Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-4477

Single Kerberos ticket renewal failure can prevent all future renewals since Java 9

    XMLWordPrintableJSON

Details

    Description

      Zookeeper refresh thread for Kerberos have the same problem in the reLogin() https://github.com/apache/zookeeper/blob/release-3.5.5/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L413  function as describe in https://issues.apache.org/jira/browse/KAFKA-12730

      The refresh thread for Kerberos performs re-login by logging out and then logging in again. If login fails, we retry after a backoff. Every iteration of the loop performs loginContext.logout() and loginContext.login(). If login fails, we end up with two consecutive logouts. This used to work, but from Java 9 onwards, this results in a NullPointerException due to https://bugs.openjdk.java.net/browse/JDK-8173069. We should check if logout is required before attempting logout.

       

      A NPE is throw if multiple logout() is invoke multiple times: 

      2022-02-14 18:38:11,899 ERROR org.apache.zookeeper.Login: Failed to refresh TGT: refresh thread exiting now.
javax.security.auth.login.LoginException: java.lang.NullPointerException: invalid null input(s)
    at java.base/java.util.Objects.requireNonNull(Objects.java:246)
    at java.base/javax.security.auth.Subject$SecureSet.remove(Subject.java:1172)
    at java.base/java.util.Collections$SynchronizedCollection.remove(Collections.java:2043)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.logout(Krb5LoginModule.java:1202)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:732)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    at java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
    at org.apache.zookeeper.Login.reLogin(Login.java:413)
    at org.apache.zookeeper.Login.access$500(Login.java:49)
    at org.apache.zookeeper.Login$1.run(Login.java:240)
    at java.base/java.lang.Thread.run(Thread.java:834)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    at java.base/javax.security.auth.login.LoginContext.logout(LoginContext.java:613)
    at org.apache.zookeeper.Login.reLogin(Login.java:413)
    at org.apache.zookeeper.Login.access$500(Login.java:49)
    at org.apache.zookeeper.Login$1.run(Login.java:240)
    at java.base/java.lang.Thread.run(Thread.java:834)

      Attachments

        Activity

          People

            symat Mate Szalay-Beko
            vgrivel Vincent Grivel
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 4h 40m
                4h 40m