[
https://issues.apache.org/jira/browse/HADOOP-14687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16137467#comment-16137467
]
Jason Lowe commented on HADOOP-14687:
-------------------------------------
+1 for the branch-2.8 patch as well. Committing this.
> AuthenticatedURL will reuse bad/expired session cookies
> -------------------------------------------------------
>
> Key: HADOOP-14687
> URL: https://issues.apache.org/jira/browse/HADOOP-14687
> Project: Hadoop Common
> Issue Type: Bug
> Components: common
> Affects Versions: 2.6.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-14687.2.trunk.patch,
> HADOOP-14687.branch-2.8.patch, HADOOP-14687.trunk.patch
>
>
> AuthenticatedURL with kerberos was designed to perform spnego, then use a
> session cookie to avoid renegotiation overhead. Unfortunately the client
> will continue to use a cookie after it expires. Every request elicits a 401,
> connection closes (despite keepalive because 401 is an "error"), TGS is
> obtained, connection re-opened, re-requests with TGS, repeat cycle. This
> places a strain on the kdc and creates lots of time_wait sockets.
>
> The main problem is unbeknownst to the auth url, the JDK transparently does
> spnego. The server issues a new cookie but the auth url doesn't scrape the
> cookie from the response because it doesn't know the JDK re-authenticated.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
