Posted to common-issues@hadoop.apache.org by "Chris Nauroth (JIRA)" <ji...@apache.org> on 2013/08/20 19:38:52 UTC
[jira] [Commented] (HADOOP-9888) KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
[ https://issues.apache.org/jira/browse/HADOOP-9888?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13745177#comment-13745177 ]
Chris Nauroth commented on HADOOP-9888:
---------------------------------------
So far, we've only seen the DNS timeout happen in Windows VMs running in Azure with Oracle JDK 7. As a workaround, we created a file named krb5.ini in \Windows with the following contents:
{code}
[libdefaults]
default_realm = FOO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
{code}
I propose that if security is not enabled, we skip getting the default realm and just fall back to a default. We'll need to verify that {{KerberosName#defaultRealm}} is only used in code paths where security is enabled.
One tricky aspect is that {{KerberosName}} can be referenced from {{UserGroupInformation#isSecurityEnabled}}, so the static initialization block might run before initialization of {{UserGroupInformation}} has completed. We might need to start with something similar to the HADOOP-6913 patch for 0.22 to break this circular initialization.
> KerberosName static initialization gets default realm, which is unneeded in non-secure deployment.
> --------------------------------------------------------------------------------------------------
>
> Key: HADOOP-9888
> URL: https://issues.apache.org/jira/browse/HADOOP-9888
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 3.0.0, 2.1.1-beta
> Reporter: Chris Nauroth
>
> {{KerberosName}} has a static initialization block that looks up the default realm. Running with Oracle JDK7, this code path triggers a DNS query. In some environments, we've seen this DNS query block and time out after 30 seconds. This is part of static initialization, and the class is referenced from {{UserGroupInformation#initialize}}, so every daemon and every shell command experiences this delay. This occurs even for non-secure deployments, which don't need the default realm.
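The proposal in the comment above, skipping the default realm lookup when security is not enabled, sketched as an added Java example that is not Hadoop's code or the HADOOP-9888 patch. All class and method names are hypothetical, the sleep stands in for the blocking DNS query, and the empty-string fallback and the caller-supplied security flag are assumptions.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration: every name here is hypothetical, none is Hadoop's code.
public class LazyRealmDemo {
    static final AtomicInteger LOOKUPS = new AtomicInteger();

    // Stand-in for the default-realm lookup; the sleep models a blocking DNS query.
    static String lookupDefaultRealm() {
        LOOKUPS.incrementAndGet();
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        return "EXAMPLE.COM"; // constructed realm
    }

    // Eager form: the lookup runs in static initialization on first use of the class.
    static class EagerName {
        static final String DEFAULT_REALM = lookupDefaultRealm();
        static String shortName(String principal) { return principal.split("[/@]")[0]; }
    }

    // Lazy form: the lookup lives in a holder class the JVM initializes on first access.
    static class LazyName {
        private static class RealmHolder {
            static final String REALM = lookupDefaultRealm();
        }
        // The caller passes the security flag, so this class never calls back into
        // a configuration class that may still be initializing.
        static String defaultRealm(boolean securityEnabled) {
            return securityEnabled ? RealmHolder.REALM : ""; // "" is an assumed fallback
        }
        static String shortName(String principal) { return principal.split("[/@]")[0]; }
    }

    // Runs one step and prints the cumulative lookup count and the step's duration.
    static void timed(String label, Runnable step) {
        long t = System.nanoTime();
        step.run();
        System.out.println(label + ": lookups=" + LOOKUPS.get() + ", ms=" + (System.nanoTime() - t) / 1_000_000);
    }

    public static void main(String[] args) {
        timed("lazy, security disabled", () -> LazyName.defaultRealm(false));
        timed("lazy, security enabled", () -> LazyName.defaultRealm(true));
        timed("eager, realm never read", () -> EagerName.shortName("hdfs/host1@EXAMPLE.COM"));
    }
}
```

The lookup counter is cumulative across the three steps, so the eager case shows a lookup being paid for even though only `shortName` was called.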