Tim Armstrong has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/15394 )
Change subject: KUDU-3050: recover from corrupt kerberos ccache ...................................................................... KUDU-3050: recover from corrupt kerberos ccache This handles two failure modes: * krb5_cc_start_seq_get() can fail if the kerberos credential cache gets corrupted on disk, e.g. is truncated. * the renewal can fail to find a credential in the credential cache, either if it is missing or the renewal thread hits an error while reading through credentials. Also add some additional logging and limit the max backoff time to make it easier to debug other kinds of renewal errors. The test triggers a pre-existing memory leak bug in some older Kerberos libraries. Added a suppression for leak sanitizer to ClientNegotiation::CheckGSSAPI() to suppress it. Test: Add a test that exercises the recovery logic after truncating the credential cache. The test failed before this change. Change-Id: I2d6e06c3ea65708896a6bf0134cc84838b3f1b58 --- M src/kudu/integration-tests/security-itest.cc M src/kudu/rpc/client_negotiation.cc M src/kudu/security/init.cc A src/kudu/security/kinit_context.h M src/kudu/security/test/mini_kdc.cc M src/kudu/security/test/mini_kdc.h 6 files changed, 200 insertions(+), 62 deletions(-) Approvals: Adar Dembo: Looks good to me, approved Kudu Jenkins: Verified -- To view, visit http://gerrit.cloudera.org:8080/15394 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: kudu Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I2d6e06c3ea65708896a6bf0134cc84838b3f1b58 Gerrit-Change-Number: 15394 Gerrit-PatchSet: 6 Gerrit-Owner: Tim Armstrong <[email protected]> Gerrit-Reviewer: Adar Dembo <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Kudu Jenkins (120) Gerrit-Reviewer: Tidy Bot (241) Gerrit-Reviewer: Tim Armstrong <[email protected]>
