[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13133974#comment-13133974 ] Hudson commented on ZOOKEEPER-1181: --- Integrated in ZooKeeper-trunk #1342 (See [https://builds.apache.org/job/ZooKeeper-trunk/1342/]) ZOOKEEPER-1181. Fix problems with Kerberos TGT renewal. (Eugene Koontz via mahadev) mahadev : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVNview=revrev=1188033 Files : * /zookeeper/trunk/CHANGES.txt * /zookeeper/trunk/src/java/main/org/apache/zookeeper/Login.java Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13130436#comment-13130436 ] Hadoop QA commented on ZOOKEEPER-1181: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12499644/ZOOKEEPER-1181.patch against trunk revision 1185994. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/625//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/625//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/625//console This message is automatically generated. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13115144#comment-13115144 ] Mahadev konar commented on ZOOKEEPER-1181: -- Eugene, We should write some unit tests for this. I am fine checking this into 3.4 for now. Can you please create a ticket to add a unit test for this? Mockito would be very helpful here. Might make some changes to the patch to get this in ASAP. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13115218#comment-13115218 ] Eugene Koontz commented on ZOOKEEPER-1181: -- Hi Mahadev, good idea; I added ZOOKEEPER-1205 for unit tests for this bug. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13112813#comment-13112813 ] jirapos...@reviews.apache.org commented on ZOOKEEPER-1181: -- --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/1958/ --- (Updated 2011-09-22 18:39:22.010877) Review request for zookeeper. Changes --- Add link to JIRA. Summary --- Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. This addresses bug ZOOKEEPER-1181. https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Diffs - src/java/main/org/apache/zookeeper/Login.java de64d0d Diff: https://reviews.apache.org/r/1958/diff Testing --- Have tested this with a Kerberized HBase/Hadoop cluster on Amazon EC2. Tested with a short Kerberos ticket life (modprinc -maxlife 5 minutes) for zookeeper server and clients. Tested with zookeeper server using a keytab and zookeeper client with ticket cache. Ran YCSB on HBase successfully on a one master, 3 regionserver cluster, where the master and 2 of the regionservers ran Quorum Peers. Thanks, Eugene Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13112253#comment-13112253 ] Eugene Koontz commented on ZOOKEEPER-1181: -- Hi Patrick, I'd like to push for this to be included in 3.4.0. It fixes significant problems with the currently-available Kerberos support in the 3.4.0 branch and trunk. Thanks for considering it, Eugene Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0, 3.5.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13108059#comment-13108059 ] Thomas Koch commented on ZOOKEEPER-1181: Could you please upload the patch to https://reviews.apache.org/r/new/ for review? Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13108098#comment-13108098 ] Eugene Koontz commented on ZOOKEEPER-1181: -- Hi Thomas, Thanks for your interest! Please see the review here: https://reviews.apache.org/r/1958 -Eugene Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13104517#comment-13104517 ] Camille Fournier commented on ZOOKEEPER-1181: - I wish this was a touch cleaner... aren't reloginFromKeytab and reloginFromTicketCache almost the same method? Can we refactor the retry logic into one place? Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13105010#comment-13105010 ] Eugene Koontz commented on ZOOKEEPER-1181: -- This was a one master, 3 regionserver cluster, where the master and 2 of the regionservers ran Quorum Peers. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13105008#comment-13105008 ] Eugene Koontz commented on ZOOKEEPER-1181: -- bq. -1 tests included. The patch doesn't appear to include any new or modified tests. bq. Please justify why no new tests are needed for this patch. bq. Also please list what manual steps were performed to verify this patch. Have tested this with a Kerberized HBase/Hadoop cluster on Amazon EC2. Tested with a short Kerberos ticket life (modprinc -maxlife 5 minutes) for zookeeper server and clients. Tested with zookeeper server using a keytab and zookeeper client with ticket cache. Ran YCSB on HBase successfully. I think I might be able to learn Mockito and mock up a Kerberos server for adding additional tests, but would rather defer that to later. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch, ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (ZOOKEEPER-1181) Fix problems with Kerberos TGT renewal
[ https://issues.apache.org/jira/browse/ZOOKEEPER-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13104092#comment-13104092 ] Hadoop QA commented on ZOOKEEPER-1181: -- -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12494346/ZOOKEEPER-1181.patch against trunk revision 1170365. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. -1 findbugs. The patch appears to introduce 2 new Findbugs (version 1.3.9) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/531//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/531//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/531//console This message is automatically generated. Fix problems with Kerberos TGT renewal -- Key: ZOOKEEPER-1181 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1181 Project: ZooKeeper Issue Type: Bug Components: java client, server Affects Versions: 3.4.0 Reporter: Eugene Koontz Assignee: Eugene Koontz Labels: kerberos, security Fix For: 3.4.0 Attachments: ZOOKEEPER-1181.patch Currently, in Zookeeper trunk, there are two problems with Kerberos TGT renewal: 1. TGTs obtained from a keytab are not refreshed periodically. They should be, just as those from ticket cache are refreshed. 2. Ticket renewal should be retried if it fails. Ticket renewal might fail if two or more separate processes (different JVMs) running as the same user try to renew Kerberos credentials at the same time. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira