Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-3232

Automatic Kerberos login via JDBC url can result in clients using other's credentials

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Not A Problem
    • None
    • None
    • None
    • None

    Description

      This is a recent topic of discussion that keeps coming up (PHOENIX-3189, PHOENIX-3216, and PHOENIX-3126).

      The root of the problem are two competing goals:

      1. Try to re-use HBase Connections as much as possible
      2. Change the "global" Kerberos user state (in UserGroupInformation)

      One common manifestation of this problem is when multiple JDBC URLs are used within a single JVM. Instances of PhoenixConnections are not tied to the user that was logged in at construction of the instance, but the global state (shared across the entire JVM). Thus, a second PhoenixConnection constructed with a different user causes the first PhoenixConnection to use the new user's credentials (without any warning).

      https://github.com/joshelser/phoenix-test/blob/master/src/main/java/com/github/joshelser/ConcurrentUse.java is a concrete example of how this breaks down. The second use of the connection by "USER A" is actually done as the other user.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. PHOENIX-3189 HBase/ZooKeeper connection leaks when providing principal/keytab in JDBC url

          • Blocker - Blocks development and/or testing work, production could not run
          • Closed

          Activity

            People

              elserj Josh Elser
              elserj Josh Elser
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: