Re: RFR 8036779: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

Xuelei Fan xuelei.fan at oracle.com
Thu May 15 02:09:38 UTC 2014


On 5/15/2014 9:41 AM, Weijun Wang wrote:
> 
> On 5/15/2014 9:27, Xuelei Fan wrote:
>> On 5/14/2014 8:24 PM, Weijun Wang wrote:
>>>>> How is this unsafe, especially compared to if we don't fix it? The
>>>>> only
>>>>> bad thing is that if someone wants to set the timeout to be less than
>>>>> 120 ms, now there will be no way to do it. But that should never
>>>>> happen,
>>>>> right?
>>>>>
>>>> My concern is that it might happen. 120ms is not a small number, and
>>>> 120s is not a big number in some circumstances.
>>>
>>> 120ms and 120s are possible values,
>> So it is really confusing to me that 119 will be treated as seconds, and
>> 121 will be treated as milliseconds.
> 
> This is unfortunate, we can document it.
> 
The actual problem is, what if I want to use 121 seconds?  It is a
possible timeout value in practice.

>>
>>> but I doubt people will set them in
>>> krb5.conf.
>>>
>> I did not get your idea.  People won't use kdc_timeout option at all?
> 
> No, what I mean is people are not likely to set these values as
> kdc_timeout. If someone sets it to 120ms it means he does not want to
> wait more than that and would rather switch to another KDC or fail. That
> looks too impatient. If someone sets it to 120s, that is too long a time
> for me. In general, 3 sec to 30 sec sounds sane.
> 
As I said, in some circumstances 120ms is too big (two nodes in a
cluster?); however, in some other circumstances, 120s is too
small (limited bandwidth network?).  We cannot guess what the proper
value is before we know exactly what the circumstances are.  Actually, we
cannot know that for every deployment. So it does not sound like a safe
fix to me to use a mixed spec.

>>
>>>>
>>>> Alternatively, for better interop, we can suggest using an explicit
>>>> spec in
>>>> the configuration instead of guessing what the spec is.  Supporting two
>>>> default specs is really confusing.
>>>>
>>>
>>> Unless we drop kdc_timeout and invent a new key name, we will have to
>>> deal with the correctness (sec) and compatibility (msec) at the same
>>> time. Yes, we can suggest people always add a unit, but it looks like most
>>> people simply put a bare number there.
>> IMHO, just declaring it as a known issue of Java is an alternative
>> approach I may prefer.
>>
>> Is Java the only implementation to use milliseconds in the
>> configuration?  Do we have a public specification for the kdc_timeout
>> option?  Or do we just declare we follow the industry conventions?  If Java
>> is the only vendor to use milliseconds wrongly, it may be OK to make the
>> correction in a major release (JDK 9?).
> 
> We should be the only one using msec.
> 
Oops!

> Java SE has a public spec saying the default value is 30000, that
> implies we use msec. Oracle has other doc claiming it's msec:
> 
>   http://docs.oracle.com/cd/E19728-01/820-2550/activedir_auth.html
> 
> If we just change to sec it is a big compatibility issue. Users won't
> notice any error report except finding their app runs much slower.
> 
Then I would suggest declaring it as a known issue, and suggest using an
explicit spec in practice.

Xuelei

> Thanks
> Max
> 
>>
>> Xuelei
>>
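
The unit ambiguity debated in this thread, as an added Java example (not JDK code and not written by any participant): it compares the legacy millisecond reading, the mixed rule with the 120 threshold mentioned above, and a strict parser that rejects bare numbers. The `s`/`ms` suffix syntax, the class and method names, and the treatment of exactly 120 as milliseconds are assumptions.

```java
public class KdcTimeoutUnits {
    // From the thread: 119 is read as seconds, 121 as milliseconds.
    // Treating exactly 120 as milliseconds is an assumption.
    static final long THRESHOLD = 120;

    /** Legacy Java reading: a bare number is milliseconds. */
    static long legacyMillis(String v) {
        return Long.parseLong(v.trim());
    }

    /** Mixed spec debated in the thread: small bare numbers are seconds. */
    static long mixedMillis(String v) {
        long n = Long.parseLong(v.trim());
        return n < THRESHOLD ? n * 1000 : n;
    }

    /** Explicit spec (hypothetical syntax): a unit is mandatory; returns -1 if rejected. */
    static long explicitMillis(String v) {
        String s = v.trim();
        long factor;
        String digits;
        if (s.endsWith("ms")) {
            factor = 1;
            digits = s.substring(0, s.length() - 2);
        } else if (s.endsWith("s")) {
            factor = 1000;
            digits = s.substring(0, s.length() - 1);
        } else {
            return -1; // bare number: refuse to guess the unit
        }
        // 1 to 9 digits only: no sign, no overflow after scaling
        return digits.matches("\\d{1,9}") ? Long.parseLong(digits) * factor : -1;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real krb5.conf.
        String[] samples = {"3", "119", "121", "30000", "121s", "120ms"};
        for (String v : samples) {
            boolean bare = v.matches("\\d+");
            String legacy = bare ? legacyMillis(v) + " ms" : "n/a";
            String mixed = bare ? mixedMillis(v) + " ms" : "n/a";
            long e = explicitMillis(v);
            System.out.printf("%-6s legacy=%-9s mixed=%-10s explicit=%s%n",
                    v, legacy, mixed, e < 0 ? "rejected" : e + " ms");
        }
    }
}
```

Under the mixed rule a bare `119` and a bare `121` differ by roughly a factor of 1000 in effective timeout, and 121 seconds can only be expressed with an explicit unit.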



