[kudu-CR] [security] avoid tickets with NULL 'renew till'

Tue, 22 Aug 2017 09:42:28 -0700 

Hello Kudu Jenkins,

I'd like you to reexamine a change.  Please visit

    http://gerrit.cloudera.org:8080/7770

to look at the new patch set (#3).

Change subject: [security] avoid tickets with NULL 'renew_till'
......................................................................

[security] avoid tickets with NULL 'renew_till'

It was found that if we use a file based credential cache that is
shared between the C++ side and the java side of a process, and we
encounter the specific edge case where we renew a ticket that has
less than 'ticket_lifetime' left before its 'renew_lifetime' expires,
the ticket is set to have a NULL 'renew_till' timestamp.

Eg:
ticket_lifetime = 10m
renew_lifetime = 100m

[current ticket being renewed] at '15:30:00'
endtime = '15:30:30'
renew_till = '15:31:00'

This ticket will be renewed and the renewed ticket will have the
following values:
endtime = '15:31:00'
renew_till = null

The Java krb5 library refuses to read these kinds of tickets which
have the RENEWABLE flag set but no 'renew_till' set, causing
unexpected failures. We work around this by reacquiring a new ticket
instead of renewing the existing ticket if there is less that
'ticket_lifetime' left between now and the 'renew_till' deadline.

Tracked on the Java side by:
http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8186576

Change-Id: I59194af94838f680df4ce121a8dee526a876e369
---
M src/kudu/integration-tests/external_mini_cluster-test.cc
M src/kudu/security/init.cc
2 files changed, 12 insertions(+), 6 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/70/7770/3
-- 
To view, visit http://gerrit.cloudera.org:8080/7770
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I59194af94838f680df4ce121a8dee526a876e369
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Sailesh Mukil <[email protected]>
Gerrit-Reviewer: Todd Lipcon <[email protected]>

Reply via email to