  1. Phoenix
  2. PHOENIX-3232

Automatic Kerberos login via JDBC url can result in clients using other's credentials


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Not A Problem

    Description

      This is a recent topic of discussion that keeps coming up (PHOENIX-3189, PHOENIX-3216, and PHOENIX-3126).

      The root of the problem is two competing goals:

      1. Try to re-use HBase Connections as much as possible
      2. Change the "global" Kerberos user state (in UserGroupInformation)

      One common manifestation of this problem is when multiple JDBC URLs are used within a single JVM. Instances of PhoenixConnection are not tied to the user that was logged in at construction of the instance, but to the global state (shared across the entire JVM). Thus, a second PhoenixConnection constructed with a different user causes the first PhoenixConnection to use the new user's credentials (without any warning).

      https://github.com/joshelser/phoenix-test/blob/master/src/main/java/com/github/joshelser/ConcurrentUse.java is a concrete example of how this breaks down. The second use of the connection by "USER A" is actually done as the other user.
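
A minimal model of the failure described above, added here as an illustration and not taken from the issue, Phoenix or Hadoop. `ProcessLogin` stands in for the JVM-wide login state held by UserGroupInformation; `GlobalConn`, `BoundConn` and the principals are hypothetical. `BoundConn` shows one check that turns the silent identity switch into a visible failure.

```java
// Model only: none of these classes exist in Phoenix or Hadoop.
public class SharedLoginModel {

    /** One login slot shared by every thread and connection in the JVM. */
    static final class ProcessLogin {
        private static volatile String user;
        static void login(String principal) { user = principal; }
        static String current() { return user; }
    }

    /** Resolves the acting user from global state on every call (the reported behaviour). */
    static final class GlobalConn {
        GlobalConn(String principal) { ProcessLogin.login(principal); }
        String whoAmI() { return ProcessLogin.current(); }
    }

    /** Remembers the principal it was built with and refuses to act once the global login differs. */
    static final class BoundConn {
        private final String owner;
        BoundConn(String principal) { ProcessLogin.login(principal); owner = principal; }
        String whoAmI() {
            String now = ProcessLogin.current();
            if (!owner.equals(now)) {
                throw new IllegalStateException(
                    "connection opened as " + owner + " but JVM login is now " + now);
            }
            return owner;
        }
    }

    public static void main(String[] args) {
        // Constructed principals, for illustration only.
        GlobalConn a = new GlobalConn("userA@EXAMPLE.COM");
        System.out.println("A before B logs in: " + a.whoAmI());
        new GlobalConn("userB@EXAMPLE.COM");
        // Resolved from the shared slot, not from the login A was built with.
        System.out.println("A after B logs in:  " + a.whoAmI());

        BoundConn c = new BoundConn("userA@EXAMPLE.COM");
        new BoundConn("userB@EXAMPLE.COM");
        try {
            c.whoAmI();
        } catch (IllegalStateException e) {
            System.out.println("drift detected: " + e.getMessage());
        }
    }
}
```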


          People

            elserj Josh Elser