hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9888) KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
Date Tue, 20 Aug 2013 17:38:52 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177

Chris Nauroth commented on HADOOP-9888:

So far, we've only seen the DNS timeout happen in Windows VMs running in Azure with Oracle
JDK 7.  As a workaround, we created a file named krb5.ini in \Windows with the following contents:

     default_realm = FOO.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false

I propose that if security is not enabled, we skip getting the default realm and just fall
back to a default.  We'll need to verify that {{KerberosName#defaultRealm}} is only used in
code paths where security is enabled.

One tricky aspect is that {{KerberosName}} can be referenced from {{UserGroupInformation#isSecurityEnabled}},
so the static initialization block might run before initialization of {{UserGroupInformation}}
has completed.  We might need to start with something similar to the HADOOP-6913 patch for
0.22 to break this circular initialization.
> KerberosName static initialization gets default realm, which is unneeded in non-secure
> --------------------------------------------------------------------------------------------------
>                 Key: HADOOP-9888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Chris Nauroth
> {{KerberosName}} has a static initialization block that looks up the default realm. 
Running with Oracle JDK7, this code path triggers a DNS query.  In some environments, we've
seen this DNS query block and time out after 30 seconds.  This is part of static initialization,
and the class is referenced from {{UserGroupInformation#initialize}}, so every daemon and
every shell command experiences this delay.  This occurs even for non-secure deployments,
which don't need the default realm.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

View raw message