Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2013/08/20 19:38:52 UTC

[jira] [Commented] (HADOOP-9888) KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.

    [ https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177 ] 

Chris Nauroth commented on HADOOP-9888:
---------------------------------------

So far, we've only seen the DNS timeout happen in Windows VMs running in Azure with Oracle JDK 7.  As a workaround, we created a file named krb5.ini in \Windows with the following contents:

{code}
[libdefaults]
     default_realm = FOO.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
{code}

I propose that if security is not enabled, we skip getting the default realm and just fall back to a default.  We'll need to verify that {{KerberosName#defaultRealm}} is only used in code paths where security is enabled.

One tricky aspect is that {{KerberosName}} can be referenced from {{UserGroupInformation#isSecurityEnabled}}, so the static initialization block might run before initialization of {{UserGroupInformation}} has completed.  We might need to start with something similar to the HADOOP-6913 patch for 0.22 to break this circular initialization.
                
> KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
> --------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-9888
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9888
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.0.0, 2.1.1-beta
>            Reporter: Chris Nauroth
>
> {{KerberosName}} has a static initialization block that looks up the default realm.  Running with Oracle JDK7, this code path triggers a DNS query.  In some environments, we've seen this DNS query block and time out after 30 seconds.  This is part of static initialization, and the class is referenced from {{UserGroupInformation#initialize}}, so every daemon and every shell command experiences this delay.  This occurs even for non-secure deployments, which don't need the default realm.

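
A sketch of the proposal in the comment above, as an added example that is not part of the original message and is not Hadoop's code: the realm lookup moves out of static initialization into a first-use accessor that returns a fallback when security is disabled. All names (LazyRealmDemo, DefaultRealm, slowRealmLookup), the empty-string fallback and the EXAMPLE.COM realm are assumptions; the lookup is a constructed stand-in that makes no DNS query.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

/** Hypothetical sketch; none of these names are Hadoop's. */
public class LazyRealmDemo {
    /** Counts calls to the stand-in lookup (the slow, DNS-touching step). */
    static final AtomicInteger lookups = new AtomicInteger();

    /** Constructed stand-in for the JDK default-realm lookup. */
    static String slowRealmLookup() {
        lookups.incrementAndGet();
        return "EXAMPLE.COM";
    }

    /** Resolves the default realm on first use, and only when security is on. */
    static final class DefaultRealm {
        private final boolean securityEnabled;
        private final Supplier<String> lookup;
        private volatile String realm;   // null until resolved

        DefaultRealm(boolean securityEnabled, Supplier<String> lookup) {
            this.securityEnabled = securityEnabled;
            this.lookup = lookup;
        }

        String get() {
            if (!securityEnabled) {
                return "";               // assumed fallback default, no lookup
            }
            String r = realm;
            if (r == null) {
                synchronized (this) {    // resolve at most once across threads
                    if (realm == null) {
                        realm = lookup.get();
                    }
                    r = realm;
                }
            }
            return r;
        }
    }

    public static void main(String[] args) {
        DefaultRealm simple = new DefaultRealm(false, LazyRealmDemo::slowRealmLookup);
        DefaultRealm kerberos = new DefaultRealm(true, LazyRealmDemo::slowRealmLookup);
        System.out.println("constructed, lookups=" + lookups.get());
        System.out.println("simple realm='" + simple.get() + "', lookups=" + lookups.get());
        kerberos.get();                  // first use triggers the lookup
        System.out.println("kerberos realm=" + kerberos.get() + ", lookups=" + lookups.get());
    }
}
```

Passing the security flag into the accessor, rather than reading it from a static block, keeps class initialization free of any call back into the class that decides whether security is enabled.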