You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Bharat Viswanadham (JIRA)" <ji...@apache.org> on 2017/12/01 04:51:00 UTC

[jira] [Commented] (HADOOP-9747) Reduce unnecessary UGI synchronization

    [ https://issues.apache.org/jira/browse/HADOOP-9747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16273938#comment-16273938 ] 

Bharat Viswanadham commented on HADOOP-9747:
--------------------------------------------

Hi [~daryn]
Thanks for a great patch, this really simplifies UGI code. I have a few comments.
1. System.setProperty(KRB5CCNAME) is not being set, previously this is being set in the case of IBM_JAVA

2. getLoginUser is no longer Synchronized. If multiple threads call this in parallel, multiple loginUser ugi’s will be created and they could potentially spin up a new thread in spawnAutoRenewalThreadForUserCreds. I would suggest to synchronize it for the case when loginUser is null.

3. In loginUserFromSubject method, when subject passed is null the same situation will occur, it could spin multiple threads for renewal. Probably, we don’t need to support null subject in this API, because null subject use case is already handled by getLoginUser.

4. As you have noted in the comments that getKeyTabEntry is not very reliable for external subjects. I was wondering whether we really need it. Can we get away by saying that it’s user’s responsibility to renew external subjects?

5. Following 3 methods perform login and update the static loginUser. It might make sense to add documentation that these update the global loginUser.
getLoginUser, loginUserFromSubject and loginUserFromKeytab
 
*Minor Nits*
·         getSubjectLoginLock, does not actually getLock, can we change this method name getSubectPrivateCredentials.
·         In hasKerberosCredential, it might make sense to return false for null user, otherwise we will get an NPE.
·         Can we add assert hasSubjectLoginLock() in getTgt()?
·         In unprotectedLoginUserFromSubject we should change the local variable name instead of overloading loginUser, only for better readability.
 
Thank You [~xyao] [~jnp] for cumulative review on the patch.

> Reduce unnecessary UGI synchronization
> --------------------------------------
>
>                 Key: HADOOP-9747
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9747
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-9747-trunk.01.patch, HADOOP-9747.2.branch-2.patch, HADOOP-9747.2.trunk.patch, HADOOP-9747.branch-2.patch, HADOOP-9747.trunk.patch
>
>
> Jstacks of heavily loaded NNs show up to dozens of threads blocking in the UGI.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org