ISSUE 568 : Synchronize Kerberos ticket renewal for non-renewable ticket #581
Conversation
| @@ -246,6 +260,26 @@ private KerberosTicket getTGT() { | |||
| return null; | |||
| } | |||
|
|
|||
| private void synchronizeReLogin() throws LoginException { | |||
There was a problem hiding this comment.
I dont see any point having relogin and synchronizeReLogin. Please rename this as relogin and delete the other.
There was a problem hiding this comment.
The code in try {} block and in else {} block have same lines of code which has been abstracted out as reLogin(). Its better to keep this abstracted out, as synchronizedReLogin() is wrapper over reLogin() which hold the actual logic to reLogin() while synchornizedReLogin() simply provides a synchronization on top of it.
| KerberosLogin kerberosLogin = new KerberosLogin(); | ||
| kerberosSynchronizationLock = new ReentrantReadWriteLock(true); | ||
| Lock kerberosTGTRenewalLock = kerberosSynchronizationLock.writeLock(); | ||
| KerberosLogin kerberosLogin = new KerberosLogin(kerberosTGTRenewalLock, KERBEROS_SYNCHRONIZATION_TIMEOUT_MS); |
There was a problem hiding this comment.
KERBEROS_SYNCHRONIZATION_TIMEOUT_MS does not belong here. And sharing the lock does not appear so elegant. How about this
- Create a ReentrantReadWriteLock in KerberosLogin.
- Use writelock in relogin method.
- Push the synchronizedDoAction to KerberosLogin and use readlock for that.
You will limit the moving parts of KerberosLogin class.
raju-saravanan
force-pushed
the
master-issue-568
branch
from
9e4c2ac to
a6ecee0
Compare
|
@guruchai: I have exposed NOOPLogin class which will abstract out the login |
There was a problem hiding this comment.
LGTM...
food for thought: Can we do away with all the additional checks for locks in KerberosLogin? relogin ideally should be an atomic operation. Almost all the KerberosLogin impls have their relogin wrapped inside a lock.
https://github.com/hortonworks/kafka/blob/bd037de41b621a6984a0577ab59e13c27c225931/clients/src/main/java/org/apache/kafka/common/security/kerberos/KerberosLogin.java#L359
https://github.com/apache/zookeeper/blob/d84b7a682eb4601005db9fac886079b1a9a4d4b0/zookeeper-server/src/main/java/org/apache/zookeeper/Login.java#L409
Similarly, on read lock side, no implementation would want to do an action without lock. So lets make that explicit by creating lock always. This simplifies the code and removes repititive checks. We can assume an indefinite timeout in default case.
|
We can't have reLogin() wrapped in a synchronized block as you have referenced in the previous comment. In the schema registry, we don't have a connection pool, we open up a new connection for every request made, so if we open a new connection between logout() and login() of reLogin() the server will throw 401. Zookeeper and Kafka the connection is reused after the request is over and hence it making a call between logout() and login() works as it still the cookie from the previous call. |
|
@raju-saravanan
Zookeeper and Kafka the connection is reused after the request is over and hence it making a call between logout() and login() works as it still the cookie from the previous call.
|
|
Thanks for the PR! |
…ket (#581) * ISSUE 568 : Synchronize Kerberos ticket renewal for non-renewable ticket * Handle doAction as a part of Login class * Remove references to Schema Registry in KerberosLogin class. * With default constructor of KerberosLogin create a read/write lock
Fixes #568