[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112813#comment-13112813 ]
jirapos...@reviews.apache.org commented on ZOOKEEPER-1181: ---------------------------------------------------------- ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/1958/ ----------------------------------------------------------- (Updated 2011-09-22 18:39:22.010877) Review request for zookeeper. Changes ------- Add link to JIRA. Summary ------- Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. This addresses bug ZOOKEEPER-1181. https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Diffs ----- src/java/main/org/apache/zookeeper/Login.java de64d0d Diff: https://reviews.apache.org/r/1958/diff Testing ------- Have tested this with a Kerberized HBase/Hadoop cluster on Amazon EC2. Tested with a short Kerberos ticket life (modprinc -maxlife "5 minutes") for zookeeper server and clients. Tested with zookeeper server using a keytab and zookeeper client with ticket cache. Ran YCSB on HBase successfully on a one master, 3 regionserver cluster, where the master and 2 of the regionservers ran Quorum Peers. Thanks, Eugene > Fix problems with Kerberos TGT renewal > -------------------------------------- > > Key: ZOOKEEPER-1181 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 > Project: ZooKeeper > Issue Type: Bug > Components: java client, server > Affects Versions: 3.4.0 > Reporter: Eugene Koontz > Assignee: Eugene Koontz > Labels: kerberos, security > Fix For: 3.4.0, 3.5.0 > > Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch > > > Currently, in Zookeeper trunk, there are two problems with Kerberos TGT > renewal: > 1. TGTs obtained from a keytab are not refreshed periodically. They should > be, just as those from ticket cache are refreshed. > 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if > two or more separate processes (different JVMs) running as the same user try > to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira