ZOOKEEPER-5033: Quorum SASL authentication fails permanently after Login TGT refresh thread exits #2367
Open
JHSUYU wants to merge 1 commit into apache:master from
Conversation
…gin TGT refresh thread exits Add forceReLogin() to Login that re-logins immediately without the minimum time check, and call it from SaslQuorumAuthLearner and SaslQuorumAuthServer when authentication fails. This ensures the next authentication attempt uses fresh credentials after TGT expiration.
Author
@symat @eolivelli Hi, could you take a look to see if this fix makes sense? Thanks! Happy to modify it based on any feedback.
JIRA: https://issues.apache.org/jira/browse/ZOOKEEPER-5033
Problem
When the Login TGT refresh thread silently exits (due to clock skew, KDC unavailability, etc.), the Kerberos credentials in the Subject expire. Subsequent reconnection attempts fail permanently because no code path triggers a re-login. The authLearner object is created once in QuorumPeer.initialize() and reused for all retry attempts with the same stale Subject.

Fix
- Add Login.forceReLogin() that re-logins immediately (bypassing the minimum time check and Kerberos guard) to refresh stale credentials from JAAS config/keytab
- Call forceReLogin() in SaslQuorumAuthLearner.authenticate() and SaslQuorumAuthServer.authenticate() on SASL failure, so the next authentication attempt uses fresh credentials
- Add SaslQuorumAuthReLoginTest that verifies credential recovery after corruption (passes with fix, fails without)

Test
- SaslQuorumAuthReLoginTest.testReLoginOnSaslAuthFailure — verifies that after credential corruption and auth failure, forceReLogin() restores valid credentials for the next attempt
- QuorumDigestAuthTest (6 tests) — all pass, no regressions
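To make the failure mode and the fix concrete, here is a standalone Java sketch added for illustration; it is not code from this PR or from ZooKeeper. The Login, Credential, reLogin, forceReLogin and saslHandshake names, the minimum re-login interval and the short ticket lifetime are simplified stand-ins modelled on the description above, not the project's real classes. It contrasts a retry loop that reuses the stale credential forever with one that forces a re-login after a failed handshake, and shows why the throttled re-login path alone is not enough once the refresh thread has died.

```java
// Added illustration (not ZooKeeper code): a Login whose periodic refresh
// thread has exited, and two authenticate() retry loops over the same stale
// credential. Times are plain millisecond longs so the scenario is deterministic.
public class ForceReLoginDemo {

    /** Constructed stand-in for the Kerberos Subject: one credential with an expiry. */
    static final class Credential {
        final long expiresAtMillis;
        Credential(long expiresAtMillis) { this.expiresAtMillis = expiresAtMillis; }
        boolean isValid(long now) { return now < expiresAtMillis; }
    }

    /** Simplified Login: the ordinary re-login is throttled by a minimum interval. */
    static final class Login {
        static final long MIN_TIME_BEFORE_RELOGIN_MS = 60_000; // assumed value for the demo
        static final long TICKET_LIFETIME_MS = 10_000;        // constructed, short for the demo

        private Credential credential;
        private long lastLoginMillis;

        Login(long now) { doLogin(now); }

        // In the real system the refresh thread would call this before expiry;
        // here nothing renews the ticket, modelling a refresh thread that exited.
        private void doLogin(long now) {
            credential = new Credential(now + TICKET_LIFETIME_MS);
            lastLoginMillis = now;
        }

        /** Throttled path: refuses to re-login if called too soon after the last login. */
        boolean reLogin(long now) {
            if (now - lastLoginMillis < MIN_TIME_BEFORE_RELOGIN_MS) {
                return false; // the "minimum time check" the fix bypasses
            }
            doLogin(now);
            return true;
        }

        /** Forced path: re-login immediately regardless of the throttle. */
        void forceReLogin(long now) { doLogin(now); }

        Credential getCredential() { return credential; }
    }

    /** Simulated SASL handshake: succeeds only with an unexpired credential. */
    static boolean saslHandshake(Credential c, long now) { return c.isValid(now); }

    /** Retry loop without the fix: the same stale credential is reused on every attempt. */
    static int attemptsUntilSuccessWithoutFix(Login login, long start, int maxAttempts) {
        for (int i = 1; i <= maxAttempts; i++) {
            long now = start + i * 1_000L;
            if (saslHandshake(login.getCredential(), now)) return i;
        }
        return -1; // never recovers
    }

    /** Retry loop with the fix: force a re-login after each failed handshake. */
    static int attemptsUntilSuccessWithFix(Login login, long start, int maxAttempts) {
        for (int i = 1; i <= maxAttempts; i++) {
            long now = start + i * 1_000L;
            if (saslHandshake(login.getCredential(), now)) return i;
            login.forceReLogin(now); // next attempt sees a fresh credential
        }
        return -1;
    }

    public static void main(String[] args) {
        long t0 = 0L;
        long afterExpiry = t0 + Login.TICKET_LIFETIME_MS + 5_000; // ticket already expired

        Login stale = new Login(t0);
        System.out.println("throttled reLogin performed a login: " + stale.reLogin(afterExpiry));
        System.out.println("attempts until success without fix: "
                + attemptsUntilSuccessWithoutFix(stale, afterExpiry, 5));

        Login fixed = new Login(t0);
        System.out.println("attempts until success with fix: "
                + attemptsUntilSuccessWithFix(fixed, afterExpiry, 5));
    }
}
```

Compile and run with `javac ForceReLoginDemo.java && java ForceReLoginDemo`. The throttled reLogin returns false because the last login was less than the minimum interval ago, so the stale loop exhausts its attempts, while the loop that calls forceReLogin after the first failure succeeds on its second attempt; that is the behaviour the PR's SaslQuorumAuthReLoginTest is described as checking.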