From: Szalay-Bekő Máté
Date: Thu, 16 Jan 2020 16:05:12 +0100
Subject: Re: Zookeeper and curator SASL authentication
To: Arpit Jain
Cc: UserZooKeeper, Damien Diederen, eolivelli@gmail.com

great! :)

On Wed, Jan 15, 2020 at 6:38 PM Arpit Jain wrote:
> I managed to create an ACL with the authenticated client principal using the below
> lines of code in the client:
>
>     curator.create().creatingParentContainersIfNeeded().withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");
>
> ZooDefs.Ids.CREATOR_ALL_ACL gives permissions to the client which is
> authenticated.
>
> To test this, I logged in using zkCli.sh on the ZK server and ran getAcl
> /mynode and was able to browse the znodes and can see that the node has all (CDRWA)
> permission for authenticated users. If I log in with an unauthenticated
> principal, I am not able to see the znodes tree even though I manage to
> connect to the ZK server.
>
> On Wed, Jan 15, 2020 at 12:19 PM Enrico Olivelli - Diennea <enrico.olivelli@diennea.com> wrote:
>
>> Yes, they are system properties
>>
>> You can take this guide (about Kafka) as an example
>>
>> https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html
>>
>> On 15/01/20, 13:17, "Arpit Jain" wrote:
>>
>>     I have not passed those parameters. Is this something I need to set in
>>     Zookeeper (zoo.cfg)?
>>
>>     On Wed, Jan 15, 2020 at 12:12 PM Enrico Olivelli - Diennea <enrico.olivelli@diennea.com> wrote:
>>
>> > Usually with SASL auth you are using:
>> > kerberos.removeHostFromPrincipal=true
>> > kerberos.removeRealmFromPrincipal=true
>> >
>> > is this the case for you?
>> >
>> > Enrico
>> >
>> > On 15/01/20, 13:01, "Arpit Jain" wrote:
>> >
>> >     I have asked in the Curator mailing list as well but not much help. I am able
>> >     to set an ACL with the sasl scheme by using the zkCli.sh client in the Zookeeper server.
>> >     The idea is to use Curator to set the ACLs so that only my client
>> >     application can access its Znodes.
>> >
>> >     On Wed, Jan 15, 2020 at 9:21 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
>> >
>> > > I am not sure what is wrong with the code... I am not familiar with
>> > > Curator. I can try to google / reproduce this and see what is wrong, but it
>> > > will take a while for me. So first I would ask the others, maybe there is
>> > > someone who knows both ZooKeeper SASL and Curator and can help you more in
>> > > this mailing list. If no one replies, then I will try to set up a dummy
>> > > project with Curator to test this.
>> > >
>> > > Did you also ask around the Curator mailing list maybe? Would it help if I
>> > > send you code about setting the ACLs using plain ZooKeeper (and no Curator)?
>> > >
>> > > On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain <jain.arpit6@gmail.com> wrote:
>> > >
>> > >> Thanks for the clarification.
>> > >> I am able to authenticate the client with Zookeeper. However, when I started
>> > >> to set ACLs with the same client, I get error messages.
>> > >> This is how I am creating the curator client for setting ACLs:
>> > >>
>> > >>     CuratorFrameworkFactory.Builder builder =
>> > >>         CuratorFrameworkFactory.builder()
>> > >>             .connectString(coordinatorHosts)
>> > >>             .retryPolicy(retryPolicy)
>> > >>             .connectionTimeoutMs(coordinatorConnectionTimeout)
>> > >>             .sessionTimeoutMs(coordinatorSessionTimeout);
>> > >>
>> > >>     final CuratorFramework curatorFramework =
>> > >>         builder.authorization("sasl", "zkclient/zoo1@EXAMPLE.COM".getBytes())
>> > >>             .aclProvider(new ACLProvider() {
>> > >>                 @Override
>> > >>                 public List<ACL> getDefaultAcl() {
>> > >>                     return ZooDefs.Ids.CREATOR_ALL_ACL;
>> > >>                 }
>> > >>
>> > >>                 @Override
>> > >>                 public List<ACL> getAclForPath(String path) {
>> > >>                     return ZooDefs.Ids.CREATOR_ALL_ACL;
>> > >>                 }
>> > >>             }).build();
>> > >>
>> > >> I see the below logs on the Zookeeper node:
>> > >>
>> > >>     2020-01-14 13:27:53,174 [myid:1] - INFO [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient/zoo1@EXAMPLE.COM; authorizationID=zkclient/zoo1@EXAMPLE.COM.
>> > >>     2020-01-14 13:27:53,175 [myid:1] - INFO [NIOWorkerThread-3:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient/zoo1@EXAMPLE.COM
>> > >>     2020-01-14 13:27:53,175 [myid:1] - INFO [NIOWorkerThread-3:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient/zoo1@EXAMPLE.COM
>> > >>     2020-01-14 13:27:53,182 [myid:1] - INFO [NIOWorkerThread-7:ZooKeeperServer@1095] - got auth packet /172.30.0.6:36658
>> > >>     2020-01-14 13:27:53,183 [myid:1] - WARN [NIOWorkerThread-7:ZooKeeperServer@1123] - Authentication failed for scheme: sasl
>> > >>
>> > >> Is this not the correct way to do it?
>> > >>
>> > >> On Tue, Jan 14, 2020 at 11:52 AM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
>> > >>
>> > >>> The system property name is a bit misleading... this parameter
>> > >>> actually specifies the username used in the ZooKeeper server principal.
>> > >>> (in your case the server principal is: zookeeper/zoo1@EXAMPLE.COM)
>> > >>> AFAIK the ZooKeeper client (after authenticating as zkclient/zoo1@EXAMPLE.COM
>> > >>> in Kerberos based on the jaas.conf file) needs to know
>> > >>> the ZooKeeper server principal in order to ask for a specific token from
>> > >>> kerberos which can be read by the ZooKeeper server.
>> > >>>
>> > >>> In 3.5.5 (or 3.5.6) you can use the zookeeper.sasl.client.username
>> > >>> parameter (plus some other parameters) to configure how the server
>> > >>> principal will be determined by the client.
>> > >>> See:
>> > >>> https://github.com/apache/zookeeper/blob/c11b7e26bc554b8523dc929761dd28808913f091/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L48
>> > >>>
>> > >>> In future releases (3.5.7, 3.6, ...) you can also use
>> > >>> the zookeeper.server.principal parameter (a much better name I think) to
>> > >>> use a fixed server principal name in the client.
>> > >>> See:
>> > >>> https://github.com/apache/zookeeper/blob/1c5d135d74f16275876c024401dc2de92909b20a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L50
>> > >>>
>> > >>> On Mon, Jan 13, 2020 at 6:03 PM Arpit Jain <jain.arpit6@gmail.com> wrote:
>> > >>>
>> > >>>> Does this user name have to be "Zookeeper"
>> > >>>> (-Dzookeeper.sasl.client.username=zookeeper) always?
>> > >>>> And the client principal name is different than this username... Correct
>> > >>>> me if I am wrong?
>> > >>>>
>> > >>>> On Mon, Jan 13, 2020 at 4:58 PM Arpit Jain <jain.arpit6@gmail.com> wrote:
>> > >>>>
>> > >>>>> Thank you so much!
>> > >>>>> It worked finally. I had to change the
>> > >>>>> -Dzookeeper.sasl.client.username=zookeeper parameter.
>> > >>>>>
>> > >>>>> On Mon, Jan 13, 2020 at 4:40 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
>> > >>>>>
>> > >>>>>> You are using 3.5.5 or 3.5.6, right?
>> > >>>>>> I think you need to specify:
>> > >>>>>> -Dzookeeper.sasl.client.username=zookeeper
>> > >>>>>> can you give it a try? If it doesn't work then I can take a deeper
>> > >>>>>> look (also we can enable some debug logging)
>> > >>>>>>
>> > >>>>>> On Mon, Jan 13, 2020 at 5:31 PM Arpit Jain <jain.arpit6@gmail.com> wrote:
>> > >>>>>>
>> > >>>>>>> Hi
>> > >>>>>>>
>> > >>>>>>> I have Kerberos, Zookeeper and my application (using curator)
>> > >>>>>>> running in 3 docker containers with ZK SASL authentication enabled. The ZK
>> > >>>>>>> can login to Kerberos and starts successfully.
>> > >>>>>>>
>> > >>>>>>> The ZK server principal is zookeeper/zoo1@EXAMPLE.COM
>> > >>>>>>> The client principal is: zkclient/zoo1@EXAMPLE.COM
>> > >>>>>>>
>> > >>>>>>> While starting my application, I am seeing a failure while obtaining
>> > >>>>>>> the TGS.
>> > >>>>>>> See the log at the Kerberos side:
>> > >>>>>>>
>> > >>>>>>>     Jan 13 15:22:19 kdc krb5kdc[20](info): AS_REQ (2 etypes {18 17}) 172.30.0.6: NEEDED_PREAUTH: zkclient/zoo1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>> > >>>>>>>     Jan 13 15:22:19 kdc krb5kdc[20](info): AS_REQ (2 etypes {18 17}) 172.30.0.6: ISSUE: authtime 1578928939, etypes {rep=18 tkt=18 ses=18}, zkclient/zoo1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > >>>>>>>     Jan 13 15:22:19 kdc krb5kdc[20](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.0.6: ISSUE: authtime 1578928939, etypes {rep=18 tkt=18 ses=18}, zkclient/zoo1@EXAMPLE.COM for zkclient/zoo1@EXAMPLE.COM
>> > >>>>>>>
>> > >>>>>>> However, if I use zkCli.sh to login to Zookeeper, it
>> > >>>>>>> successfully logs in. See the log on the Kerberos side. See the difference in
>> > >>>>>>> the last line while requesting the TGS.
>> > >>>>>>>
>> > >>>>>>>     Jan 13 15:26:14 kdc krb5kdc[20](info): AS_REQ (2 etypes {18 17}) 172.30.0.3: NEEDED_PREAUTH: zkclient/zoo1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
>> > >>>>>>>     Jan 13 15:26:14 kdc krb5kdc[20](info): AS_REQ (2 etypes {18 17}) 172.30.0.3: ISSUE: authtime 1578929174, etypes {rep=18 tkt=18 ses=18}, zkclient/zoo1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > >>>>>>>     Jan 13 15:26:14 kdc krb5kdc[20](info): TGS_REQ (4 etypes {18 17 16 23}) 172.30.0.3: ISSUE: authtime 1578929174, etypes {rep=18 tkt=18 ses=18}, zkclient/zoo1@EXAMPLE.COM for zookeeper/zoo1@EXAMPLE.COM
>> > >>>>>>>
>> > >>>>>>> The client section in the JAAS config file is the same in both cases but
>> > >>>>>>> the server it is looking for is different in the two cases.
>> > >>>>>>> Could someone suggest why there is a difference?
>> > >>>>>>>
>> > >>>>>>> Thanks
>> > >>>>>>>
>> > >>>>>>> On Mon, Jan 13, 2020 at 4:17 PM Szalay-Bekő Máté <szalay.beko.mate@gmail.com> wrote:
>> > >>>>>>>
>> > >>>>>>>> Also please note that
>> > >>>>>>>> 'Configuration.getConfiguration().refresh()' will reload only the
>> > >>>>>>>> jaas.config.
>> > >>>>>>>> If you also need to reload the kerberos client config, then you can
>> > >>>>>>>> add the "refreshKrb5Config=true" line to your jaas.conf file. This will
>> > >>>>>>>> trigger a reload of the krb.cfg file as well if needed.
>> > >>>>>>>>
>> > >>>>>>>> I am just working on a PR where I had to use both of these:
>> > >>>>>>>> https://github.com/apache/zookeeper/pull/1204/files#diff-0c01d3c68a71c68701d778cc556c8e0a
>> > >>>>>>>>
>> > >>>>>>>> Cheers,
>> > >>>>>>>> Mate
>> > >>>>>>>>
>> > >>>>>>>> On Thu, Jan 9, 2020 at 10:02 PM Damien Diederen <ddiederen@sinenomine.net> wrote:
>> > >>>>>>>>
>> > >>>>>>>>> Hi Enrico,
>> > >>>>>>>>>
>> > >>>>>>>>> > There is a method to force JAAS to reload the system property.
>> > >>>>>>>>> >
>> > >>>>>>>>> > Something like Configuration.getConfiguration().refresh()
>> > >>>>>>>>>
>> > >>>>>>>>> Great to know! Thanks!
>> > >>>>>>>>>
>> > >>>>>>>>> > You have to call that method after changing the system property
>> > >>>>>>>>>
>> > >>>>>>>>> Cheers, -D
>> > >>>>>>>>>
>> > >>>>>>>>> > On Thu, 9 Jan 2020, 20:05 Damien Diederen <ddiederen@sinenomine.net> wrote:
>> > >>>>>>>>> >
>> > >>>>>>>>> >> Hi Arpit, Máté,
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> Arpit wrote:
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> > The solution is to pass the JAAS file
>> > >>>>>>>>> >> > with -Djava.security.auth.login.config=/path/to/jaas.conf.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> Okay—good.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> > Using System.setProperty does not work for me.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> Ah, I see. And I'm not surprised; I think Máté is on the right track:
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> >> I also faced this exception not long ago. I think it is an edge case,
>> > >>>>>>>>> >> >> most probably you have something else, but still... maybe it helps:
>> > >>>>>>>>> >> >>
>> > >>>>>>>>> >> >> I tried to write a unit test which dynamically generated multiple
>> > >>>>>>>>> >> >> jaas.conf files.
>> > >>>>>>>>> >> >> Then I was setting the
>> > >>>>>>>>> >> >> java.security.auth.login.config system property to the config file I needed
>> > >>>>>>>>> >> >> in the given testcase, and when I tried to establish a ZooKeeper connection
>> > >>>>>>>>> >> >> in the unit test, I also got the same exception that you got.
>> > >>>>>>>>> >> >>
>> > >>>>>>>>> >> >> The problem was that the security configuration file I referred to in the
>> > >>>>>>>>> >> >> java.security.auth.login.config system property was read only once,
>> > >>>>>>>>> >> >> then stored in memory. And it didn't get reloaded, even if the file (or
>> > >>>>>>>>> >> >> its path in the system property) changed.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> My understanding is that the property is read very early after "VM boot"
>> > >>>>>>>>> >> (the first time any class tries to access the java.security.Provider):
>> > >>>>>>>>> >> the resource it points to is parsed at that point, and the property
>> > >>>>>>>>> >> "never" checked again.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> (It *may* be possible to flush the "Spi" or something, but it's clearly
>> > >>>>>>>>> >> not the kind of usage it was designed for.)
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> >> Maybe the best in this case is to
>> > >>>>>>>>> >> >> specify separate JAAS config sections for each test and use a single
>> > >>>>>>>>> >> >> JAAS.conf file per JVM.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> That's probably the easiest if the set is enumerable.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> "Real dynamism" might require overriding the "Spi" or "Provider," but
>> > >>>>>>>>> >> that's probably overkill for a few tests.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> (Now that I think of it… our tests are already run under the JMockit
>> > >>>>>>>>> >> agent, so live-patching JAAS methods using mockit.MockUp might be
>> > >>>>>>>>> >> another option :)
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> Anyway. It looks like setting the property externally worked for Arpit.
>> > >>>>>>>>> >>
>> > >>>>>>>>> >> Cheers, -D
>> > >>>>>>>>>
>> > >>>>>>>>
>> >
>> > ________________________________
>> >
>> > CONFIDENTIALITY & PRIVACY NOTICE
>> > This e-mail (including any attachments) is strictly confidential and may
>> > also contain privileged information. If you are not the intended recipient
>> > you are not authorised to read, print, save, process or disclose this
>> > message. If you have received this message by mistake, please inform the
>> > sender immediately and destroy this e-mail, its attachments and any copies.
>> > Any use, distribution, reproduction or disclosure by any person other than
>> > the intended recipient is strictly prohibited and the person responsible
>> > may incur in penalties.
>> > The use of this e-mail is only for professional purposes; there is no
>> > guarantee that the correspondence towards this e-mail will be read only by
>> > the recipient, because, under certain circumstances, there may be a need to
>> > access this email by third subjects belonging to the Company.
>> >
>>
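Added example, not code from the thread or from the ZooKeeper/Curator projects: a Curator client that, like the version Arpit ended up with, leaves the Kerberos/SASL handshake to the JAAS "Client" login context and does not call `authorization("sasl", ...)` (the attempt that produced "Authentication failed for scheme: sasl" in the server log). It creates a znode with `ZooDefs.Ids.CREATOR_ALL_ACL`, reads the ACL back, and checks that the only entry is the `sasl` id of the authenticated principal with full (cdrwa) permission, so a connection that did not authenticate cannot read or change the subtree. The connect string, keytab path, jaas.conf contents and the `pointJaasAt` helper (Enrico's refresh tip, with Damien's caveat) are assumptions; the JVM flags in the comments are the ones discussed above.

```java
// Added example; not code from the thread or from the ZooKeeper/Curator projects.
// Assumed JVM flags (from the discussion above; paths are placeholders):
//   -Djava.security.auth.login.config=/path/to/jaas.conf
//   -Dzookeeper.sasl.client.username=zookeeper               (3.5.5 / 3.5.6)
//   -Dzookeeper.server.principal=zookeeper/zoo1@EXAMPLE.COM  (3.5.7+ alternative)
//
// Assumed /path/to/jaas.conf ("Client" is the section the ZooKeeper client logs in with):
//   Client {
//     com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true
//     keyTab="/path/to/zkclient.keytab"
//     storeKey=true
//     useTicketCache=false
//     refreshKrb5Config=true
//     principal="zkclient/zoo1@EXAMPLE.COM";
//   };
import java.util.List;
import javax.security.auth.login.Configuration;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class SaslOwnerOnlyAclExample {

    // Every znode this client creates is owned by the authenticated SASL principal only.
    private static final ACLProvider CREATOR_ONLY = new ACLProvider() {
        @Override
        public List<ACL> getDefaultAcl() {
            return ZooDefs.Ids.CREATOR_ALL_ACL;
        }

        @Override
        public List<ACL> getAclForPath(String path) {
            return ZooDefs.Ids.CREATOR_ALL_ACL;
        }
    };

    public static CuratorFramework buildClient(String connectString) {
        // No authorization("sasl", ...) here: the Kerberos exchange is driven by the
        // JAAS "Client" login context, and the server attaches the sasl id itself
        // ("adding SASL authorization for authorizationID" in the server log).
        return CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .sessionTimeoutMs(30_000)
                .connectionTimeoutMs(10_000)
                .aclProvider(CREATOR_ONLY)
                .build();
    }

    // True when the ACL grants full permission to exactly one sasl id, the expected one.
    public static boolean isOwnerOnly(List<ACL> acls, String expectedPrincipal) {
        if (acls == null || acls.size() != 1) {
            return false;
        }
        ACL acl = acls.get(0);
        return "sasl".equals(acl.getId().getScheme())
                && expectedPrincipal.equals(acl.getId().getId())
                && acl.getPerms() == ZooDefs.Perms.ALL;
    }

    // Enrico's tip with Damien's caveat: refresh() re-reads the JAAS file, but the
    // property itself is consulted when the configuration is first loaded, so set it
    // before any login happens. refreshKrb5Config=true in jaas.conf is what makes the
    // Krb5LoginModule re-read krb5.conf as well.
    public static void pointJaasAt(String jaasPath) {
        System.setProperty("java.security.auth.login.config", jaasPath);
        Configuration.getConfiguration().refresh();
    }

    public static void main(String[] args) throws Exception {
        String connectString = args.length > 0 ? args[0] : "zoo1:2181";  // assumption
        String principal = "zkclient/zoo1@EXAMPLE.COM";                    // from the thread
        try (CuratorFramework client = buildClient(connectString)) {
            client.start();
            client.blockUntilConnected();
            client.create()
                  .creatingParentContainersIfNeeded()
                  .withACL(ZooDefs.Ids.CREATOR_ALL_ACL)
                  .forPath("/mynode", "owner-only data".getBytes());
            List<ACL> acls = client.getACL().forPath("/mynode");
            // Expected ACL: sasl:zkclient/zoo1@EXAMPLE.COM:cdrwa. An unauthenticated
            // zkCli.sh session then gets NoAuthException on this subtree, which is
            // the check Arpit did by hand.
            System.out.println("owner-only ACL: " + isOwnerOnly(acls, principal) + " " + acls);
        }
    }
}
```

Run it as `java -Djava.security.auth.login.config=/path/to/jaas.conf -Dzookeeper.sasl.client.username=zookeeper SaslOwnerOnlyAclExample zoo1:2181`. `isOwnerOnly` is the post-condition worth asserting in a deployment check: if it returns false, either the client was not SASL-authenticated when the node was created (the ACL then falls back to whatever the server assigned) or some other id slipped into the list.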