You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2017/02/13 20:59:42 UTC

[jira] [Updated] (HADOOP-9749) Remove synchronization for UGI.getCurrentUser

     [ https://issues.apache.org/jira/browse/HADOOP-9749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-9749:
--------------------------------
    Attachment: HADOOP-9749.branch-2.patch
                HADOOP-9749.trunk.patch

Latest versions of age old internal patches to avoid ugi synchronization issues that cause unnecessary contention and corruption of private credentials during relogin.

The synchronization model for the ugi is fundamentally flawed.  Instance level synchronization is meaningless due to many-to-1 relationship of ugi to subject.  Class level synchronization only applies to other ugi methods, not to authenticators (ex. gssapi or spnego) which also modify the private creds.

The current class synchronization is primarily intended to guard getCurrentUser/getLoginUser against a relogin.  The creates a contention point for common case usage, which doesn’t guard against authenticator modifications.

The comprehensive solution is removing class and instance synchronization, replacing with authenticator friendly synchronization on the underlying Subject’s private credentials during:
# Instantiation of a new ugi to guard the checks for keytab and ticket.
# Entire relogin (logout/login) to avoid inconsistencies or corruption by authenticators.

There’s one wrinkle as detailed by another subtask.  The hadoop login conf relies on class statics for keytab and principal.  Until removed, this requires all login-related methods related to synchronize on a global login lock before synchronizing on the Subject’s private credentials.  Effectively this replaces the class level synchronization previously used to protect these fields, enabling getCurrentUser to become concurrent.


> Remove synchronization for UGI.getCurrentUser
> ---------------------------------------------
>
>                 Key: HADOOP-9749
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9749
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-9749.branch-2.patch, HADOOP-9749.trunk.patch
>
>
> HADOOP-7854 added synchronization to {{getCurrentUser}} due to {{ConcurrentModificationExceptions}}.  This degrades NN call handler performance.
> The problem was not well understood at the time, but it's caused by a collision between relogin and {{getCurrentUser}} due to a bug in {{Krb5LoginModule}}.  Avoiding the collision will allow removal of the synchronization.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org