[ https://issues.apache.org/jira/browse/ZOOKEEPER-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mate Szalay-Beko updated ZOOKEEPER-4477: ---------------------------------------- Affects Version/s: 3.7.0 3.6.3 3.5.9 (was: 3.5.5) > A single Kerberos login failure fails all future connections from Java 9 > onwards > -------------------------------------------------------------------------------- > > Key: ZOOKEEPER-4477 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4477 > Project: ZooKeeper > Issue Type: Bug > Components: kerberos > Affects Versions: 3.5.9, 3.6.3, 3.7.0 > Reporter: Vincent Grivel > Assignee: Mate Szalay-Beko > Priority: Minor > > Zookeeper refresh thread for Kerberos have the same problem in the reLogin() > [https://github.com/apache/zookeeper/blob/release-3.5.5/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L413] > function as describe in https://issues.apache.org/jira/browse/KAFKA-12730 > {quote}The refresh thread for Kerberos performs re-login by logging out and > then logging in again. If login fails, we retry after a backoff. Every > iteration of the loop performs loginContext.logout() and > loginContext.login(). If login fails, we end up with two consecutive logouts. > This used to work, but from Java 9 onwards, this results in a > NullPointerException due to > [https://bugs.openjdk.java.net/browse/JDK-8173069]. We should check if logout > is required before attempting logout. > {quote} > > A NPE is throw if multiple logout() is invoke multiple times: > {code:java} > 2022-02-14 18:38:11,899 ERROR org.apache.zookeeper.Login: Failed to refresh > TGT: refresh thread exiting now. > javax.security.auth.login.LoginException: java.lang.NullPointerException: > invalid null input(s) > at java.base/java.util.Objects.requireNonNull(Objects.java:246) > at > java.base/javax.security.auth.Subject$SecureSet.remove(Subject.java:1172) > at > java.base/java.util.Collections$SynchronizedCollection.remove(Collections.java:2043) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.logout(Krb5LoginModule.java:1202) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:732) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613) > at org.apache.zookeeper.Login.reLogin(Login.java:413) > at org.apache.zookeeper.Login.access$500(Login.java:49) > at org.apache.zookeeper.Login$1.run(Login.java:240) > at java.base/java.lang.Thread.run(Thread.java:834) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613) > at org.apache.zookeeper.Login.reLogin(Login.java:413) > at org.apache.zookeeper.Login.access$500(Login.java:49) > at org.apache.zookeeper.Login$1.run(Login.java:240) > at java.base/java.lang.Thread.run(Thread.java:834) {code} -- This message was sent by Atlassian Jira (v8.20.1#820001)