Sailesh Mukil has uploaded a new patch set (#2). Change subject: Adjust kerberos renewal logic to avoid tickets with NULL 'renew_till' timestamp ......................................................................
Adjust kerberos renewal logic to avoid tickets with NULL 'renew_till' timestamp It was found that if we use a file based credential cache that is shared between the C++ side and the java side of a process, and we encounter the specific edge case where we renew a ticket that has less than 'ticket_lifetime' left before its 'renew_lifetime' expires, the ticket is set to have a NULL 'renew_till' timestamp. Eg: ticket_lifetime = 10m renew_lifetime = 100m [current ticket being renewed] at '15:30:00' endtime = '15:30:30' renew_till = '15:31:00' This ticket will be renewed and the renewed ticket will have the following values: endtime = '15:31:00' renew_till = null The Java krb5 library refuses to read these kinds of tickets which have the RENEWABLE flag set but no 'renew_till' set, causing unexpected failures. We work around this by reacquiring a new ticket instead of renewing the existing ticket if there is less that 'ticket_lifetime' left between now and the 'renew_till' deadline. Change-Id: I59194af94838f680df4ce121a8dee526a876e369 --- M src/kudu/integration-tests/external_mini_cluster-test.cc M src/kudu/security/init.cc 2 files changed, 12 insertions(+), 6 deletions(-) git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/7770/2 -- To view, visit http://gerrit.cloudera.org:8080/7770 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: newpatchset Gerrit-Change-Id: I59194af94838f680df4ce121a8dee526a876e369 Gerrit-PatchSet: 2 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Sailesh Mukil <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Todd Lipcon <[email protected]>
