[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal

Thu, 22 Sep 2011 11:39:57 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112813#comment-13112813
 ] 

jirapos...@reviews.apache.org commented on ZOOKEEPER-1181:
----------------------------------------------------------


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/1958/
-----------------------------------------------------------

(Updated 2011-09-22 18:39:22.010877)


Review request for zookeeper.


Changes
-------

Add link to JIRA.


Summary
-------

Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal:

1. TGTs obtained from a keytab are not refreshed periodically. They should be, 
just as those from ticket cache are refreshed.

2. Ticket renewal should be retried if it fails. Ticket renewal might fail if 
two or more separate processes (different JVMs) running as the same user try to 
renew Kerberos credentials at the same time.


This addresses bug ZOOKEEPER-1181.
    https://issues.apache.org/jira/browse/ZOOKEEPER-1181


Diffs
-----

  src/java/main/org/apache/zookeeper/Login.java de64d0d 

Diff: https://reviews.apache.org/r/1958/diff


Testing
-------

Have tested this with a Kerberized HBase/Hadoop cluster on Amazon EC2. Tested 
with a short Kerberos ticket life (modprinc -maxlife "5 minutes") for zookeeper 
server and clients. Tested with zookeeper server using a keytab and zookeeper 
client with ticket cache. Ran YCSB on HBase successfully on a one master, 3 
regionserver cluster, where the master and 2 of the regionservers ran Quorum 
Peers.


Thanks,

Eugene



> Fix problems with Kerberos TGT renewal
> --------------------------------------
>
>                 Key: ZOOKEEPER-1181
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client, server
>    Affects Versions: 3.4.0
>            Reporter: Eugene Koontz
>            Assignee: Eugene Koontz
>              Labels: kerberos, security
>             Fix For: 3.4.0, 3.5.0
>
>         Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch
>
>
> Currently, in Zookeeper trunk, there are two problems with Kerberos TGT 
> renewal:
> 1. TGTs obtained from a keytab are not refreshed periodically. They should 
> be, just as those from ticket cache are refreshed.
> 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if 
> two or more separate processes (different JVMs) running as the same user try 
> to renew Kerberos credentials at the same time. 

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to