[ https://issues.apache.org/jira/browse/PHOENIX-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15437844#comment-15437844 ]
ASF GitHub Bot commented on PHOENIX-3189: ----------------------------------------- Github user JamesRTaylor commented on a diff in the pull request: https://github.com/apache/phoenix/pull/191#discussion_r76336767 --- Diff: phoenix-core/src/main/java/org/apache/phoenix/jdbc/PhoenixEmbeddedDriver.java --- @@ -333,6 +337,55 @@ public ConnectionInfo normalize(ReadOnlyProps props) throws SQLException { keytab = props.get(QueryServices.HBASE_CLIENT_KEYTAB); } } + if (!isConnectionless()) { + boolean credsProvidedInUrl = null != principal && null != keytab; + boolean credsProvidedInProps = info.containsKey(QueryServices.HBASE_CLIENT_PRINCIPAL) && info.containsKey(QueryServices.HBASE_CLIENT_KEYTAB); + if (credsProvidedInUrl || credsProvidedInProps) { + // PHOENIX-3189 Because ConnectionInfo is immutable, we must make sure all parts of it are correct before + // construction; this also requires the Kerberos user credentials object (since they are compared by reference + // and not by value. If the user provided a principal and keytab via the JDBC url, we must make sure that the + // Kerberos login happens *before* we construct the ConnectionInfo object. Otherwise, the use of ConnectionInfo + // to determine when ConnectionQueryServices impl's should be reused will be broken. + Configuration config = HBaseFactoryProvider.getConfigurationFactory().getConfiguration(); + // Add QueryServices properties + for (Entry<String,String> entry : props) { + config.set(entry.getKey(), entry.getValue()); + } + // Add any user-provided properties (via DriverManager) + if (info != null) { + for (Object key : info.keySet()) { + config.set((String) key, info.getProperty((String) key)); + } + } + // Set the principal and keytab if provided from the URL (overriding those provided in Properties) + if (null != principal) { + config.set(QueryServices.HBASE_CLIENT_PRINCIPAL, principal); + } + if (null != keytab) { + config.set(QueryServices.HBASE_CLIENT_KEYTAB, keytab); + } + try { + // Check if we need to authenticate with kerberos so that we cache the correct ConnectionInfo + UserGroupInformation currentUser = UserGroupInformation.getCurrentUser(); + if (!currentUser.hasKerberosCredentials() || !currentUser.getUserName().equals(principal)) { --- End diff -- Looks like we only use config inside of this block. Can we create it here only instead? > HBase/ZooKeeper connection leaks when providing principal/keytab in JDBC url > ---------------------------------------------------------------------------- > > Key: PHOENIX-3189 > URL: https://issues.apache.org/jira/browse/PHOENIX-3189 > Project: Phoenix > Issue Type: Bug > Affects Versions: 4.8.0 > Reporter: Josh Elser > Assignee: Josh Elser > Priority: Blocker > Fix For: 4.9.0, 4.8.1 > > > We've been doing some more testing after PHOENIX-3126 and, with the help of > [~arpitgupta] and [~harsha_ch], we've found an issue in a test between Storm > and Phoenix. > Storm was configured to create a JDBC Bolt, specifying the principal and > keytab in the JDBC URL, relying on PhoenixDriver to do the Kerberos login for > them. After PHOENIX-3126, a ZK server blacklisted the host running the bolt, > and we observed that there were over 140 active ZK threads in the JVM. > This results in a subtle change where every time the client tries to get a > new Connection, we end up getting a new UGI instance (because the > {{ConnectionQueryServicesImpl#openConnection()}} always does a new login). > If users are correctly caching Connections, there isn't an issue (best as I > can presently tell). However, if users rely on the getting the same > connection every time (the pre-PHOENIX-3126), they will saturate their local > JVM with connections and crash. -- This message was sent by Atlassian JIRA (v6.3.4#6332)