You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Andrew Olson (JIRA)" <ji...@apache.org> on 2017/02/22 13:07:44 UTC

[jira] [Comment Edited] (KAFKA-3866) KerberosLogin refresh time bug and other improvements

    [ https://issues.apache.org/jira/browse/KAFKA-3866?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15878152#comment-15878152 ] 

Andrew Olson edited comment on KAFKA-3866 at 2/22/17 1:06 PM:
--------------------------------------------------------------

We saw the following error when setting a very low expiration time (-maxlife "30 seconds" and -maxrenewlife "90 seconds"),

{noformat}ERROR NextRefresh: Tue Feb 21 12:42:59 CST 2017 is in the past: exiting refresh
thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). 
Manual intervention will be required for this client to successfully authenticate. Exiting refresh 
thread. (org.apache.kafka.common.security.kerberos.KerberosLogin){noformat}

Would this change fix that scenario?


was (Author: noslowerdna):
We saw the following error when setting a very low expiration time (-maxlife "30 seconds" and -maxrenewlife "90 seconds"),

{noformat}ERROR NextRefresh: Tue Feb 21 12:42:59 CST 2017 is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. Exiting refresh thread. (org.apache.kafka.common.security.kerberos.KerberosLogin){noformat}

Would this change fix that scenario?

> KerberosLogin refresh time bug and other improvements
> -----------------------------------------------------
>
>                 Key: KAFKA-3866
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3866
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.0.0
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>
> ZOOKEEPER-2295 describes a bug in the Kerberos refresh time logic that is also present in our KerberosLogin class. While looking at the code, I found a number of things that could be improved. More details in the PR.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)