cshannon commented on issue #3075: URL: https://github.com/apache/accumulo/issues/3075#issuecomment-1332865490
I took a look at this and ran the test in a loop in my IDE until it failed and it fails pretty fast after a few attempts. The root cause is that the identifiers are the same between the two generated tokens. This is due to the fact that the issue date is part of the ID and is used for equality and it's set using System.currentTimeMillis() as shown below. https://github.com/apache/accumulo/blob/b5701423330c8a55e50e8409d2492735149d70e0/server/base/src/main/java/org/apache/accumulo/server/security/delegation/AuthenticationTokenSecretManager.java#L81-L84 This means that if the test runs fast enough and System.currentTimeMillis() returns the same time then the generated ID is the same and the test fails. A simple fix for the test itself is just sleeping 1 millisecond before generating the next token to guarantee a different timestamp and I'll do a quick PR for that. However, a follow on question/issue is whether or not this behavior is ok and if we want to update the Token id to be more random in some way so that this collision doesn't happen. I added some logging to illustrate the issue. #### Here are IDs from a successful run where the issueDate timestamps are different values: `ID1:TAuthenticationTokenIdentifier(principal:[email protected], keyId:1, issueDate:`**`1669849979940`**`, expirationDate:1669850039940, instanceId:6c7a4bc6-f7e6-45c2-be8a-4870d2e59fb5)` `ID2:TAuthenticationTokenIdentifier(principal:[email protected], keyId:1, issueDate:`**`1669849979950`**`, expirationDate:1669850039950, instanceId:6c7a4bc6-f7e6-45c2-be8a-4870d2e59fb5)` #### And here is a failed run where the issueDate timestamps are the same value: `ID1:TAuthenticationTokenIdentifier(principal:[email protected], keyId:1, issueDate:`**`1669849979983`**`, expirationDate:1669850039983, instanceId:e77af232-3d4b-4bf6-941a-5cfd7f3b25d5)` `ID2:TAuthenticationTokenIdentifier(principal:[email protected], keyId:1, issueDate:`**`1669849979983`**`, expirationDate:1669850039983, instanceId:e77af232-3d4b-4bf6-941a-5cfd7f3b25d5)` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
