Todd Lipcon has posted comments on this change. ( )

Change subject: KUDU-2264. java: automatically attempt to re-acquire Kerberos 
credentials before expiration

Patch Set 3:

File java/kudu-client/src/main/java/org/apache/kudu/client/
PS3, Line 86:   private final Object subjectLock = new Object();
> I don't know how you feel about this style, but since 'subject' is private,
Subject could have been passed in by the caller, though, in which case we'd be 
using an external object as an internal lock which is a no-no IMO.
File java/kudu-client/src/main/java/org/apache/kudu/util/
PS3, Line 196: principal.getRealm() + "@" + principal.getRealm())
> Do we always have the service and the client in the same domain?  Maybe, it
Even in a cross-realm situation, you end up with a service ticket to your local 
realm's KDC. This is called from the findTgt function above which loops over 
all your tickets.

For example, I just logged into a cluster which has cross-realm trust from our 
corporate active directory to a cluster-local KDC, kinitted to active 
directory, and then connected to a kerberos-authenticated service on the 
cluster. kinit shows:

[todd@xxx ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_2009
Default principal: todd@CLOUDERA.LOCAL

Valid starting     Expires            Service principal
03/07/18 19:56:23  03/08/18 05:56:25  krbtgt/CLOUDERA.LOCAL@CLOUDERA.LOCAL
        renew until 03/14/18 19:56:23
03/07/18 19:56:27  03/08/18 05:56:25  krbtgt/PROD.EDH@CLOUDERA.LOCAL
        renew until 03/14/18 19:56:23
03/07/18 19:56:27  03/08/18 05:56:25  impala/xxx.cloudera....@prod.edh
        renew until 03/12/18 19:56:27

In this case, it's the krbtgt/CLOUDERA.LOCAL@CLOUDERA.LOCAL ticket that we're 
looking for (ie the TGT associated with the primary realm you authenticated 
to). I'll see if I can add some commentary.

To view, visit
To unsubscribe, visit

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I514253e0a7f067dbc8ffe4eaf5a7a2c32900b539
Gerrit-Change-Number: 9050
Gerrit-PatchSet: 3
Gerrit-Owner: Todd Lipcon <>
Gerrit-Reviewer: Adar Dembo <>
Gerrit-Reviewer: Alexey Serbin <>
Gerrit-Reviewer: Anonymous Coward #380
Gerrit-Reviewer: Dan Burkert <>
Gerrit-Reviewer: Hao Hao <>
Gerrit-Reviewer: Jean-Daniel Cryans <>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <>
Gerrit-Comment-Date: Wed, 07 Mar 2018 20:07:00 +0000
Gerrit-HasComments: Yes

Reply via email to