Daryn Sharp created HADOOP-14687:
------------------------------------
Summary: AuthenticatedURL will reuse bad/expired session cookies
Key: HADOOP-14687
URL: https://issues.apache.org/jira/browse/HADOOP-14687
Project: Hadoop Common
Issue Type: Bug
Components: common
Affects Versions: 2.6.0
Reporter: Daryn Sharp
Assignee: Daryn Sharp
Priority: Critical
AuthenticatedURL with kerberos was designed to perform spnego, then use a
session cookie to avoid renegotiation overhead. Unfortunately the client will
continue to use a cookie after it expires. Every request elicits a 401,
connection closes (despite keepalive because 401 is an "error"), TGS is
obtained, connection re-opened, re-requests with TGS, repeat cycle. This
places a strain on the kdc and creates lots of time_wait sockets.
The main problem is unbeknownst to the auth url, the JDK transparently does
spnego. The server issues a new cookie but the auth url doesn't scrape the
cookie from the response because it doesn't know the JDK re-authenticated.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
