JHSUYU opened a new pull request, #2367:
URL: https://github.com/apache/zookeeper/pull/2367
JIRA: https://issues.apache.org/jira/browse/ZOOKEEPER-5033
## Problem
When the Login TGT refresh thread silently exits (due to clock skew, KDC
unavailability, etc.), the Kerberos credentials in the Subject expire.
Subsequent reconnection attempts fail permanently because no code path triggers
a re-login. The `authLearner` object is created once in
`QuorumPeer.initialize()` and reused for all retry attempts with the same
stale Subject.
## Fix
- Add `Login.forceReLogin()`, which logs in again immediately (bypassing the
minimum time check and Kerberos guard) to refresh stale credentials from the JAAS
config/keytab
- Call `forceReLogin()` in `SaslQuorumAuthLearner.authenticate()` and
`SaslQuorumAuthServer.authenticate()` on SASL failure, so the next
authentication attempt uses fresh credentials
- Add unit test `SaslQuorumAuthReLoginTest` that verifies credential
recovery after corruption (passes with fix, fails without)
## Test
- [x] `SaslQuorumAuthReLoginTest.testReLoginOnSaslAuthFailure` — verifies
that after credential corruption and auth failure, `forceReLogin()` restores
valid credentials for the next attempt
- [x] Existing `QuorumDigestAuthTest` (6 tests) — all pass, no regressions
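The failure mode and the fix described in this pull request, modelled as an added, self-contained example; it is not code from the PR or from ZooKeeper. Every name here (`Ticket`, `CachedLogin`, `connectWithRetries`) is hypothetical, a plain expiry time stands in for the Kerberos TGT, and only the `forceReLogin()` method name is taken from the description.

```java
import java.time.Instant;
import java.util.function.Supplier;

/** Added illustration; all classes here are hypothetical, not ZooKeeper's. */
public class StaleCredentialRetryDemo {
    /** Stand-in for the Kerberos TGT held in the JAAS Subject. */
    record Ticket(Instant endTime) {
        boolean validAt(Instant now) { return now.isBefore(endTime); }
    }

    /** Stand-in for a login object created once and reused by every retry. */
    static final class CachedLogin {
        private final Supplier<Ticket> keytabLogin; // assumed keytab-backed login
        private volatile Ticket ticket;
        CachedLogin(Supplier<Ticket> keytabLogin) {
            this.keytabLogin = keytabLogin;
            this.ticket = keytabLogin.get();
        }
        Ticket current() { return ticket; }
        /** Unconditional re-login: the role the description gives forceReLogin(). */
        void forceReLogin() { ticket = keytabLogin.get(); }
    }

    /** Stand-in for the SASL handshake: fails once the cached ticket has expired. */
    static boolean authenticate(CachedLogin login, Instant now) {
        return login.current().validAt(now);
    }

    /** Returns the 1-based attempt that succeeded, or -1 if every attempt failed. */
    static int connectWithRetries(CachedLogin login, Instant now,
                                  int maxAttempts, boolean reLoginOnFailure) {
        for (int attempt = 1; attempt <= maxAttempts; attempt++) {
            if (authenticate(login, now)) return attempt;
            if (reLoginOnFailure) login.forceReLogin(); // fresh ticket for next attempt
        }
        return -1;
    }

    public static void main(String[] args) {
        Instant[] clock = { Instant.parse("2025-01-01T00:00:00Z") }; // constructed time
        Supplier<Ticket> keytab = () -> new Ticket(clock[0].plusSeconds(3600));
        CachedLogin before = new CachedLogin(keytab);
        CachedLogin after = new CachedLogin(keytab);
        // The refresh thread has exited, so nothing renews the ticket before it expires.
        clock[0] = clock[0].plusSeconds(7200);
        System.out.println("without re-login: " + connectWithRetries(before, clock[0], 5, false));
        System.out.println("with re-login:    " + connectWithRetries(after, clock[0], 5, true));
    }
}
```

In this model the attempt that detects the stale ticket still fails; the re-login it triggers is what lets the following attempt succeed, while the loop without it exhausts every retry against the same expired ticket.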