  1. Phoenix
  2. PHOENIX-3891

ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.11.0
    • Labels:
      None

      Description

      PHOENIX-3189 fixed some logic in construction of a ConnectionInfo to, when requested by the user, perform the Kerberos login and then construct and cache the ConnectionInfo->ConnectionQueryServices pair.

      This approach only works when the principal that the user provides in the JDBC url is exactly what UGI returns as the short name. Logically equivalent principals will result in re-logging in each time and leaking ConnectionQueryService instances (and thus HConnection and ZooKeeper objects).

      For example, with Kerberos principals there is a default realm which is implied by krb5.conf when not explicitly provided. Thus: elserj and elserj@APACHE would be considered logically equivalent (when the default realm is "APACHE"). We should expand the isSameName check in ConnectionInfo to be a bit smarter.
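The realm-aware comparison described above, as an added example that is not Phoenix's code or the attached patch. The class name, the `qualify` helper and passing the default realm as a parameter are assumptions made for illustration; in practice the default realm comes from krb5.conf.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class PrincipalEquivalenceDemo {

    /** Append the default realm when the principal carries none; otherwise return it unchanged. */
    static String qualify(String principal, String defaultRealm) {
        if (principal == null || defaultRealm == null || principal.indexOf('@') >= 0) {
            return principal; // already qualified, or nothing known to qualify it with
        }
        return principal + "@" + defaultRealm;
    }

    /**
     * Realm-aware name check (hypothetical stand-in for the isSameName check in ConnectionInfo).
     * Both sides are qualified rather than stripped of their realm, so the same
     * primary in two different realms is never treated as one identity.
     */
    static boolean isSameName(String a, String b, String defaultRealm) {
        return Objects.equals(qualify(a, defaultRealm), qualify(b, defaultRealm));
    }

    public static void main(String[] args) {
        String defaultRealm = "APACHE";      // constructed sample value
        String fromUrl = "elserj";           // principal as written in the JDBC URL
        String fromLogin = "elserj@APACHE";  // the same identity, fully qualified

        // Exact string matching: the lookup misses, so every connection would
        // log in again and cache another services object.
        Map<String, Object> exactCache = new HashMap<>();
        exactCache.put(fromLogin, new Object());
        System.out.println("exact key hit:     " + exactCache.containsKey(fromUrl));

        // Qualified keys: both spellings resolve to the same cache entry.
        Map<String, Object> qualifiedCache = new HashMap<>();
        qualifiedCache.put(qualify(fromLogin, defaultRealm), new Object());
        System.out.println("qualified key hit: "
                + qualifiedCache.containsKey(qualify(fromUrl, defaultRealm)));

        // A principal in another realm stays distinct.
        System.out.println("cross-realm same:  "
                + isSameName("elserj", "elserj@EXAMPLE", defaultRealm));
    }
}
```

Qualifying both names, instead of dropping the realm from the longer one, keeps the check from equating principals that belong to different realms.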

        Attachments

        1. PHOENIX-3891.002.patch
          8 kB
          Josh Elser
        2. PHOENIX-3891.001.patch
          8 kB
          Josh Elser
              People

              • Assignee:
                elserj Josh Elser
                Reporter:
                elserj Josh Elser