstract class AbstractKerberosUser implements KerberosUser {
 public synchronized boolean checkTGTAndRelogin() {
 final KerberosTicket tgt = getTGT();
 if (tgt == null) {
- LOGGER.debug("TGT for {} was not found, performing logout/login", principal);
- logout();
- login();
- return true;
+ LOGGER.debug("TGT for {} was not found", principal);
+ return logoutAndLogin();
 }

 if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
@@ -207,6 +205,11 @@ public abstract class AbstractKerberosUser implements KerberosUser {
 return false;
 }

+ if (!tgt.isRenewable() || tgt.getRenewTill() == null) {
+ return logoutAndLogin();
+ }
+
+ LOGGER.debug("TGT for {} is renewable, will attempt refresh", principal);
 try {
 tgt.refresh();
 LOGGER.debug("TGT for {} was refreshed", principal);
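Review bot: The non-renewable branch in the second hunk (`!tgt.isRenewable() || tgt.getRenewTill() == null`) returns through `logoutAndLogin()` without logging why the refresh was skipped, while the renewable path directly below it gets its own debug line. Adding `LOGGER.debug("TGT for {} is not renewable, skipping refresh", principal);` before the return would let an operator tell a ticket policy that forbids renewal apart from a refresh that failed. A short comment such as `// refresh() throws on a non-renewable ticket, so go straight to a fresh login` would record the intent of the check. The body of checkTGTAndRelogin starts in the previous hunk and continues past this one.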
@@ -214,12 +217,15 @@ public abstract class AbstractKerberosUser implements KerberosUser {
 } catch (final RefreshFailedException e) {
 LOGGER.debug("TGT for {} could not be refreshed", principal);
 LOGGER.trace("", e);
- LOGGER.debug("Performing logout/login for {}", principal);
- logout();
- login();
- return true;
+ return logoutAndLogin();
 }
+ }

+ private boolean logoutAndLogin() {
+ LOGGER.debug("Performing logout/login", principal);
+ logout();
+ login();
+ return true;
 }

 /**
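Review bot: The new `logoutAndLogin()` helper passes `principal` to a format string that has no `{}` placeholder, so the argument is silently dropped and the debug line no longer names the principal being re-authenticated. The removed line it replaces read "Performing logout/login for {}", so this looks like an accidental loss; change it to `LOGGER.debug("Performing logout/login for {}", principal);`. Without the principal, relogin events for different Kerberos users in the same log cannot be correlated when troubleshooting or auditing ticket handling. The helper would also benefit from a one-line comment stating that it always returns true to signal that a relogin took place.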