[jira] [Commented] (HADOOP-9888) KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.

Tue, 20 Aug 2013 10:39:54 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177
 ] 

Chris Nauroth commented on HADOOP-9888:
---------------------------------------

So far, we've only seen the DNS timeout happen in Windows VMs running in Azure 
with Oracle JDK 7.  As a workaround, we created a file named krb5.ini in 
\Windows with the following contents:

{code}
[libdefaults]
     default_realm = FOO.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
{code}

I propose that if security is not enabled, we skip getting the default realm 
and just fall back to a default.  We'll need to verify that 
{{KerberosName#defaultRealm}} is only used in code paths where security is 
enabled.

One tricky aspect is that {{KerberosName}} can be referenced from 
{{UserGroupInformation#isSecurityEnabled}}, so the static initialization block 
might run before initialization of {{UserGroupInformation}} has completed.  We 
might need to start with something similar to the HADOOP-6913 patch for 0.22 to 
break this circular initialization.
                
> KerberosName static initialization gets default realm, which is unneeded in 
> non-secure deployment.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Chris Nauroth
>
> {{KerberosName}} has a static initialization block that looks up the default 
> realm.  Running with Oracle JDK7, this code path triggers a DNS query.  In 
> some environments, we've seen this DNS query block and time out after 30 
> seconds.  This is part of static initialization, and the class is referenced 
> from {{UserGroupInformation#initialize}}, so every daemon and every shell 
> command experiences this delay.  This occurs even for non-secure deployments, 
> which don't need the default realm.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to