[
https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13105008#comment-13105008
]
Eugene Koontz commented on ZOOKEEPER-1181:
------------------------------------------
bq. -1 tests included. The patch doesn't appear to include any new or modified
tests.
bq. Please justify why no new tests are needed for this patch.
bq. Also please list what manual steps were performed to verify this patch.
Have tested this with a Kerberized HBase/Hadoop cluster on Amazon EC2. Tested
with a short Kerberos ticket life (modprinc -maxlife "5 minutes") for zookeeper
server and clients. Tested with zookeeper server using a keytab and zookeeper
client with ticket cache. Ran YCSB on HBase successfully.
I think I might be able to learn Mockito and mock up a Kerberos server for
adding additional tests, but would rather defer that to later.
> Fix problems with Kerberos TGT renewal
> --------------------------------------
>
> Key: ZOOKEEPER-1181
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181
> Project: ZooKeeper
> Issue Type: Bug
> Components: java client, server
> Affects Versions: 3.4.0
> Reporter: Eugene Koontz
> Assignee: Eugene Koontz
> Labels: kerberos, security
> Fix For: 3.4.0
>
> Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch
>
>
> Currently, in Zookeeper trunk, there are two problems with Kerberos TGT
> renewal:
> 1. TGTs obtained from a keytab are not refreshed periodically. They should
> be, just as those from ticket cache are refreshed.
> 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if
> two or more separate processes (different JVMs) running as the same user try
> to renew Kerberos credentials at the same time.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
