Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-3891

ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • 4.11.0
    • None
    • None

    Description

      PHOENIX-3189 fixed some logic in construction of a ConnectionInfo to, when requested by the user, perform the Kerberos login and then construct and cache the ConnectionInfo->ConnectionQueryServices pair.

      This approach only works when the principal that the user provides in the JDBC url is exactly what UGI returns as the short name. Logically equivalent principals will result in re-logging in each time and leaking ConnectionQueryService instances (and thus HConnection and ZooKeeper objects).

      For example, with Kerberos principals there is a default realm which is implied by krb5.conf when not explicitly provided. Thus: elserj and elserj@APACHE would be considered logically equivalent (when the default realm is "APACHE"). We should expand the isSameName check in ConnectionInfo to be a bit smarter.

      Attachments

        1. PHOENIX-3891.001.patch
          8 kB
          Josh Elser
        2. PHOENIX-3891.002.patch
          8 kB
          Josh Elser

        Issue Links

          Activity

            People

              elserj Josh Elser
              elserj Josh Elser
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: