[jira] [Commented] (PHOENIX-3189) HBase/ZooKeeper connection leaks when providing principal/keytab in JDBC url

Wed, 31 Aug 2016 12:48:51 -0700 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15453179#comment-15453179
 ] 

ASF GitHub Bot commented on PHOENIX-3189:
-----------------------------------------

Github user joshelser commented on the issue:

    https://github.com/apache/phoenix/pull/191
  
    > My thinking is this (but I should probably test it): says userA uses 
phoenix, then userB starts using Phoenix. This implies that userA would be 
logged out and I would hope that subsequent interactions with Phoenix by the 
"human" userA would fail because its credentials are no longer there (the RPCs 
themselves would fail). In other words, my thinking is that the RPC 
authentication would protect us in Phoenix from this being an issue.
    
    No dice. This is still a hole (although not a new hole as I understand it). 
Will track this separately.


> HBase/ZooKeeper connection leaks when providing principal/keytab in JDBC url
> ----------------------------------------------------------------------------
>
>                 Key: PHOENIX-3189
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3189
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.8.0
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 4.9.0, 4.8.1
>
>
> We've been doing some more testing after PHOENIX-3126 and, with the help of 
> [~arpitgupta] and [~harsha_ch], we've found an issue in a test between Storm 
> and Phoenix.
> Storm was configured to create a JDBC Bolt, specifying the principal and 
> keytab in the JDBC URL, relying on PhoenixDriver to do the Kerberos login for 
> them. After PHOENIX-3126, a ZK server blacklisted the host running the bolt, 
> and we observed that there were over 140 active ZK threads in the JVM.
> This results in a subtle change where every time the client tries to get a 
> new Connection, we end up getting a new UGI instance (because the 
> {{ConnectionQueryServicesImpl#openConnection()}} always does a new login).
> If users are correctly caching Connections, there isn't an issue (best as I 
> can presently tell). However, if users rely on the getting the same 
> connection every time (the pre-PHOENIX-3126), they will saturate their local 
> JVM with connections and crash.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to