[ 
https://issues.apache.org/jira/browse/PHOENIX-3216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15446423#comment-15446423
 ] 

ASF GitHub Bot commented on PHOENIX-3216:
-----------------------------------------

Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/203
  
    Ignoring the aforementioned issue, I don't think this change is correctly 
handling multiple users.
    
    It would be re-introducing the bug that was talked about in PHOENIX-3126. 
If there was a user that was already logged in and then a different URL was 
provided with different credentials, the old user's credentials would be used 
instead of the new user's credentials. This would be a security vulnerability.


> Kerberos ticket is not renewed when using Kerberos authentication with 
> Phoenix JDBC driver
> ------------------------------------------------------------------------------------------
>
>                 Key: PHOENIX-3216
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3216
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.5.0, 4.5.1, 4.6.0, 4.5.2, 4.8.0
>         Environment: Kerberized
>            Reporter: Dan Bahir
>            Assignee: Dan Bahir
>             Fix For: 4.9.0, 4.8.1
>
>
> When using Phoenix jdbc driver in a Kerberized environment and logging in 
> with a keytab is not automatically renewed.
> Expected:The ticket will be automatically renewed and the Phoenix driver will 
> be able to write to the database.
> Actual: The ticket is not renewed and driver loses access to the database.
> 2016-08-15 00:00:59.738 WARN  AbstractRpcClient 
> [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - Exception 
> encountered 
> while connecting to the server : javax.security.sasl.Sa
> slException: GSS initiate failed [Caused by GSSException: No valid 
> credentials 
> provided (Mechanism level: Failed to find any Kerberos tgt)]
> 2016-08-15 00:00:59.739 ERROR AbstractRpcClient 
> [hconnection-0x4763c727-metaLookup-shared--pool1-t686] - SASL authentication 
> failed. The most likely cause is missing or invalid crede
> ntials. Consider 'kinit'.
> javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: 
> No valid credentials provided (Mechanism level: Failed to find any Kerberos 
> tgt)]
>         at 
> com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java
> :211)
>         at 
> org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClie
> nt.java:179)
>         at 
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClie
> ntImpl.java:611)
>         at 
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.ja
> va:156)
>         at 
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:73
> 7)
>         at 
> org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:73
> 4)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.ja



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to