Bug | Resolution: Fixed | P4 | 9 | b22 | x86 | linux | Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8239188 | openjdk8u252 | Andrew Hughes | P4 | Resolved | Fixed | b03 |
JDK-8237157 | openjdk8u242 | Andrew Hughes | P4 | Resolved | Fixed | b07 |
JDK-8240026 | openjdk7u | Andrew Hughes | P4 | Resolved | Fixed | master |
FULL PRODUCT VERSION :
Reproed on JDK7 but can see that the code is still the same in JDK9-dev
ADDITIONAL OS VERSION INFORMATION :
RHEL 7.3
A DESCRIPTION OF THE PROBLEM :
KerberosTicket.init() has the following code which assumes that, if a ticket has the RENEWABLE flag set, it must also have a renewTill date:

```java
if (this.flags[RENEWABLE_TICKET_FLAG]) {
    if (renewTill == null) {
        throw new IllegalArgumentException("The renewable period "
            + "end time cannot be null for renewable tickets.");
    }
    this.renewTill = new Date(renewTill.getTime());
}
```

However, this is not actually the case, at least in Kerberos 1.14 as installed on RHEL7.
1) Here at 18:39:00 we renew a Kerberos ticket and show the ticket cache. The resulting ticket has a renewTill = 18:39:31. The lifetime on this system has been configured to 30 seconds, so the ticket expires at 18:39:30 (1 second before the renewTill date).

```
$ kinit -R ; klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM
Valid starting       Expires              Service principal
08/21/2017 18:39:00  08/21/2017 18:39:30  krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
        renew until 08/21/2017 18:39:31, Flags: FRIT
```

2) If we wait another second and renew again, we can see that the resulting ticket has no 'renewTill' date, but still has the R (RENEWABLE) flag:

```
[root@impala-sasl-1 ~]# kinit -R ; klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM
Valid starting       Expires              Service principal
08/21/2017 18:39:01  08/21/2017 18:39:31  krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
        Flags: FRIT
[root@impala-sasl-1 ~]#
```
When I try to load this ticket cache from a Java program, it fails with the above-mentioned IllegalArgumentException.

```
[1] javax.security.auth.kerberos.KerberosTicket.init (KerberosTicket.java:306)
[2] javax.security.auth.kerberos.KerberosTicket.init (KerberosTicket.java:259)
[3] javax.security.auth.kerberos.KerberosTicket.<init> (KerberosTicket.java:241)
[4] sun.security.jgss.krb5.Krb5Util.credsToTicket (Krb5Util.java:342)
[5] com.sun.security.auth.module.Krb5LoginModule.commit (Krb5LoginModule.java:1,028)
[6] sun.reflect.NativeMethodAccessorImpl.invoke0 (native method)
[7] sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:57)
[8] sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
[9] java.lang.reflect.Method.invoke (Method.java:606)
[10] javax.security.auth.login.LoginContext.invoke (LoginContext.java:762)
```
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Configure a KDC with renew_lifetime = 1m and ticket_lifetime = 30s
2) Obtain a ticket
3) Wait 35 seconds
4) Renew the ticket
5) Try to login from the ticket cache using Krb5LoginModule
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The Kerberos ticket should load successfully and be treated the same as a non-renewable ticket.
ACTUAL -
An IAE is thrown by the Krb5LoginModule
ERROR MESSAGES/STACK TRACES THAT OCCUR :
```
>>>DEBUG <CCacheInputStream> client principal is kudu/impala-sasl-1.vpc.cloudera.com@VPC.CLOUDERA.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/VPC.CLOUDERA.COM@VPC.CLOUDERA.COM
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Mon Aug 21 18:37:00 PDT 2017
>>>DEBUG <CCacheInputStream> start time: Mon Aug 21 18:37:30 PDT 2017
>>>DEBUG <CCacheInputStream> end time: Mon Aug 21 18:38:00 PDT 2017
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL;
Ticket could not be renewed : null
Principal is null
```
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
We are planning to work around the issue by not renewing tickets using 'kinit' when the remaining life is less than one renewal period.
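As an added illustration (not the JDK's own patch for this bug), the class below models the consistency check quoted from KerberosTicket.init() and, beside it, the lenient handling the EXPECTED section asks for: a ticket whose RENEWABLE flag is set but whose renewTill is absent is loaded and treated as non-renewable instead of rejecting the whole credential cache. The flag indices follow the RFC 4120 TicketFlags bit numbering that KerberosTicket also uses; the method and class names are assumptions.

```java
import java.util.Arrays;
import java.util.Date;

public class RenewableTicketCheck {
    // Bit positions from RFC 4120 TicketFlags (same layout KerberosTicket uses).
    static final int FORWARDABLE = 1, RENEWABLE_TICKET_FLAG = 8, INITIAL = 9, PRE_AUTH = 10;
    static final int NUM_FLAGS = 32;

    // Behaviour quoted in the report: RENEWABLE without a renewTill is a hard error.
    static Date strictRenewTill(boolean[] flags, Date renewTill) {
        if (flags[RENEWABLE_TICKET_FLAG] && renewTill == null) {
            throw new IllegalArgumentException("The renewable period "
                    + "end time cannot be null for renewable tickets.");
        }
        return renewTill == null ? null : new Date(renewTill.getTime());
    }

    // Lenient handling (assumed name): when the KDC supplied no renewTill, clear the
    // RENEWABLE bit so the ticket loads and behaves exactly like a non-renewable one.
    static boolean[] lenientFlags(boolean[] flags, Date renewTill) {
        boolean[] adjusted = Arrays.copyOf(flags, NUM_FLAGS);
        if (adjusted[RENEWABLE_TICKET_FLAG] && renewTill == null) {
            adjusted[RENEWABLE_TICKET_FLAG] = false;
        }
        return adjusted;
    }

    // A ticket may still be renewed only if it is renewable and 'now' is before renewTill.
    static boolean canRenew(boolean[] flags, Date renewTill, Date now) {
        return flags[RENEWABLE_TICKET_FLAG] && renewTill != null && now.before(renewTill);
    }

    public static void main(String[] args) {
        // "Flags: FRIT" from the klist output: Forwardable, Renewable, Initial, pre-auThenticated.
        boolean[] frit = new boolean[NUM_FLAGS];
        frit[FORWARDABLE] = frit[RENEWABLE_TICKET_FLAG] = frit[INITIAL] = frit[PRE_AUTH] = true;

        // Second renewal in the report: R flag set, renew_till absent (constructed input).
        Date noRenewTill = null;
        try {
            strictRenewTill(frit, noRenewTill);
        } catch (IllegalArgumentException e) {
            System.out.println("strict check rejects the ticket: " + e.getMessage());
        }
        boolean[] adjusted = lenientFlags(frit, noRenewTill);
        System.out.println("lenient: renewable=" + adjusted[RENEWABLE_TICKET_FLAG]
                + ", canRenew=" + canRenew(adjusted, noRenewTill, new Date()));
    }
}
```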
- backported by
  - JDK-8237157 KerberosTicket does not properly handle renewable tickets at the end of their lifetime (Resolved)
  - JDK-8239188 KerberosTicket does not properly handle renewable tickets at the end of their lifetime (Resolved)
  - JDK-8240026 KerberosTicket does not properly handle renewable tickets at the end of their lifetime (Resolved)