Vincent Grivel created ZOOKEEPER-4477:
-----------------------------------------
Summary: A single Kerberos login failure fails all future
connections from Java 9 onwards
Key: ZOOKEEPER-4477
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4477
Project: ZooKeeper
Issue Type: Bug
Components: kerberos
Affects Versions: 3.5.5
Reporter: Vincent Grivel
Zookeeper refresh thread for Kerberos have the same problem in the reLogin()
[https://github.com/apache/zookeeper/blob/release-3.5.5/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L413]
function as describe in https://issues.apache.org/jira/browse/KAFKA-12730
{quote}The refresh thread for Kerberos performs re-login by logging out and
then logging in again. If login fails, we retry after a backoff. Every
iteration of the loop performs loginContext.logout() and loginContext.login().
If login fails, we end up with two consecutive logouts. This used to work, but
from Java 9 onwards, this results in a NullPointerException due to
[https://bugs.openjdk.java.net/browse/JDK-8173069]. We should check if logout
is required before attempting logout.
{quote}
A NPE is throw if multiple logout() is invoke multiple times:
{code:java}
2022-02-14 18:38:11,899 ERROR org.apache.zookeeper.Login: Failed to refresh
TGT: refresh thread exiting now.
javax.security.auth.login.LoginException: java.lang.NullPointerException:
invalid null input(s)
at java.base/java.util.Objects.requireNonNull(Objects.java:246)
at java.base/javax.security.auth.Subject$SecureSet.remove(Subject.java:1172)
at
java.base/java.util.Collections$SynchronizedCollection.remove(Collections.java:2043)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.logout(Krb5LoginModule.java:1202)
at
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:732)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at
java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
at org.apache.zookeeper.Login.reLogin(Login.java:413)
at org.apache.zookeeper.Login.access$500(Login.java:49)
at org.apache.zookeeper.Login$1.run(Login.java:240)
at java.base/java.lang.Thread.run(Thread.java:834)
at
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at
java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
at org.apache.zookeeper.Login.reLogin(Login.java:413)
at org.apache.zookeeper.Login.access$500(Login.java:49)
at org.apache.zookeeper.Login$1.run(Login.java:240)
at java.base/java.lang.Thread.run(Thread.java:834) {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
