You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by GitBox <gi...@apache.org> on 2022/12/20 18:39:22 UTC

[GitHub] [hadoop] cnauroth commented on a diff in pull request #5248: HADOOP-18581 : Handle Server KDC re-login when Server and Client run …

cnauroth commented on code in PR #5248:
URL: https://github.com/apache/hadoop/pull/5248#discussion_r1053628775


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/ipc/Server.java:
##########
@@ -2206,7 +2206,25 @@ private void saslProcess(RpcSaslProto saslMessage)
           AUDITLOG.warn(AUTH_FAILED_FOR + this.toString() + ":"
               + attemptingUser + " (" + e.getLocalizedMessage()
               + ") with true cause: (" + tce.getLocalizedMessage() + ")");
-          throw tce;
+          if (!UserGroupInformation.getLoginUser().isLoginSuccess()) {
+            LOG.info("Initiating re-login from IPC Server");
+            if (UserGroupInformation.isLoginKeytabBased()) {
+              UserGroupInformation.getLoginUser().reloginFromKeytab();

Review Comment:
   If I trace through the chain of these re-login methods, they end up passing `false` for `ignoreLastLoginTime`. They'll skip the re-login and early exit if insufficient time (default 60 seconds) has elapsed since last login. Would that still leave a server potentially in a bad state for up to 60 seconds?



##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java:
##########
@@ -529,6 +529,13 @@ private void setLogin(LoginContext login) {
     user.setLogin(login);
   }
 
+  /** This method is only helpful for HadoopLoginContext*/

Review Comment:
   There is a minor checkstyle warning here asking for a period at the end of the sentence.
   
   However, perhaps consider expanding a bit. `HadoopLoginContext` is a private inner class, so probably best not to discuss it in a public Javadoc. You could discuss how this method checks for a successful Kerberos login, or defaults to `true` if not using Kerberos.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org