hadoop-common-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-9888) KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
Date Tue, 20 Aug 2013 17:38:52 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177 ]

Chris Nauroth commented on HADOOP-9888:
---------------------------------------

So far, we've only seen the DNS timeout happen in Windows VMs running in Azure with Oracle
JDK 7.  As a workaround, we created a file named krb5.ini in \Windows with the following contents:

{code}
[libdefaults]
     default_realm = FOO.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
{code}

I propose that if security is not enabled, we skip getting the default realm and just fall
back to a default.  We'll need to verify that {{KerberosName#defaultRealm}} is only used in
code paths where security is enabled.

One tricky aspect is that {{KerberosName}} can be referenced from {{UserGroupInformation#isSecurityEnabled}},
so the static initialization block might run before initialization of {{UserGroupInformation}}
has completed.  We might need to start with something similar to the HADOOP-6913 patch for
0.22 to break this circular initialization.
                
> KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Chris Nauroth
>
> {{KerberosName}} has a static initialization block that looks up the default realm.
> Running with Oracle JDK7, this code path triggers a DNS query.  In some environments, we've
> seen this DNS query block and time out after 30 seconds.  This is part of static initialization,
> and the class is referenced from {{UserGroupInformation#initialize}}, so every daemon and
> every shell command experiences this delay.  This occurs even for non-secure deployments,
> which don't need the default realm.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
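
The deferral proposed in the comment above, as an added example (not code from the post or from Hadoop): the realm lookup moves out of the static initializer into a lazy getter that returns a fallback when security is disabled. The names {{LazyRealmDemo}}, {{RealmName}}, {{securityEnabled}} and {{slowRealmLookup}} and the realm value are hypothetical stand-ins.

```java
// Added illustration; every name here is hypothetical, not Hadoop's API.
public class LazyRealmDemo {
    /** Stand-in for the security-enabled flag read from configuration. */
    static volatile boolean securityEnabled = false;

    /** Counts how often the (possibly blocking) realm lookup actually runs. */
    static int lookups = 0;

    /** Stand-in for the JDK Kerberos config lookup that can trigger a DNS query. */
    static String slowRealmLookup() {
        lookups++;
        return "EXAMPLE.COM"; // constructed value
    }

    static final class RealmName {
        // No static initializer: loading this class performs no lookup, so a
        // reference to it from the security check cannot start the DNS query
        // or re-enter a half-initialized caller.
        private static volatile String defaultRealm;

        static String getDefaultRealm() {
            if (!securityEnabled) {
                return ""; // fallback default for non-secure deployments
            }
            String r = defaultRealm;
            if (r == null) {
                synchronized (RealmName.class) {
                    r = defaultRealm;
                    if (r == null) {
                        defaultRealm = r = slowRealmLookup(); // runs at most once
                    }
                }
            }
            return r;
        }
    }

    public static void main(String[] args) {
        System.out.println("non-secure: realm='" + RealmName.getDefaultRealm()
                + "' lookups=" + lookups);
        securityEnabled = true;
        RealmName.getDefaultRealm();
        System.out.println("secure: realm='" + RealmName.getDefaultRealm()
                + "' lookups=" + lookups);
    }
}
```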
