Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/203
  
    > Regarding the renewal, I understand from, http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop, that the RPC layer takes care of that.
    
    Well, if you're talking to HDFS directly it would take care of it :). But we're talking about accessing HBase here. I'm not sure if the same holds true. I know there is something similar in the HBase RPC level, but I'd have to find it again in code to double check.
    
    > I am trying to fix the scenario in which multiple threads call loginUserFromKeytab concurrently and then the renewal process no longer works as expected.
    > If only one login happens the renewal works properly.
    
    Is this the same principal over and over again? Are you essentially providing the same principal and keytab in the JDBC URL, expecting Phoenix to do everything for you instead of doing the login in Storm?
    
    > Your concern regarding security is correct.
    
    Ok. I would like to redirect your efforts to PHOENIX-3189 then. We cannot sacrifice security for multi-threading (as you can already handle the Kerberos login yourself). Can you take a look at the changes I have staged on #191? If this is the above case I outlined, we can add some concurrency control to prevent concurrent logins from happening.
    
    > you can see that this class is not thread safe and not designed to have different users login in the same JVM as loginUser is defined in this way.
    
    Phoenix itself is not well-designed to support concurrent (different) users accessing HBase because of how UGI works. If your application (Storm) needs to provide this functionality, Storm should perform logins itself, cache the UGI instances, and use {{UGI.doAs(..)}} instead of relying on the static state in UGI.


---
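An added example, not part of the comment above and not Phoenix or Storm code, of the approach the comment recommends: the application logs in once per principal, caches the resulting UGI, and runs its HBase/Phoenix work under `doAs` instead of relying on the static login user. The class `UgiCache` and its methods `get` and `runAs` are hypothetical names; the cache is keyed by principal only (assumes one keytab per principal), and ticket renewal is not handled here.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper: one Kerberos login per principal, no reliance on UGI's static login user. */
public final class UgiCache {
  private final ConcurrentMap<String, UserGroupInformation> logins = new ConcurrentHashMap<>();

  public UgiCache(Configuration conf) {
    // conf is expected to set hadoop.security.authentication=kerberos.
    UserGroupInformation.setConfiguration(conf);
  }

  /** Logs in at most once per principal, even when many threads ask at the same time. */
  public UserGroupInformation get(String principal, String keytabPath) {
    // computeIfAbsent runs the login atomically per key, so concurrent
    // callers for the same principal wait for and share a single login.
    return logins.computeIfAbsent(principal, p -> {
      try {
        // Returns a separate UGI; unlike loginUserFromKeytab it does not
        // replace the JVM-wide login user.
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(p, keytabPath);
      } catch (IOException e) {
        throw new UncheckedIOException("Kerberos login failed for " + p, e);
      }
    });
  }

  /** Runs the given work with the cached credentials of the given principal. */
  public <T> T runAs(String principal, String keytabPath, PrivilegedExceptionAction<T> work)
      throws IOException, InterruptedException {
    return get(principal, keytabPath).doAs(work);
  }
}

// Usage sketch (constructed values): the JDBC URL carries no principal or keytab,
// because the login is done by the application, not by Phoenix.
//   UgiCache cache = new UgiCache(conf);
//   Connection c = cache.runAs("app@EXAMPLE.COM", "/path/to/app.keytab",
//       () -> java.sql.DriverManager.getConnection("jdbc:phoenix:zk-host:2181"));
```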
