Impala Public Jenkins has submitted this change and it was merged. Change subject: [security] avoid kerberos ticket renewal and only reacquire ......................................................................
[security] avoid kerberos ticket renewal and only reacquire It was found that if we use a file based credential cache that is shared between the C++ side and the java side of a process, and we encounter the specific edge case where we renew a ticket that has less than 'ticket_lifetime' left before its 'renew_lifetime' expires, the ticket is set to have a NULL 'renew_till' timestamp. Eg: ticket_lifetime = 10m renew_lifetime = 100m [current ticket being renewed] at '15:30:00' endtime = '15:30:30' renew_till = '15:31:00' This ticket will be renewed and the renewed ticket will have the following values: endtime = '15:31:00' renew_till = null The Java krb5 library refuses to read these kinds of tickets which have the RENEWABLE flag set but no 'renew_till' set, causing unexpected failures. Currently, the only way to work around this is to not renew tickets at all and only always reacquire them. The reason for this is that the Java side of a process or even another process may be running its own renewal thread on the same credential cache for the same principal(s). So even if we were to avoid renewing in this window, the Java side could renew in this window, causing the above problem. If we always reacquire the tickets, we're forcefully reseting this window for that principal, thereby not allowing the Java side to hit this bug. The scenario where this bug played out is when using the kudu renewal code in tandem with a hadoop process that use the same principals. Also, currently there is no advantage we gain from just renewing the tickets vs. reacquiring them, either in terms of security or performance, since we login from a keytab. Tracked on the Java side by: http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8186576 Change-Id: I8e5225de332ba785e3a73014b8418cfd4059fe07 Reviewed-on: http://gerrit.cloudera.org:8080/7810 Reviewed-by: Todd Lipcon <[email protected]> Tested-by: Kudu Jenkins Reviewed-on: http://gerrit.cloudera.org:8080/7898 Reviewed-by: Sailesh Mukil <[email protected]> Tested-by: Impala Public Jenkins --- M be/src/kudu/security/init.cc M be/src/kudu/security/init.h 2 files changed, 29 insertions(+), 57 deletions(-) Approvals: Impala Public Jenkins: Verified Sailesh Mukil: Looks good to me, approved -- To view, visit http://gerrit.cloudera.org:8080/7898 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: merged Gerrit-Change-Id: I8e5225de332ba785e3a73014b8418cfd4059fe07 Gerrit-PatchSet: 6 Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-Owner: Sailesh Mukil <[email protected]> Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Michael Ho <[email protected]> Gerrit-Reviewer: Sailesh Mukil <[email protected]> Gerrit-Reviewer: Todd Lipcon <[email protected]>
