[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15013675#comment-15013675
 ] 

Bob commented on ZOOKEEPER-2323:
--------------------------------

With the modification below, the auth issue can be solved; please refer to:

1) Modify Login.java: add one public re-login method for connection setup
{noformat}
    /**
     * Re-login method, just for the client connection setup after network recovery.
     * Note: This method is for internal use only. Be careful when calling it.
     * @throws LoginException
     */
    public void reLoginForSetupConnection()
            throws LoginException {
        if (!isKrbTicket) {
            return;
        }
        LoginContext login = getLogin();
        if (login  == null) {
            throw new LoginException("login must be done first");
        }
        LOG.info("Initiating logout for " + principal);
        synchronized (Login.class) {
            //clear up the kerberos state. But the tokens are not cleared! As per
            //the Java kerberos login module code, only the kerberos credentials
            //are cleared
            login.logout();
            //login and also update the subject field of this instance to
            //have the new credentials (pass it to the LoginContext constructor)
            login = new LoginContext(loginContextName, getSubject());
            LOG.info("Initiating re-login for " + principal);
            login.login();
            setLogin(login);
        }
    }
{noformat}

2) Modify ZooKeeperSaslClient.java: add re-login logic before doing the auth check.
{noformat}
    synchronized private SaslClient createSaslClient(final String 
servicePrincipal,
                                                     final String loginContext) 
throws LoginException {
        try {
            if (login == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("JAAS loginContext is: " + loginContext);
                }
                // note that the login object is static: it's shared amongst 
all zookeeper-related connections.
                // createSaslClient() must be declared synchronized so that 
login is initialized only once.
                login = new Login(loginContext, new 
ClientCallbackHandler(null));
                login.startThreadIfNeeded();
            }
   +        if (login.getSubject().getPrincipals().isEmpty()) {
   +         LOG.info("Begin to reLogin once for this Connection Setup.");
   +         login.reLoginForSetupConnection();
   +        }
            Subject subject = login.getSubject();
            SaslClient saslClient;
            ....
{noformat}
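
Review bot: In the added `if (login.getSubject().getPrincipals().isEmpty())` branch, nothing re-checks the subject after `login.reLoginForSetupConnection()` returns. As posted in step 1, that method returns immediately when `isKrbTicket` is false, so the "Begin to reLogin once for this Connection Setup." message can be logged without any re-login taking place, and `Subject subject = login.getSubject();` on the following line would still see an empty principal set. Consider testing `getPrincipals().isEmpty()` again after the call and raising a LoginException with a clear message if it is still empty, so the failure is reported at connection setup. The two statements inside the new `if` are also indented one column off from the surrounding code.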

If you have any ideas, please let me know. Thanks.

> ZooKeeper client enters into infinite AuthFailedException cycle if its unable 
> to recreate Kerberos ticket
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2323
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2323
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: java client
>    Affects Versions: 3.4.7, 3.5.1
>            Reporter: Arshad Mohammad
>            Assignee: Arshad Mohammad
>             Fix For: 3.4.8, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2323-01.patch
>
>
> ZooKeeper client enters into an infinite AuthFailedException cycle. For every
> operation it throws AuthFailedException.
> Here is the create operation exception:
> {code}
> org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /continuousRunningZKClient
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:127)
>       at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
>       at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1753)
> {code}
> This can be reproduced easily with the following steps:
> # Reduce the ZooKeeper client principal max life, for example set 2 min. Use the
> command {color:blue} modprinc -maxlife 2min zkcli  {color} in kadmin. (This
> is done to reduce the time needed to reproduce the issue.)
> # Connect the Client to the ZooKeeper quorum, let it get connected, and let some
> operations complete successfully.
> # Disconnect the Client's network, by pulling out the Ethernet cable or by
> any other way. Now the Client is in the disconnected state, no operation is
> expected, and the Client tries to reconnect to different servers in the
> ZooKeeper quorum.
> # After two minutes the Client tries to get a new Kerberos ticket and it fails.
> # Connect the Client to the network. The Client comes into the connected state but
> throws AuthFailedException for every operation.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
