Todd Lipcon has posted comments on this change.

Change subject: Adjust kerberos renewal logic to avoid tickets with NULL 'renew_till' timestamp
......................................................................


Patch Set 1:

(5 comments)

http://gerrit.cloudera.org:8080/#/c/7770/1//COMMIT_MSG
Commit Message:

PS1, Line 28: does not like this
maybe be slightly more specific and say that the Java library refuses to read a 
ticket which has the RENEWABLE flag set, but no renew_till set.


PS1, Line 30: reqacquiring
typo


http://gerrit.cloudera.org:8080/#/c/7770/1/src/kudu/security/init.cc
File src/kudu/security/init.cc:

PS1, Line 290: difftime
am surprised to see 'difftime'. Never seen that before. Why not just cast to 
(signed) int64_ts?


PS1, Line 290: creds.times.starttime
according to http://web.mit.edu/kerberos/krb5-current/doc/appldev/refs/types/krb5_ticket_times.html#krb5_ticket_times
the starttime may be missing, in which case we would have to fall back to 
'authtime' instead. I've never seen it, but I think we should probably look 
whether that happens and at least make sure we do something sane in that case


PS1, Line 298: (now + ticket_lifetime) > renew_till
we probably want a little bit of slop here just like we had with 
'renew_deadline'. Otherwise if we are exactly at the threshold where things 
break, we might still do a renewal and hit the issue, right?


-- 
To view, visit http://gerrit.cloudera.org:8080/7770
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I59194af94838f680df4ce121a8dee526a876e369
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <sail...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-HasComments: Yes
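
The three points raised on init.cc (signed 64-bit arithmetic instead of difftime, falling back to authtime when starttime is missing, and slop on the renew_till comparison) can be seen together in the sketch below. It is an added example, not code from the Kudu patch or from the reviewer; the struct stands in for krb5_ticket_times, and the names TicketTimes, TicketLifetimeSecs, NextAction, the 30-second kSlopSecs and the treatment of 0 as "not set" are assumptions.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>

// Stand-in for the fields of krb5_ticket_times (krb5_timestamp is a signed
// 32-bit integer in MIT krb5) so the example builds without libkrb5.
struct TicketTimes {
  int32_t authtime;
  int32_t starttime;   // assumed to be 0 when the KDC did not set it
  int32_t endtime;
  int32_t renew_till;  // assumed to be 0 when absent
};

enum class Action { kRenew, kReacquire };

// Hypothetical slop; the page does not say what value the patch uses.
constexpr int64_t kSlopSecs = 30;

// Ticket lifetime in seconds: widen to signed 64-bit before subtracting,
// and fall back to authtime when starttime is missing.
int64_t TicketLifetimeSecs(const TicketTimes& t) {
  const int64_t start = t.starttime != 0 ? t.starttime : t.authtime;
  return static_cast<int64_t>(t.endtime) - start;
}

// Renew only when now + lifetime stays at least kSlopSecs short of
// renew_till; otherwise get a fresh ticket.
Action NextAction(const TicketTimes& t, int64_t now) {
  if (t.renew_till == 0) return Action::kReacquire;  // nothing to renew against
  const int64_t lifetime = TicketLifetimeSecs(t);
  if (lifetime <= 0) return Action::kReacquire;       // malformed times
  if (now + lifetime + kSlopSecs > t.renew_till) return Action::kReacquire;
  return Action::kRenew;
}

int main() {
  // Constructed sample: 10 h lifetime, 7 d renewable window, no starttime.
  const TicketTimes t{1000, 0, 37000, 605800};
  for (int64_t now : {2000LL, 569770LL, 569800LL}) {
    std::cout << "now=" << now << " -> "
              << (NextAction(t, now) == Action::kRenew ? "renew" : "reacquire")
              << "\n";
  }
  return 0;
}
```

The last sample time sits exactly at now + lifetime == renew_till, the boundary case the final comment asks about: without the slop term the comparison would still choose renewal there.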