diff --git a/CHANGES.txt b/CHANGES.txt index ad393a0482..9041b31e3c 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -56,6 +56,9 @@ Trunk (unreleased changes) HADOOP-6939. Inconsistent lock ordering in AbstractDelegationTokenSecretManager. (Todd Lipcon via tomwhite) + HADOOP-7091. reloginFromKeytab() should happen even if TGT can't be found. + (Kan Zhang via jghoman) + Release 0.22.0 - Unreleased INCOMPATIBLE CHANGES diff --git a/src/java/org/apache/hadoop/security/UserGroupInformation.java b/src/java/org/apache/hadoop/security/UserGroupInformation.java index 16c20af321..af4e459352 100644 --- a/src/java/org/apache/hadoop/security/UserGroupInformation.java +++ b/src/java/org/apache/hadoop/security/UserGroupInformation.java @@ -526,7 +526,7 @@ public boolean isFromKeytab() { * Get the Kerberos TGT * @return the user's TGT or null if none was found */ - private KerberosTicket getTGT() { + private synchronized KerberosTicket getTGT() { Set tickets = subject .getPrivateCredentials(KerberosTicket.class); for (KerberosTicket ticket : tickets) { @@ -657,12 +657,14 @@ public synchronized void reloginFromKeytab() !isKeytab) return; - KerberosTicket tgt = getTGT(); - if (tgt == null) { + long now = System.currentTimeMillis(); + if (!hasSufficientTimeElapsed(now)) { return; } + + KerberosTicket tgt = getTGT(); //Return if TGT is valid and is not going to expire soon. - if (System.currentTimeMillis() < getRefreshTime(tgt)) { + if (tgt != null && now < getRefreshTime(tgt)) { return; } @@ -670,7 +672,6 @@ public synchronized void reloginFromKeytab() if (login == null || keytabFile == null) { throw new IOException("loginUserFromKeyTab must be done first"); } - long now = System.currentTimeMillis(); long start = 0; // register most recent relogin attempt