surendralilhore commented on code in PR #5248:
URL: https://github.com/apache/hadoop/pull/5248#discussion_r1058376241
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java:
##########
@@ -2206,7 +2206,25 @@ private void saslProcess(RpcSaslProto saslMessage)
AUDITLOG.warn(AUTH_FAILED_FOR + this.toString() + ":"
+ attemptingUser + " (" + e.getLocalizedMessage()
+ ") with true cause: (" + tce.getLocalizedMessage() + ")");
- throw tce;
+ if (!UserGroupInformation.getLoginUser().isLoginSuccess()) {
+ LOG.info("Initiating re-login from IPC Server");
+ if (UserGroupInformation.isLoginKeytabBased()) {
+ UserGroupInformation.getLoginUser().reloginFromKeytab();
Review Comment:
Thanks @cnauroth.
Added new API `forceReloginFromTicketCache()` and using both the force API
in `Server.java`
>A drawback is that it's potentially a dangerous API if used incorrectly,
because it could spam the KDC.
I have added check to use force login API only once in `Server.java` after
failure and if it fails again then it will wait for 60 seconds. Handling this
by adding **canTryForceLogin** in `Server.java.`
> We could add that, but expanding the public API footprint of
UserGroupInformation should not be taken lightly.
Mostly people will use it for new development and they should aware of use
case.
> Ideally, I'd like to get a second opinion from one more committer.
@liuml07 Please can you give your opinion here as you reviewed HADOOP-17159
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
