code review request: 7162687: enhance KDC server availability detection
Weijun Wang
weijun.wang at oracle.com
Thu Apr 19 03:21:03 UTC 2012
Hi Valerie
Please take a review at
http://cr.openjdk.java.net/~weijun/7162687/webrev.00/
Basically I add a connect() before send/receive and if a KDC UDP server
is not on, an ICMP Port Unreachable message will be received
immediately, and there will be no more retry on the same KDC.
In the tests, an idle DatagramSocket must be created to avoid the ICMP
message being sent. I also enhance the BadKdc tests to check the new
behavior: When no idle DatagramSocket is created, there are no more
retries on the same KDC, but you can still see krb5.kdc.bad.policy working.
Thanks
Max
-------- Original Message --------
*Change Request ID*: 7162687
*Synopsis*: enhance KDC server availability detection
Product: java
Category: java
Subcategory: classes_security
Type: RFE
=== *Description*
============================================================
Currently if there are multiple KDCs defined for a realm, we send UDP
request to each one and wait for reply, when no reply is received, we
retry. After several unsuccessful retries, we go on to the next KDC. The
timeout for the wait is normally 30 seconds. If the KDCs defined are not
all turned on, the time spent to finally get a response might be very
long. This is especially true for customers having a main KDC and
several slave KDCs and the main KDC is in maintenance.
In fact, there is a better way to detect if the KDC server is on by
connect() to it first. In this way, an IMCP PortUnreachableException
will be thrown in a later send/receive method immediately. Also, when
this exception is thrown, we can be sure that the KDC server is off and
there is no need to retry this one.
Please note that if a KDC is on but for various reasons it cannot reply
in a timely manner, we will still wait for the timeout and do a retry.
*** (#1 of 1): 2012-04-19 02:56:04 GMT+00:00 weijun.wang at oracle.com
*** Last Edit: 2012-04-19 02:57:44 GMT+00:00 weijun.wang at oracle.com
More information about the security-dev
mailing list