Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/9050 )
Change subject: KUDU-2264. java: automatically attempt to re-acquire Kerberos credentials before expiration
......................................................................

Patch Set 3:

(2 comments)

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java
File java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java:

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/client/SecurityContext.java@86
PS3, Line 86:   private final Object subjectLock = new Object();
> I don't know how you feel about this style, but since 'subject' is private,
Subject could have been passed in by the caller, though, in which case we'd be using an external object as an internal lock, which is a no-no IMO.

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java
File java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java:

http://gerrit.cloudera.org:8080/#/c/9050/3/java/kudu-client/src/main/java/org/apache/kudu/util/SecurityUtil.java@196
PS3, Line 196:             principal.getRealm() + "@" + principal.getRealm())
> Do we always have the service and the client in the same domain? Maybe, it
Even in a cross-realm situation, you end up with a service ticket to your local realm's KDC. This is called from the findTgt function above, which loops over all your tickets.

For example, I just logged into a cluster which has cross-realm trust from our corporate Active Directory to a cluster-local KDC, kinitted to Active Directory, and then connected to a Kerberos-authenticated service on the cluster.
kinit shows:

[todd@xxx ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_2009
Default principal: todd@CLOUDERA.LOCAL

Valid starting       Expires              Service principal
03/07/18 19:56:23    03/08/18 05:56:25    krbtgt/CLOUDERA.LOCAL@CLOUDERA.LOCAL
        renew until 03/14/18 19:56:23
03/07/18 19:56:27    03/08/18 05:56:25    krbtgt/PROD.EDH@CLOUDERA.LOCAL
        renew until 03/14/18 19:56:23
03/07/18 19:56:27    03/08/18 05:56:25    impala/xxx.cloudera....@prod.edh
        renew until 03/12/18 19:56:27

In this case, it's the krbtgt/CLOUDERA.LOCAL@CLOUDERA.LOCAL ticket that we're looking for (i.e. the TGT associated with the primary realm you authenticated to). I'll see if I can add some commentary.

--
To view, visit http://gerrit.cloudera.org:8080/9050
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I514253e0a7f067dbc8ffe4eaf5a7a2c32900b539
Gerrit-Change-Number: 9050
Gerrit-PatchSet: 3
Gerrit-Owner: Todd Lipcon <t...@apache.org>
Gerrit-Reviewer: Adar Dembo <a...@cloudera.com>
Gerrit-Reviewer: Alexey Serbin <aser...@cloudera.com>
Gerrit-Reviewer: Anonymous Coward #380
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>
Gerrit-Reviewer: Hao Hao <hao....@cloudera.com>
Gerrit-Reviewer: Jean-Daniel Cryans <jdcry...@apache.org>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <t...@apache.org>
Gerrit-Comment-Date: Wed, 07 Mar 2018 20:07:00 +0000
Gerrit-HasComments: Yes
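As an added example that is not Kudu's code and not part of this review, here is the selection rule discussed at SecurityUtil.java line 196 applied to a `klist` listing: parse the credential cache dump and pick the `krbtgt/<realm>@<realm>` ticket whose realm equals the realm of the default principal, so that the cross-realm `krbtgt/PROD.EDH@CLOUDERA.LOCAL` entry is skipped. The sample listing is constructed for this example (the realms are the ones from the thread, the impala service hostname is a placeholder), and `parse_klist`, `find_tgt` and `seconds_until_expiry` are names chosen here, not the Kudu client's `findTgt`.

```python
"""Locate the TGT for the realm a client authenticated to in a credential
cache listing, handling the cross-realm case from the review thread.

Added example, not Kudu's code: it reimplements the rule stated in the
thread (the TGT is the ticket whose service principal is
krbtgt/<client realm>@<client realm>) over the text that `klist` prints.
"""
import re
from datetime import datetime

# Constructed klist output for this example. Realms are the ones from the
# thread; the impala service hostname is a placeholder, not a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_2009
Default principal: todd@CLOUDERA.LOCAL

Valid starting       Expires              Service principal
03/07/18 19:56:23    03/08/18 05:56:25    krbtgt/CLOUDERA.LOCAL@CLOUDERA.LOCAL
\trenew until 03/14/18 19:56:23
03/07/18 19:56:27    03/08/18 05:56:25    krbtgt/PROD.EDH@CLOUDERA.LOCAL
\trenew until 03/14/18 19:56:23
03/07/18 19:56:27    03/08/18 05:56:25    impala/host.placeholder.example@PROD.EDH
\trenew until 03/12/18 19:56:27
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (_TS, _TS))
RENEW_RE = re.compile(r"^\s+renew until (%s)$" % _TS)


def parse_time(s):
    """Parse a klist timestamp such as '03/08/18 05:56:25'."""
    return datetime.strptime(s, TIME_FMT)


def parse_klist(text):
    """Return (default principal, list of tickets) from klist output.

    Each ticket is a dict with start, expires, service and renew_until
    (None when no 'renew until' line follows the ticket)."""
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": parse_time(m.group(1)),
                "expires": parse_time(m.group(2)),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = parse_time(m.group(1))
    if principal is None:
        raise ValueError("no 'Default principal:' line in klist output")
    return principal, tickets


def realm_of(principal):
    """Realm of a principal name: the part after the last '@'."""
    if "@" not in principal:
        raise ValueError("principal %r has no realm" % principal)
    return principal.rsplit("@", 1)[1]


def find_tgt(principal, tickets):
    """Return the ticket for krbtgt/<realm>@<realm>, <realm> being the
    client principal's realm, or None if the cache holds no such ticket.

    Matching the exact service name skips a cross-realm entry such as
    krbtgt/PROD.EDH@CLOUDERA.LOCAL: that is the ticket used to reach the
    PROD.EDH KDC, not the TGT for the realm the client authenticated to."""
    realm = realm_of(principal)
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for t in tickets:
        if t["service"] == wanted:
            return t
    return None


def seconds_until_expiry(ticket, now):
    """Seconds the ticket stays valid from `now` (negative once expired);
    the value a refresh loop compares against its lead time."""
    return (ticket["expires"] - now).total_seconds()


if __name__ == "__main__":
    who, cache = parse_klist(SAMPLE_KLIST)
    tgt = find_tgt(who, cache)
    print("client:", who)
    print("TGT:", tgt["service"], "expires", tgt["expires"])
```

Run stand-alone it prints the TGT for `todd@CLOUDERA.LOCAL`; pass a principal from PROD.EDH to `find_tgt` against the same cache and it returns None, which is the cross-realm case where the only krbtgt entries for that realm are cross-realm tickets rather than a TGT obtained from that realm's KDC.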