[
https://issues.apache.org/jira/browse/ZOOKEEPER-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498008#comment-17498008
]
Vincent Grivel commented on ZOOKEEPER-4477:
-------------------------------------------
[~symat] I'm not working on a patch so I will let you do it if it is good.
We start seeing this issue by doing an extensive test of KDC failures and
resiliency of Kafka. For that we simulate KDC failure while decreasing the TGT
validity to few minutes.
Linked to that issue, we also raised a JDK enhancement request:
[https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8282223] as currently
only a SocketTimeoutException trigger the retry mechanism to connect to the KDC.
> A single Kerberos login failure fails all future connections from Java 9
> onwards
> --------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4477
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4477
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos
> Affects Versions: 3.5.9, 3.6.3, 3.7.0
> Reporter: Vincent Grivel
> Assignee: Mate Szalay-Beko
> Priority: Minor
>
> Zookeeper refresh thread for Kerberos have the same problem in the reLogin()
> [https://github.com/apache/zookeeper/blob/release-3.5.5/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L413]
> function as describe in https://issues.apache.org/jira/browse/KAFKA-12730
> {quote}The refresh thread for Kerberos performs re-login by logging out and
> then logging in again. If login fails, we retry after a backoff. Every
> iteration of the loop performs loginContext.logout() and
> loginContext.login(). If login fails, we end up with two consecutive logouts.
> This used to work, but from Java 9 onwards, this results in a
> NullPointerException due to
> [https://bugs.openjdk.java.net/browse/JDK-8173069]. We should check if logout
> is required before attempting logout.
> {quote}
>
> A NPE is throw if multiple logout() is invoke multiple times:
> {code:java}
> 2022-02-14 18:38:11,899 ERROR org.apache.zookeeper.Login: Failed to refresh
> TGT: refresh thread exiting now.
> javax.security.auth.login.LoginException: java.lang.NullPointerException:
> invalid null input(s)
> at java.base/java.util.Objects.requireNonNull(Objects.java:246)
> at
> java.base/javax.security.auth.Subject$SecureSet.remove(Subject.java:1172)
> at
> java.base/java.util.Collections$SynchronizedCollection.remove(Collections.java:2043)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.logout(Krb5LoginModule.java:1202)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:732)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
> at org.apache.zookeeper.Login.reLogin(Login.java:413)
> at org.apache.zookeeper.Login.access$500(Login.java:49)
> at org.apache.zookeeper.Login$1.run(Login.java:240)
> at java.base/java.lang.Thread.run(Thread.java:834)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
> at org.apache.zookeeper.Login.reLogin(Login.java:413)
> at org.apache.zookeeper.Login.access$500(Login.java:49)
> at org.apache.zookeeper.Login$1.run(Login.java:240)
> at java.base/java.lang.Thread.run(Thread.java:834) {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
