Posted to dev@directory.apache.org by "lujie (Jira)" <ji...@apache.org> on 2023/06/30 09:17:00 UTC
[jira] [Updated] (DIRKRB-767) data race when multi KrbClients visit KdcServer
[ https://issues.apache.org/jira/browse/DIRKRB-767?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
lujie updated DIRKRB-767:
-------------------------
Description:
When KDCServer starts, it runs a thread that checks for incoming client requests in the
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run() method.
*server test code:*
{code:java}
// server test code
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
public class TestServer2 {
/**
 * Starts a throwaway KDC used to reproduce the report: sets the host, realm and
 * TCP/UDP ports, initialises the server, creates two principals and starts it.
 *
 * @param args unused
 * @throws KrbException declared by the method; which of the calls below raise it
 *         is not visible in this listing
 */
public static void main(String[] args) throws KrbException {
SimpleKdcServer simpleKdcServer = new SimpleKdcServer();
// 0.0.0.0 is the wildcard address, so the test KDC is presumably reachable on
// every interface of the host it runs on, not only loopback.
simpleKdcServer.setKdcHost("0.0.0.0");
simpleKdcServer.setKdcRealm("service.ws.apache.org");
simpleKdcServer.setKdcTcpPort(12345);
simpleKdcServer.setAllowUdp(true);
simpleKdcServer.setKdcUdpPort(12346);
simpleKdcServer.init();
// Create the two principals the client listing requests tickets for.
String alice = "alice@service.ws.apache.org";
String bob = "bob/service.ws.apache.org@service.ws.apache.org";
// The second argument is presumably the password (the client passes "alice" to
// requestTgt); both are test-only values identical to the principal's short name.
simpleKdcServer.createPrincipal(alice, "alice");
simpleKdcServer.createPrincipal(bob,"bob");
simpleKdcServer.start();
}
} {code}
*client test Code*
{code:java}
// client test Code
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
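/**
 * Reproducer client: starts ten threads that each build their own KrbClient and
 * request a TGT for alice followed by a service ticket for bob, so that the KDC
 * receives overlapping requests.
 */
public class TestClient3 {
    /**
     * Launches the ten client threads and returns without joining them.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        for (int i = 0; i < 10; i++) {
            System.out.println(i);
            new Thread(() -> {
                try {
                    KrbClient client = new KrbClient();
                    // NOTE(review): 0.0.0.0 is a wildcard bind address; whether it works as a
                    // connect target depends on the platform. Confirm against the test host.
                    client.setKdcHost("0.0.0.0");
                    client.setKdcTcpPort(12345);
                    client.setKdcUdpPort(12346);
                    // NOTE(review): the server listing in this report configures realm
                    // service.ws.apache.org, while this client sets TEST2.COM. Confirm intended.
                    client.setKdcRealm("TEST2.COM");
                    client.init();
                    TgtTicket tgt = client.requestTgt("alice@service.ws.apache.org", "alice");
                    client.requestSgt(tgt, "bob/service.ws.apache.org@service.ws.apache.org");
                } catch (KrbException e) {
                    // Report the failure instead of swallowing it: a reproducer whose requests
                    // all fail would otherwise look identical to one that succeeded.
                    System.err.println(Thread.currentThread().getName() + " request failed: " + e);
                }
            }).start();
        }
    }
}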
{code}
*method : org.apache.kerby.kerberos.kerb.server.preauth.pkinit.PkinitPreauth.initWith(KdcContext kdcContext)*
*I inserted two System.out.println() lines and one Thread.sleep(new Random().nextInt(10)) line around the pkinitContexts.put() call.*
{code:java}
// Instrumentation added for the report: logs the calling thread's name, the
// identity hash of pkinitContexts and the wall-clock time (ms) before the write.
System.out.println("start::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());
// Random pause of 0-9 ms between the "start" log and the put(), which widens the
// window in which several threads sit between the two log lines at once.
try {
Thread.sleep(new Random().nextInt(10));
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
// The shared write under discussion: the context is stored under the realm key,
// with no lock visible in this excerpt.
// NOTE(review): the declaration of pkinitContexts is not shown here. If it is a
// non-concurrent map such as HashMap, overlapping put() calls are unsafe; confirm
// the type before judging the impact.
pkinitContexts.put(kdcContext.getKdcRealm(), tmp);
System.out.println("end::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());{code}
After running the server and the client, we get output like the following (partial):
{panel}
start::pool-1-thread-6 357333366 1688116403609
start::pool-1-thread-4 357333366 1688116403609
end::pool-1-thread-6 357333366 1688116403610
start::pool-1-thread-1 357333366 1688116403609
start::pool-1-thread-9 357333366 1688116403609
start::pool-1-thread-2 357333366 1688116403609
start::pool-1-thread-7 357333366 1688116403609
start::pool-1-thread-5 357333366 1688116403609
start::pool-1-thread-3 357333366 1688116403609
start::pool-1-thread-10 357333366 1688116403609
start::pool-1-thread-8 357333366 1688116403609
end::pool-1-thread-5 357333366 1688116403613
end::pool-1-thread-2 357333366 1688116403613
end::pool-1-thread-4 357333366 1688116403614
end::pool-1-thread-1 357333366 1688116403614
end::pool-1-thread-7 357333366 1688116403617
end::pool-1-thread-10 357333366 1688116403617
end::pool-1-thread-3 357333366 1688116403617
end::pool-1-thread-9 357333366 1688116403619
end::pool-1-thread-8 357333366 1688116403619
start::pool-1-thread-10 357333366 1688116403715
start::pool-1-thread-6 357333366 1688116403716
start::pool-1-thread-2 357333366 1688116403716
start::pool-1-thread-4 357333366 1688116403715
start::pool-1-thread-8 357333366 1688116403715
start::pool-1-thread-3 357333366 1688116403716
start::pool-1-thread-9 357333366 1688116403715
start::pool-1-thread-1 357333366 1688116403715
start::pool-1-thread-5 357333366 1688116403715
end::pool-1-thread-5 357333366 1688116403716
start::pool-1-thread-7 357333366 1688116403716
end::pool-1-thread-10 357333366 1688116403719
end::pool-1-thread-2 357333366 1688116403719
end::pool-1-thread-6 357333366 1688116403719
end::pool-1-thread-1 357333366 1688116403721
end::pool-1-thread-7 357333366 1688116403721
end::pool-1-thread-8 357333366 1688116403724
end::pool-1-thread-4 357333366 1688116403726
end::pool-1-thread-3 357333366 1688116403726
end::pool-1-thread-9 357333366 1688116403726{panel}
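Different threads access the pkinitContexts object without any lock, which causes a data race. The identical identity hash on every line shows that all threads share one pkinitContexts instance, and the interleaved start/end lines show that their put() calls overlap in time.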
was:
When KDCServer starts, it runs a thread that checks for incoming client requests in the
org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run() method.
*server test code:*
{code:java}
// server test code
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
public class TestServer2 {
/**
 * Starts a throwaway KDC used to reproduce the report: sets the host, realm and
 * TCP/UDP ports, initialises the server, creates two principals and starts it.
 *
 * @param args unused
 * @throws KrbException declared by the method; which of the calls below raise it
 *         is not visible in this listing
 */
public static void main(String[] args) throws KrbException {
SimpleKdcServer simpleKdcServer = new SimpleKdcServer();
// 0.0.0.0 is the wildcard address, so the test KDC is presumably reachable on
// every interface of the host it runs on, not only loopback.
simpleKdcServer.setKdcHost("0.0.0.0");
simpleKdcServer.setKdcRealm("service.ws.apache.org");
simpleKdcServer.setKdcTcpPort(12345);
simpleKdcServer.setAllowUdp(true);
simpleKdcServer.setKdcUdpPort(12346);
simpleKdcServer.init();
// Create the two principals the client listing requests tickets for.
String alice = "alice@service.ws.apache.org";
String bob = "bob/service.ws.apache.org@service.ws.apache.org";
// The second argument is presumably the password (the client passes "alice" to
// requestTgt); both are test-only values identical to the principal's short name.
simpleKdcServer.createPrincipal(alice, "alice");
simpleKdcServer.createPrincipal(bob,"bob");
simpleKdcServer.start();
}
} {code}
*client test Code*
{code:java}
// client test Code
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
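/**
 * Reproducer client: starts ten threads that each build their own KrbClient and
 * request a TGT for alice followed by a service ticket for bob, so that the KDC
 * receives overlapping requests.
 */
public class TestClient3 {
    /**
     * Launches the ten client threads and returns without joining them.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        for (int i = 0; i < 10; i++) {
            System.out.println(i);
            new Thread(() -> {
                try {
                    KrbClient client = new KrbClient();
                    // NOTE(review): 0.0.0.0 is a wildcard bind address; whether it works as a
                    // connect target depends on the platform. Confirm against the test host.
                    client.setKdcHost("0.0.0.0");
                    client.setKdcTcpPort(12345);
                    client.setKdcUdpPort(12346);
                    // NOTE(review): the server listing in this report configures realm
                    // service.ws.apache.org, while this client sets TEST2.COM. Confirm intended.
                    client.setKdcRealm("TEST2.COM");
                    client.init();
                    TgtTicket tgt = client.requestTgt("alice@service.ws.apache.org", "alice");
                    client.requestSgt(tgt, "bob/service.ws.apache.org@service.ws.apache.org");
                } catch (KrbException e) {
                    // Report the failure instead of swallowing it: a reproducer whose requests
                    // all fail would otherwise look identical to one that succeeded.
                    System.err.println(Thread.currentThread().getName() + " request failed: " + e);
                }
            }).start();
        }
    }
}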
{code}
*method : org.apache.kerby.kerberos.kerb.server.preauth.pkinit.PkinitPreauth.initWith(KdcContext kdcContext)*
*I inserted two lines of code: "System.out.println("start::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());" and "System.out.println("end::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());"*
{code:java}
// code placeholder
public void initWith(KdcContext kdcContext) {
// Run the parent class's initialisation first.
super.initWith(kdcContext);
// Build a fresh context for this call, holding the realm and the PKINIT identity
// read from the KDC configuration.
PkinitKdcContext tmp = new PkinitKdcContext();
tmp.realm = kdcContext.getKdcRealm();
String pkinitIdentity = kdcContext.getConfig().getPkinitIdentity();
tmp.identityOpts.setIdentity(pkinitIdentity);
// Instrumentation added for the report: thread name, identity hash of
// pkinitContexts and wall-clock time (ms) before the write.
System.out.println("start::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());
// The shared write under discussion, with no lock visible in this method.
// NOTE(review): the declaration of pkinitContexts is not shown here. If it is a
// non-concurrent map such as HashMap, overlapping put() calls are unsafe; confirm
// the type before judging the impact.
pkinitContexts.put(kdcContext.getKdcRealm(), tmp);
// Instrumentation: same fields as the "start" line, logged after the write.
System.out.println("end::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());
} {code}
After running the server and the client, we get output like the following (partial):
{panel}
start::pool-1-thread-7 434495522 1688115500240
start::pool-1-thread-1 434495522 1688115500240
start::pool-1-thread-10 434495522 1688115500240
start::pool-1-thread-4 434495522 1688115500240
start::pool-1-thread-6 434495522 1688115500240
start::pool-1-thread-2 434495522 1688115500240
start::pool-1-thread-5 434495522 1688115500240
start::pool-1-thread-3 434495522 1688115500240
start::pool-1-thread-9 434495522 1688115500240
end::pool-1-thread-9 434495522 1688115500240
start::pool-1-thread-8 434495522 1688115500240
end::pool-1-thread-3 434495522 1688115500240
end::pool-1-thread-5 434495522 1688115500240
end::pool-1-thread-2 434495522 1688115500240
end::pool-1-thread-6 434495522 1688115500240
end::pool-1-thread-4 434495522 1688115500240
end::pool-1-thread-10 434495522 1688115500240
end::pool-1-thread-1 434495522 1688115500240
end::pool-1-thread-7 434495522 1688115500240
end::pool-1-thread-8 434495522 1688115500240
....
{panel}
Different threads access the pkinitContexts object without any lock, which causes a data race.
> data race when multi KrbClients visit KdcServer
> -----------------------------------------------
>
> Key: DIRKRB-767
> URL: https://issues.apache.org/jira/browse/DIRKRB-767
> Project: Directory Kerberos
> Issue Type: Bug
> Affects Versions: 2.0.3
> Reporter: lujie
> Priority: Critical
>
> When KDCServer starts, it runs a thread that checks for incoming client requests in the
> org.apache.kerby.kerberos.kerb.transport.KdcNetwork.run() method.
> *server test code:*
> {code:java}
> // server test code
> import org.apache.kerby.kerberos.kerb.KrbException;
> import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
> public class TestServer2 {
> public static void main(String[] args) throws KrbException {
> SimpleKdcServer simpleKdcServer = new SimpleKdcServer();
> simpleKdcServer.setKdcHost("0.0.0.0");
> simpleKdcServer.setKdcRealm("service.ws.apache.org");
> simpleKdcServer.setKdcTcpPort(12345);
> simpleKdcServer.setAllowUdp(true);
> simpleKdcServer.setKdcUdpPort(12346);
> simpleKdcServer.init();
> // Create principals
> String alice = "alice@service.ws.apache.org";
> String bob = "bob/service.ws.apache.org@service.ws.apache.org";
> // simpleKdcServer.set
> simpleKdcServer.createPrincipal(alice, "alice");
> simpleKdcServer.createPrincipal(bob,"bob");
> simpleKdcServer.start();
> }
> } {code}
> *client test Code*
> {code:java}
> // client test Code
> import org.apache.kerby.kerberos.kerb.KrbException;
> import org.apache.kerby.kerberos.kerb.client.KrbClient;
> import org.apache.kerby.kerberos.kerb.client.KrbPkinitClient;
> import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
> import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
> public class TestClient3 {
> public static void main(String[] args) {
> for (int i = 0; i < 10; i++) {
> System.out.println(i);
> new Thread(()->{
> try {
> KrbClient client = new KrbClient();
> client.setKdcHost("0.0.0.0");
> client.setKdcTcpPort(12345);
> client.setKdcUdpPort(12346);
> client.setKdcRealm("TEST2.COM");
> client.init();
> TgtTicket tgt;
> SgtTicket tkt;
> tgt = client.requestTgt("alice@service.ws.apache.org", "alice");
> tkt = client.requestSgt(tgt, "bob/service.ws.apache.org@service.ws.apache.org");
> } catch (KrbException e) {
> }
> }).start();
> }
> }
> }
> {code}
> *method : org.apache.kerby.kerberos.kerb.server.preauth.pkinit.PkinitPreauth.initWith(KdcContext kdcContext)*
> *I inserted two System.out.println() lines and one Thread.sleep(new Random().nextInt(10)) line around the pkinitContexts.put() call.*
> {code:java}
> System.out.println("start::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());
> try {
> Thread.sleep(new Random().nextInt(10));
> } catch (InterruptedException e) {
> throw new RuntimeException(e);
> }
> pkinitContexts.put(kdcContext.getKdcRealm(), tmp);
> System.out.println("end::" +Thread.currentThread().getName()+ " "+System.identityHashCode(pkinitContexts)+" "+ System.currentTimeMillis());{code}
> After running the server and the client, we get output like the following (partial):
> {panel}
> start::pool-1-thread-6 357333366 1688116403609
> start::pool-1-thread-4 357333366 1688116403609
> end::pool-1-thread-6 357333366 1688116403610
> start::pool-1-thread-1 357333366 1688116403609
> start::pool-1-thread-9 357333366 1688116403609
> start::pool-1-thread-2 357333366 1688116403609
> start::pool-1-thread-7 357333366 1688116403609
> start::pool-1-thread-5 357333366 1688116403609
> start::pool-1-thread-3 357333366 1688116403609
> start::pool-1-thread-10 357333366 1688116403609
> start::pool-1-thread-8 357333366 1688116403609
> end::pool-1-thread-5 357333366 1688116403613
> end::pool-1-thread-2 357333366 1688116403613
> end::pool-1-thread-4 357333366 1688116403614
> end::pool-1-thread-1 357333366 1688116403614
> end::pool-1-thread-7 357333366 1688116403617
> end::pool-1-thread-10 357333366 1688116403617
> end::pool-1-thread-3 357333366 1688116403617
> end::pool-1-thread-9 357333366 1688116403619
> end::pool-1-thread-8 357333366 1688116403619
> start::pool-1-thread-10 357333366 1688116403715
> start::pool-1-thread-6 357333366 1688116403716
> start::pool-1-thread-2 357333366 1688116403716
> start::pool-1-thread-4 357333366 1688116403715
> start::pool-1-thread-8 357333366 1688116403715
> start::pool-1-thread-3 357333366 1688116403716
> start::pool-1-thread-9 357333366 1688116403715
> start::pool-1-thread-1 357333366 1688116403715
> start::pool-1-thread-5 357333366 1688116403715
> end::pool-1-thread-5 357333366 1688116403716
> start::pool-1-thread-7 357333366 1688116403716
> end::pool-1-thread-10 357333366 1688116403719
> end::pool-1-thread-2 357333366 1688116403719
> end::pool-1-thread-6 357333366 1688116403719
> end::pool-1-thread-1 357333366 1688116403721
> end::pool-1-thread-7 357333366 1688116403721
> end::pool-1-thread-8 357333366 1688116403724
> end::pool-1-thread-4 357333366 1688116403726
> end::pool-1-thread-3 357333366 1688116403726
> end::pool-1-thread-9 357333366 1688116403726{panel}
> Different threads access the pkinitContexts object without any lock, which causes a data race.