Josh Elser created PHOENIX-3232:
-----------------------------------
Summary: Automatic Kerberos login via JDBC url can result in
clients using other's credentials
Key: PHOENIX-3232
URL: https://issues.apache.org/jira/browse/PHOENIX-3232
Project: Phoenix
Issue Type: Bug
Reporter: Josh Elser
Assignee: Josh Elser
Priority: Critical
This is a recent topic of discussion that keeps coming up (PHOENIX-3189,
PHOENIX-3216, and PHOENIX-3126).
The root of the problem is two competing goals:
1. Try to re-use HBase Connections as much as possible
2. Change the "global" Kerberos user state (in UserGroupInformation)
One common manifestation of this problem is when multiple JDBC URLs are used
within a single JVM. Instances of PhoenixConnections are not tied to the user
that was logged in at construction of the instance, but to the global state
(shared across the entire JVM). Thus, a second PhoenixConnection constructed
with a different user causes the first PhoenixConnection to use the new user's
credentials (without any warning).
https://github.com/joshelser/phoenix-test/blob/master/src/main/java/com/github/joshelser/ConcurrentUse.java
is a concrete example of how this breaks down. The
[second use of the connection by "USER A"|https://github.com/joshelser/phoenix-test/blob/master/src/main/java/com/github/joshelser/ConcurrentUse.java#L82]
is actually done as the other user.
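
The failure mode described in this issue, as an added plain-Java model (not code from Phoenix, HBase, Hadoop or the linked phoenix-test repository). GLOBAL_LOGIN stands in for the JVM-wide login user held by UserGroupInformation; loginFromUrl, LeakyConnection, GuardedConnection and the principals are hypothetical names constructed for illustration, and the guard is one possible check, not the project's fix.

```java
import java.util.concurrent.atomic.AtomicReference;

public class SharedLoginDemo {
    // Stand-in for the JVM-wide login user (model only, no Hadoop classes involved).
    static final AtomicReference<String> GLOBAL_LOGIN = new AtomicReference<>();

    // Hypothetical helper: models the automatic Kerberos login triggered by a JDBC URL.
    static void loginFromUrl(String principal) { GLOBAL_LOGIN.set(principal); }

    // Models the reported behaviour: identity is resolved from global state at use time.
    static class LeakyConnection {
        LeakyConnection(String principal) { loginFromUrl(principal); }
        String runQuery() { return GLOBAL_LOGIN.get(); } // principal the query runs as
    }

    // Records the principal at construction and fails closed if the global state changed.
    static class GuardedConnection {
        private final String owner;
        GuardedConnection(String principal) { loginFromUrl(principal); owner = principal; }
        String runQuery() {
            String effective = GLOBAL_LOGIN.get();
            if (!owner.equals(effective)) {
                throw new SecurityException("connection opened as " + owner
                        + " but JVM login user is now " + effective);
            }
            return effective;
        }
    }

    public static void main(String[] args) {
        // Constructed principals, not taken from the issue.
        LeakyConnection a = new LeakyConnection("userA@EXAMPLE.COM");
        System.out.println("A, before B connects: runs as " + a.runQuery());
        new LeakyConnection("userB@EXAMPLE.COM"); // second URL replaces the global login
        System.out.println("A, after B connects:  runs as " + a.runQuery());

        GuardedConnection g = new GuardedConnection("userA@EXAMPLE.COM");
        new GuardedConnection("userB@EXAMPLE.COM");
        try {
            g.runQuery(); // mismatch between recorded owner and global login
        } catch (SecurityException e) {
            System.out.println("Guard tripped: " + e.getMessage());
        }
    }
}
```

The leaky variant changes identity with no error, which is the "without any warning" part of the report; the guarded variant turns the same condition into a visible failure.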