Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/9050 )
Change subject: KUDU-2264. java: automatically attempt to re-acquire Kerberos credentials before expiration
......................................................................

Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
File java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java:

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java@86
PS3, Line 86:   private final Object subjectLock = new Object();
> I don't know how you feel about this style, but since 'subject' is private,

Subject could have been passed in by the caller, though, in which case we'd be using an external object as an internal lock, which is a no-no IMO.

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java
File java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java:

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java@196
PS3, Line 196:             principal.getRealm() + "@" + principal.getRealm())
> Do we always have the service and the client in the same domain? Maybe, it

Even in a cross-realm situation, you end up with a service ticket to your local realm's KDC. This is called from the findTgt function above, which loops over all your tickets.

For example, I just logged into a cluster which has cross-realm trust from our corporate Active Directory to a cluster-local KDC, kinitted to Active Directory, and then connected to a Kerberos-authenticated service on the cluster.

klist shows:

[todd@xxx ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_2009
Default principal: [email protected]

Valid starting     Expires            Service principal
03/07/18 19:56:23  03/08/18 05:56:25  krbtgt/[email protected]
	renew until 03/14/18 19:56:23
03/07/18 19:56:27  03/08/18 05:56:25  krbtgt/[email protected]
	renew until 03/14/18 19:56:23
03/07/18 19:56:27  03/08/18 05:56:25  impala/[email protected]
	renew until 03/12/18 19:56:27

In this case, it's the krbtgt/[email protected] ticket that we're looking for (i.e. the TGT associated with the primary realm you authenticated to). I'll see if I can add some commentary.


--
To view, visit http://gerrit.cloudera.org:8080/9050

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I514253e0a7f067dbc8ffe4eaf5a7a2c32900b539
Gerrit-Change-Number: 9050
Gerrit-PatchSet: 3
Gerrit-Owner: Todd Lipcon <[email protected]>
Gerrit-Reviewer: Adar Dembo <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Anonymous Coward #380
Gerrit-Reviewer: Dan Burkert <[email protected]>
Gerrit-Reviewer: Hao Hao <[email protected]>
Gerrit-Reviewer: Jean-Daniel Cryans <[email protected]>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <[email protected]>
Gerrit-Comment-Date: Wed, 07 Mar 2018 20:07:00 +0000
Gerrit-HasComments: Yes
