sun.security.krb5.KrbApReq was creating a static MD5 digest object and not synchronizing access. This has been fixed in jdk8u60.
http://hg.openjdk.java.net/jdk8u/jdk8u60/jdk/rev/02d6b1096e89 One of the visible symptom is RPC reader thread getting ArrayIndexOutOfBoundsException from sun.security.provider.DigestBase.engineUpdate. More concerning case is a reader operating on a wrong digest. Kihwal ________________________________ From: Jean-Baptiste Note <jbn...@gmail.com> To: common-...@hadoop.apache.org Cc: "mapreduce-...@hadoop.apache.org" <mapreduce-...@hadoop.apache.org>; "hdfs-dev@hadoop.apache.org" <hdfs-dev@hadoop.apache.org>; dev <d...@hbase.apache.org>; "yarn-...@hadoop.apache.org" <yarn-...@hadoop.apache.org> Sent: Tuesday, October 13, 2015 5:00 AM Subject: Re: [DISCUSS] About the details of JDK-8 support Hi, As far as security is concerned we (Criteo) are using CDH5 with JDK8 in production with security enabled. We reported some gripes with some specific java versions: https://issues.cloudera.org/browse/DISTRO-732 I would bump the dependency to _u51 or later; _u40 _u45 do have a lot of problems with SPNEGO SSO. JB
