You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2021/04/27 08:22:33 UTC
[GitHub] [spark] gaborgsomogyi commented on pull request #32344: [SPARK-35226][SQL] Support refreshKrb5Config option in JDBC datasources
gaborgsomogyi commented on pull request #32344:
URL: https://github.com/apache/spark/pull/32344#issuecomment-827417095
@HyukjinKwon thanks for pinging me.
I've had a look at the change and I think it looks good but can introduce a race. Let me share the use-case:
* User sets `refreshKrb5Config` flag with `Security context 1`
* User uses a JDBC connection provider
* User modifies `krb5.conf` but JVM not yet realized that it must be reloaded
* Spark authenticates [here](https://github.com/apache/spark/blob/55dea2d937a375d9929937ee66aa9bfed158b883/sql/core/src/main/scala/org/apache/spark/sql/execution/datasources/jdbc/connection/ConnectionProvider.scala#L68) successfully
* JVM loads the `Security context 2` from the modified `krb5.conf`
* Spark restores the previously saved `Security context 1` [here](https://github.com/apache/spark/blob/55dea2d937a375d9929937ee66aa9bfed158b883/sql/core/src/main/scala/org/apache/spark/sql/execution/datasources/jdbc/connection/ConnectionProvider.scala#L71)
* The modified `krb5.conf` content just gone
This is just one example, the second one is when config update happens between security context modification and authentication. Such case JDBC authentication will fail temporarily.
I'm not against to add this but I think it's a must to mention somewhere that setting this flag can cause severe issues on running workloads. Seems like the doc change is missing, right?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org