Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-3232

Automatic Kerberos login via JDBC url can result in clients using other's credentials

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Not A Problem
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None

      Description

      This is a recent topic of discussion that keeps coming up (PHOENIX-3189, PHOENIX-3216, and PHOENIX-3126).

      The root of the problem are two competing goals:

      1. Try to re-use HBase Connections as much as possible
      2. Change the "global" Kerberos user state (in UserGroupInformation)

      One common manifestation of this problem is when multiple JDBC URLs are used within a single JVM. Instances of PhoenixConnections are not tied to the user that was logged in at construction of the instance, but the global state (shared across the entire JVM). Thus, a second PhoenixConnection constructed with a different user causes the first PhoenixConnection to use the new user's credentials (without any warning).

      https://github.com/joshelser/phoenix-test/blob/master/src/main/java/com/github/joshelser/ConcurrentUse.java is a concrete example of how this breaks down. The second use of the connection by "USER A" is actually done as the other user.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                elserj Josh Elser
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: