Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/191
  
    > Did you get to look at the comment regarding the user login ?
    
    Assuming you mean the below..
    
    > With that said I am not sure that you can support multiple users and support renewals with the way the UGI works.
    > If in the same JVM a driver is instantiated for User A and then another driver is instantiated for User B the last call to loginUserFromKeytab will set the user information in the UGI.
    
    Yes, the best way to approach this is that Phoenix's automatic Kerberos login should _only_ be used when there is a single user accessing Phoenix at one time. I was thinking that Phoenix could likely use its own docs page on the interactions with Kerberos. That would be a good place to warn people and instruct them how they need to properly support multiple concurrent users on their own.
    
    > Can you allow another to login with a different principal? Would that cause a security issue?
    If we create one driver(One) with user A and then create another driver(Two) with user B the info in the UGI now is that of user B. So there can be a situation where driver One will be using credentials of user B.
    
    My thinking is this (but I should probably test it): say userA uses Phoenix, then userB starts using Phoenix. This implies that userA would be logged out and I would hope that subsequent interactions with Phoenix by the "human" userA would fail because its credentials are no longer there (the RPCs themselves would fail). In other words, my thinking is that the RPC authentication would protect us in Phoenix from this being an issue.
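
An added example, not part of the original comment or of Phoenix's own code: one way an application can keep concurrent Kerberos users separate by using Hadoop's `loginUserFromKeytabAndReturnUGI` and `doAs` instead of `loginUserFromKeytab`. The class name, principals, keytab paths and JDBC URL are placeholders, and it assumes an `hbase-site.xml` with the cluster's Kerberos settings is on the classpath and that no principal or keytab is passed in the JDBC URL.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

public class PerUserPhoenixAccess {
    // Placeholder values (assumptions): replace with the real quorum and query.
    static final String JDBC_URL = "jdbc:phoenix:zk.example.com:2181:/hbase";
    static final String QUERY = "SELECT COUNT(*) FROM SYSTEM.CATALOG";

    /** Logs in from a keytab and returns a handle, without replacing the JVM-wide login user. */
    static UserGroupInformation login(String principal, String keytab) throws Exception {
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    /** Opens the connection and runs the query entirely under the given user's UGI. */
    static long countRows(UserGroupInformation ugi) throws Exception {
        return ugi.doAs((PrivilegedExceptionAction<Long>) () -> {
            // Renew this user's TGT from its keytab if it is close to expiry;
            // the other user's credentials are not involved.
            ugi.checkTGTAndReloginFromKeytab();
            try (Connection conn = DriverManager.getConnection(JDBC_URL);
                 Statement stmt = conn.createStatement();
                 ResultSet rs = stmt.executeQuery(QUERY)) {
                rs.next();
                return rs.getLong(1);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Placeholder principals and keytab paths (assumptions).
        UserGroupInformation userA = login("userA@EXAMPLE.COM", "/etc/security/keytabs/userA.keytab");
        UserGroupInformation userB = login("userB@EXAMPLE.COM", "/etc/security/keytabs/userB.keytab");

        // Each call names the identity it runs as, so the order of logins does not matter.
        System.out.println(userA.getUserName() + ": " + countRows(userA));
        System.out.println(userB.getUserName() + ": " + countRows(userB));
    }
}
```

Whether the driver keeps the two users' underlying HBase connections separate should be verified against the Phoenix version in use, for example by checking the authenticated principal in the server-side RPC audit logs for each call.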

