Kerberos kinit handling w.r.t atomicity

Srivatsan vn srivatsan.vn at gmail.com
Thu Jun 27 10:10:23 EDT 2013


Hi Team,

Can you please provide some insight on how to make kinit an
atomic operation to deal with concurrency issues? In my application env, I
will have a periodic kinit job that runs every 8 hours to refresh the
TGT tickets, and I will also have applications that would make kerberised
Oracle DB connections round the clock.

I tested running the kinit job and my applications in parallel and
found that the connections fail due to a cache credential error. This makes me
think that kinit is not atomic. Can you please suggest possible solutions
to this concurrency issue?

When I googled, I could see some generalized solutions, listed below.

1) Have retry logic in the application to make db connections. I can't do
this as I don't have the source code.

2) Explore Unix advisory/mandatory locking features that could set some
properties on the cache file which would make sure that the cache file is
always locked when it's opened by any process. I have to explore if it's
supported in my app env as I see it's highly related to the type of mounted
filesystem and the operating system. I use Solaris / Linux.

3) Run the kinit during off-peak hours.

Please let me know your thoughts.

Thanks,
Srivatsan Nallazhagappan
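
An added example, not part of the original message or of any Kerberos distribution: one way to keep readers from seeing a half-written FILE cache is to have the refresh job write the new TGT to a temporary cache in the same directory and then rename it over the live one. It assumes the job authenticates from a keytab and that the applications read a FILE: cache by path; `refresh_ccache` and the `KINIT` override are hypothetical names.

```shell
#!/bin/sh
# refresh_ccache CACHE KEYTAB PRINCIPAL   (hypothetical helper name)
# Obtain a fresh TGT into a temporary cache beside CACHE, then rename it
# over CACHE. A process opening CACHE sees the old file or the new one,
# never a truncated or partially written one.
# KINIT is an assumed override hook for testing; it defaults to kinit.
refresh_ccache() {
    cache=$1 keytab=$2 principal=$3
    dir=$(dirname "$cache")
    # Same directory as the target, so mv is a rename within one filesystem.
    tmp=$(mktemp "$dir/.ccache.XXXXXX") || return 1
    # -c: cache to write; -k -t: authenticate from a keytab, no prompt.
    if ! "${KINIT:-kinit}" -c "FILE:$tmp" -k -t "$keytab" "$principal"; then
        rm -f -- "$tmp"   # failed refresh: the live cache stays untouched
        return 1
    fi
    # Refuse to publish an empty cache.
    if [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        return 1
    fi
    # Credential caches must be readable by their owner only.
    chmod 600 "$tmp" || { rm -f -- "$tmp"; return 1; }
    mv -f -- "$tmp" "$cache" || { rm -f -- "$tmp"; return 1; }
}
```

The job has to run as the same user that owns the live cache, and the rename is only atomic when the temporary file and the cache are on the same filesystem, which is why the temporary file is created next to the target.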

