Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/191#discussion_r76484922
--- Diff:
phoenix-core/src/main/java/org/apache/phoenix/jdbc/PhoenixEmbeddedDriver.java
---
@@ -333,6 +337,55 @@ public ConnectionInfo normalize(ReadOnlyProps props)
throws SQLException {
keytab =
props.get(QueryServices.HBASE_CLIENT_KEYTAB);
}
}
+ if (!isConnectionless()) {
+ boolean credsProvidedInUrl = null != principal && null !=
keytab;
+ boolean credsProvidedInProps =
info.containsKey(QueryServices.HBASE_CLIENT_PRINCIPAL) &&
info.containsKey(QueryServices.HBASE_CLIENT_KEYTAB);
+ if (credsProvidedInUrl || credsProvidedInProps) {
+ // PHOENIX-3189 Because ConnectionInfo is immutable,
we must make sure all parts of it are correct before
+ // construction; this also requires the Kerberos user
credentials object (since they are compared by reference
+ // and not by value. If the user provided a principal
and keytab via the JDBC url, we must make sure that the
+ // Kerberos login happens *before* we construct the
ConnectionInfo object. Otherwise, the use of ConnectionInfo
+ // to determine when ConnectionQueryServices impl's
should be reused will be broken.
+ Configuration config =
HBaseFactoryProvider.getConfigurationFactory().getConfiguration();
+ // Add QueryServices properties
+ for (Entry<String,String> entry : props) {
+ config.set(entry.getKey(), entry.getValue());
+ }
+ // Add any user-provided properties (via DriverManager)
+ if (info != null) {
+ for (Object key : info.keySet()) {
+ config.set((String) key,
info.getProperty((String) key));
+ }
+ }
+ // Set the principal and keytab if provided from the
URL (overriding those provided in Properties)
+ if (null != principal) {
+ config.set(QueryServices.HBASE_CLIENT_PRINCIPAL,
principal);
+ }
+ if (null != keytab) {
+ config.set(QueryServices.HBASE_CLIENT_KEYTAB,
keytab);
+ }
+ try {
+ // Check if we need to authenticate with kerberos
so that we cache the correct ConnectionInfo
+ UserGroupInformation currentUser =
UserGroupInformation.getCurrentUser();
+ if (!currentUser.hasKerberosCredentials() ||
!currentUser.getUserName().equals(principal)) {
--- End diff --
Yes, good catch. Can definitely do this only when necessary.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
