On 5/15/2014 9:27, Xuelei Fan wrote:
On 5/14/2014 8:24 PM, Weijun Wang wrote:
How is this unsafe, especially compared to if we don't fix it? The only
bad thing is that if someone wants to set the timeout to be less than
120 ms, now there will be no way to do it. But that should never happen,
right?
My concerns is that it might happen. 120ms is not a small number, and
120s is not a big number in some circumstances.
120ms and 120s are possible values,
So it is really confusing to me that 119 will be treated as seconds, and
121 will be treated as milliseconds.
This is unfortunate, we can document it.
but I doubt people will set them in
krb5.conf.
I did not get your idea. People won't use kdc_timeout option at all?
No, what I mean is people is not likely to set these values as
kdc_timeout. If someone sets it to 120ms it means he does not want to
wait more than that and would rather switch to another KDC or fail. That
looks too impatient. If someone sets it to 120s, that is a too long time
for me. In general, 3 sec to 30 sec sounds sane.
Alternatively, for better inerop, we can suggest to use explicit spec in
the configure instead of guess the what the spec is. Support two
default specs is really confusing.
Unless we drop kdc_timeout and invent a new key name, we will have to
deal with the correctness (sec) and compatibility (msec) at the same
time. Yes, we can suggest people always adding a unit, but it looks most
people simply put a bare number there.
IMHO, just declare it as a known issue of Java is an alternative
approach I may prefer.
Is Java the only implementation to use milliseconds in the
configuration? Do we have public specification for the kdc_timeout
option? Or we just declare we follow the industry conversions? If Java
is the only vendor to use milliseconds wrongly, it may be OK to make the
correction in a major release (JDK 9?).
We should be the only one using msec.
Java SE have a public spec saying the default value is 30000, that
implies we uses msec. Oracle has other doc claiming it's msec:
http://docs.oracle.com/cd/E19728-01/820-2550/activedir_auth.html
If we just change to sec it is a big compatibility issue. User won't
notice any error report expect finding their app runs much slower.
Thanks
Max
Xuelei
