[
https://issues.apache.org/jira/browse/HADOOP-14687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133410#comment-16133410
]
Daryn Sharp commented on HADOOP-14687:
--------------------------------------
I'm a bit confused about the findbugs. It formerly also very clearly returned
null but wasn't flagged? I can make it return empty string but I'm always
leery of changing behaviors of code in comon...
The test failures are completely unrelated.
> AuthenticatedURL will reuse bad/expired session cookies
> -------------------------------------------------------
>
> Key: HADOOP-14687
> URL: https://issues.apache.org/jira/browse/HADOOP-14687
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.6.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-14687.trunk.patch
>
>
> AuthenticatedURL with kerberos was designed to perform spnego, then use a
> session cookie to avoid renegotiation overhead. Unfortunately the client
> will continue to use a cookie after it expires. Every request elicits a 401,
> connection closes (despite keepalive because 401 is an "error"), TGS is
> obtained, connection re-opened, re-requests with TGS, repeat cycle. This
> places a strain on the kdc and creates lots of time_wait sockets.
>
> The main problem is unbeknownst to the auth url, the JDK transparently does
> spnego. The server issues a new cookie but the auth url doesn't scrape the
> cookie from the response because it doesn't know the JDK re-authenticated.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
