[
https://issues.apache.org/jira/browse/HADOOP-9749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daryn Sharp updated HADOOP-9749:
--------------------------------
Attachment: HADOOP-9749.branch-2.patch
HADOOP-9749.trunk.patch
Latest versions of age old internal patches to avoid ugi synchronization issues
that cause unnecessary contention and corruption of private credentials during
relogin.
The synchronization model for the ugi is fundamentally flawed. Instance level
synchronization is meaningless due to many-to-1 relationship of ugi to subject.
Class level synchronization only applies to other ugi methods, not to
authenticators (ex. gssapi or spnego) which also modify the private creds.
The current class synchronization is primarily intended to guard
getCurrentUser/getLoginUser against a relogin. The creates a contention point
for common case usage, which doesn’t guard against authenticator modifications.
The comprehensive solution is removing class and instance synchronization,
replacing with authenticator friendly synchronization on the underlying
Subject’s private credentials during:
# Instantiation of a new ugi to guard the checks for keytab and ticket.
# Entire relogin (logout/login) to avoid inconsistencies or corruption by
authenticators.
There’s one wrinkle as detailed by another subtask. The hadoop login conf
relies on class statics for keytab and principal. Until removed, this requires
all login-related methods related to synchronize on a global login lock before
synchronizing on the Subject’s private credentials. Effectively this replaces
the class level synchronization previously used to protect these fields,
enabling getCurrentUser to become concurrent.
> Remove synchronization for UGI.getCurrentUser
> ---------------------------------------------
>
> Key: HADOOP-9749
> URL: https://issues.apache.org/jira/browse/HADOOP-9749
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9749.branch-2.patch, HADOOP-9749.trunk.patch
>
>
> HADOOP-7854 added synchronization to {{getCurrentUser}} due to
> {{ConcurrentModificationExceptions}}. This degrades NN call handler
> performance.
> The problem was not well understood at the time, but it's caused by a
> collision between relogin and {{getCurrentUser}} due to a bug in
> {{Krb5LoginModule}}. Avoiding the collision will allow removal of the
> synchronization.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
