zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mfenes <...@git.apache.org>
Subject [GitHub] zookeeper pull request #390: ZOOKEEPER-2908: quorum.auth.MiniKdcTest.testKer...
Date Wed, 04 Oct 2017 18:00:01 GMT
GitHub user mfenes opened a pull request:

    https://github.com/apache/zookeeper/pull/390

    ZOOKEEPER-2908: quorum.auth.MiniKdcTest.testKerberosLogin failing wit…

    
    ZOOKEEPER-2908: quorum.auth.MiniKdcTest.testKerberosLogin failing with NPE on Java 9
    
    Cause:
    
    The NPE exception in the MiniKdcTest.testKerberosLogin() unit test is caused by a duplicate
loginContext.logout() call: one logout() call at the end of the test inside the try block
and another logout() call in the finally block. When the test finishes, the first logout()
call removes the kerbClientPrinc KerberosPrincipal in Krb5LoginModule, so when logout() is
called for the second time in the finally block, it tries to remove a null kerbClientPrinc
at Krb5LoginModule.java:1193:
    
    subject.getPrincipals().remove(kerbClientPrinc);
    
    where subject is a javax.security.auth.Subject, 
    getPrincipals() returns Set<Principal> 
    and the Set implementation is a javax.security.auth.Subject.SecureSet.
    
    In Java 9, SecureSet's remove() method has introduced a new requireNonNull check for its
parameter Object o, which fails if someone tries to remove a null from a SecureSet:
    
    Objects.requireNonNull(o,ResourcesMgr.getString(“invalid.null.input.s.”));
    
    Java 8 (and before) did not have this check in the SecureSet.remove() method, and this
is the reason why this NPE appeared in Java 9.
    
    Solution:
    
    The unit test was fixed by adding an additional condition before running the logout()
call in the finally block: logout() is called only if the Set of Principals is not empty i.e.
logout() was not already called inside the try block.
    
    Note: Inside ZK, LoginContext logout() is called only once in the org.apache.zookeeper.Login
reLogin() method, when ZK does a re-login after refreshing the Kerberos tickets.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mfenes/zookeeper ZOOKEEPER-2908

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/390.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #390
    
----
commit fe08ff5cbf50fdba17714c72416ca4e6a9f4e79a
Author: Mark Fenes <mfenes@cloudera.com>
Date:   2017-10-03T20:48:44Z

    ZOOKEEPER-2908: quorum.auth.MiniKdcTest.testKerberosLogin failing with NPE on java 9

----


---

Mime
View raw message