cnauroth commented on code in PR #5248:
URL: https://github.com/apache/hadoop/pull/5248#discussion_r1053628775
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java:
##########
@@ -2206,7 +2206,25 @@ private void saslProcess(RpcSaslProto saslMessage)
AUDITLOG.warn(AUTH_FAILED_FOR + this.toString() + ":"
+ attemptingUser + " (" + e.getLocalizedMessage()
+ ") with true cause: (" + tce.getLocalizedMessage() + ")");
- throw tce;
+ if (!UserGroupInformation.getLoginUser().isLoginSuccess()) {
+ LOG.info("Initiating re-login from IPC Server");
+ if (UserGroupInformation.isLoginKeytabBased()) {
+ UserGroupInformation.getLoginUser().reloginFromKeytab();
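Review bot: in the branch that replaces `throw tce;`, both `UserGroupInformation.getLoginUser()` and `reloginFromKeytab()` can throw `IOException`, and nothing in the visible lines catches it, so a failed re-login would surface in place of the original `tce` and hide the real cause of the authentication failure. Consider running the re-login in its own try/catch that logs the failure, then rethrowing `tce` so the result seen by the client is unchanged. Because this handler sits right after the `AUDITLOG.warn(AUTH_FAILED_FOR ...)` line, it runs on failed authentication attempts from remote clients; while the login is in the failed state, each such attempt reaches the `LOG.info` line and the re-login call, so it is worth fetching the login user once into a local and making sure the log line and the attempt are rate-limited rather than driven per request.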
Review Comment:
If I trace through the chain of these re-login methods, they end up passing
`false` for `ignoreLastLoginTime`. They'll skip the re-login and early exit if
insufficient time (default 60 seconds) has elapsed since last login. Would that
still leave a server potentially in a bad state for up to 60 seconds?
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java:
##########
@@ -529,6 +529,13 @@ private void setLogin(LoginContext login) {
user.setLogin(login);
}
+ /** This method is only helpful for HadoopLoginContext*/
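Review bot: the added Javadoc line does not say what the method returns or what a `true` or `false` result means, and that result is what callers use to decide whether to re-login. Consider a full sentence describing the condition being checked plus an `@return` tag, and add a space before the closing `*/`.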
Review Comment:
There is a minor checkstyle warning here asking for a period at the end of
the sentence.
However, perhaps consider expanding a bit. `HadoopLoginContext` is a private
inner class, so probably best not to discuss it in a public Javadoc. You could
discuss how this method checks for a successful Kerberos login, or defaults to
`true` if not using Kerberos.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.