You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@phoenix.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2017/05/26 16:27:04 UTC

[jira] [Created] (PHOENIX-3891) ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL

Josh Elser created PHOENIX-3891:
-----------------------------------

             Summary: ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL
                 Key: PHOENIX-3891
                 URL: https://issues.apache.org/jira/browse/PHOENIX-3891
             Project: Phoenix
          Issue Type: Bug
            Reporter: Josh Elser
            Assignee: Josh Elser
            Priority: Critical
             Fix For: 4.11.0


PHOENIX-3189 fixed some logic in construction of a {{ConnectionInfo}} to, when requested by the user, perform the Kerberos login and then construct and cache the ConnectionInfo->ConnectionQueryServices pair.

This approach only works when the principal that the user provides in the JDBC url is exactly what UGI returns as the short name. Logically equivalent principals will result in re-logging in each time and leaking ConnectionQueryService instances (and thus HConnection and ZooKeeper objects).

For example, with Kerberos principals there is a default realm which is implied by krb5.conf when not explicitly provided. Thus: {{elserj}} and {{elserj@APACHE}} would be considered logically equivalent (when the default realm is "APACHE"). We should expand the {{isSameName}} check in ConnectionInfo to be a bit smarter.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)