Github user joshelser commented on the issue: https://github.com/apache/phoenix/pull/191 > Did you get to look at the comment regarding the user login ? Assuming you mean the below.. > With that said I am not sure that you can support multiple users and support renewals with the way the UGI works. > If in the same JVM a driver is instantiated for User A and then another driver is instantiated for User B the last call to loginUserFromKeytab will set the the user information in the UGI. Yes, the best way to approach this is that Phoenix's automatic Kerberos login should _only_ be used when there a single user accessing Phoenix at one time. I was thinking that Phoenix could likely use its own docs page on the interactions with Kerberos. That would be a good place to warn people and instruct them how they need to properly support multiple concurrent users on their own. > Can you allow another to login with a different principal? Would that cause a security issue? If we create one driver(One) with user A and then create another driver(Two) with user B the info in the UGI now is that of user B. So there can be a situation where driver One will be using credentials of user B. My thinking is this (but I should probably test it): says userA uses phoenix, then userB starts using Phoenix. This implies that userA would be logged out and I would hope that subsequent interactions with Phoenix by the "human" userA would fail because its credentials are no longer there (the RPCs themselves would fail). In other words, my thinking is that the RPC authentication would protect us in Phoenix from this being an issue.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---