You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Enrico Olivelli (Jira)" <ji...@apache.org> on 2022/03/01 16:15:00 UTC
[jira] [Updated] (ZOOKEEPER-4477) Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Enrico Olivelli updated ZOOKEEPER-4477:
---------------------------------------
Fix Version/s: 3.9.0
> Single Kerberos ticket renewal failure can prevent all future renewals since Java 9
> -----------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4477
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4477
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos
> Affects Versions: 3.5.9, 3.6.3, 3.7.0
> Reporter: Vincent Grivel
> Assignee: Mate Szalay-Beko
> Priority: Minor
> Labels: pull-request-available
> Fix For: 3.5.10, 3.7.1, 3.6.4, 3.9.0, 3.8.1
>
> Time Spent: 4h 20m
> Remaining Estimate: 0h
>
> Zookeeper refresh thread for Kerberos have the same problem in the reLogin() [https://github.com/apache/zookeeper/blob/release-3.5.5/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L413] function as describe in https://issues.apache.org/jira/browse/KAFKA-12730
> {quote}The refresh thread for Kerberos performs re-login by logging out and then logging in again. If login fails, we retry after a backoff. Every iteration of the loop performs loginContext.logout() and loginContext.login(). If login fails, we end up with two consecutive logouts. This used to work, but from Java 9 onwards, this results in a NullPointerException due to [https://bugs.openjdk.java.net/browse/JDK-8173069]. We should check if logout is required before attempting logout.
> {quote}
>
> A NPE is throw if multiple logout() is invoke multiple times:
> {code:java}
> 2022-02-14 18:38:11,899 ERROR org.apache.zookeeper.Login: Failed to refresh TGT: refresh thread exiting now.
> javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input(s)
> at java.base/java.util.Objects.requireNonNull(Objects.java:246)
> at java.base/javax.security.auth.Subject$SecureSet.remove(Subject.java:1172)
> at java.base/java.util.Collections$SynchronizedCollection.remove(Collections.java:2043)
> at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.logout(Krb5LoginModule.java:1202)
> at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:732)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
> at org.apache.zookeeper.Login.reLogin(Login.java:413)
> at org.apache.zookeeper.Login.access$500(Login.java:49)
> at org.apache.zookeeper.Login$1.run(Login.java:240)
> at java.base/java.lang.Thread.run(Thread.java:834)
> at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
> at org.apache.zookeeper.Login.reLogin(Login.java:413)
> at org.apache.zookeeper.Login.access$500(Login.java:49)
> at org.apache.zookeeper.Login$1.run(Login.java:240)
> at java.base/java.lang.Thread.run(Thread.java:834) {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)