[ 
https://issues.apache.org/jira/browse/PHOENIX-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15451082#comment-15451082
 ] 

ASF GitHub Bot commented on PHOENIX-3189:
-----------------------------------------

Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/191
  
    > Thanks for pursuing this tricky issue, @joshelser. I think what you have 
here is definitely an improvement and should be pulled in for 4.8.1
    
    Thanks as always for your careful eye.
    
    > but I do think we should look at doing a value-based equality check for 
User instead. There's a fair amount of overhead in what you're doing and 
Phoenix does not do connection pooling but relies on being able to 
quickly/cheaply get a connection. Would you have some cycles to investigate 
that a bit first?
    
    To my point in the last comment, I believe it's become apparent that people 
are misusing this functionality. So, I believe there is some education that 
needs to happen about how clients of Phoenix who need to support multiple 
Kerberos users concurrently should interact with the system. I think this 
documentation is point 1. It flat-out shouldn't be used to concurrently support 
multiple Kerberos users -- developers must write their own code to do this 
correctly. It's difficult to handle this for them because of the required 
doAs() call. Can investigate this further too, maybe I'm overlooking something 
obvious.
    
    I do need to make good on my promise to dig through Hadoop/UGI git-log and 
try to piece together why exactly UGI isn't doing value-based checks already. 
This is point 2.
    
    I'd like to move ahead and push then (rather then let it rot on the vine), 
but will try to address both of these points this week if that's OK with you.


> HBase/ZooKeeper connection leaks when providing principal/keytab in JDBC url
> ----------------------------------------------------------------------------
>
>                 Key: PHOENIX-3189
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3189
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.8.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 4.9.0, 4.8.1
>
>
> We've been doing some more testing after PHOENIX-3126 and, with the help of 
> [~arpitgupta] and [~harsha_ch], we've found an issue in a test between Storm 
> and Phoenix.
> Storm was configured to create a JDBC Bolt, specifying the principal and 
> keytab in the JDBC URL, relying on PhoenixDriver to do the Kerberos login for 
> them. After PHOENIX-3126, a ZK server blacklisted the host running the bolt, 
> and we observed that there were over 140 active ZK threads in the JVM.
> This results in a subtle change where every time the client tries to get a 
> new Connection, we end up getting a new UGI instance (because the 
> {{ConnectionQueryServicesImpl#openConnection()}} always does a new login).
> If users are correctly caching Connections, there isn't an issue (best as I 
> can presently tell). However, if users rely on the getting the same 
> connection every time (the pre-PHOENIX-3126), they will saturate their local 
> JVM with connections and crash.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to