Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 3AB7B18CCC for ; Thu, 20 Aug 2015 19:54:46 +0000 (UTC) Received: (qmail 1240 invoked by uid 500); 20 Aug 2015 19:54:46 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 1197 invoked by uid 500); 20 Aug 2015 19:54:45 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 1175 invoked by uid 99); 20 Aug 2015 19:54:45 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Aug 2015 19:54:45 +0000 Date: Thu, 20 Aug 2015 19:54:45 +0000 (UTC) From: "Benoy Antony (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-12332) UserGroupInformation.reloginFromKeytab() timeout can leave UGI in unusable state MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-12332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14705651#comment-14705651 ] Benoy Antony commented on HADOOP-12332: --------------------------------------- The decision to prevent immediate reLogin is per design . This is especially desirable under error scenarios like heavy load or expred keytab. {code} private boolean hasSufficientTimeElapsed(long now) { if (now - user.getLastLogin() < kerberosMinSecondsBeforeRelogin ) { LOG.warn("Not attempting to re-login since the last re-login was " + "attempted less than " + (kerberosMinSecondsBeforeRelogin/1000) + " seconds before."); return false; } return true; } {code} > UserGroupInformation.reloginFromKeytab() timeout can leave UGI in unusable state > -------------------------------------------------------------------------------- > > Key: HADOOP-12332 > URL: https://issues.apache.org/jira/browse/HADOOP-12332 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.6.0 > Environment: affects all > Reporter: john lilley > Priority: Minor > > UserGroupInformation.reloginFromKeytab() sets the current timestamp before the try: > // register most recent relogin attempt > user.setLastLogin(now); > try { > If a timeout error occurs during user.login() due to heavy system load, this leaves the user logged out and unusable, and because it has updated the timestamp, the caller cannot recover by calling reloginFromKeytab() immediately. > It may be that timeouts should be considered fatal errors in this case, in which I would call it "as designed". -- This message was sent by Atlassian JIRA (v6.3.4#6332)