[GitHub] phoenix issue #203: [PHOENIX-3216] Kerberos ticket is not renewed when using...

2016-08-30 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/203
  
Closing, this issue will be fixed by 
[#191](https://github.com/apache/phoenix/pull/191)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---


[GitHub] phoenix pull request #203: [PHOENIX-3216] Kerberos ticket is not renewed whe...

2016-08-30 Thread dbahir
Github user dbahir closed the pull request at:

https://github.com/apache/phoenix/pull/203




[GitHub] phoenix pull request #:

2016-08-30 Thread dbahir
Github user dbahir commented on the pull request:


https://github.com/apache/phoenix/commit/b5be8d85bfd05aeb3ea17b1c734eda06d914f516#commitcomment-18834022
  
My bad regarding the synchronization, you are correct.

Did you get to look at the comment regarding the user login ?

Can you allow another to login with a different principal? Would that cause 
a security issue?
If we create one driver(One) with user A and then create another 
driver(Two) with user B the info in the UGI now is that of user B. So there can 
be a situation where driver One will be using credentials of user B.




[GitHub] phoenix pull request #:

2016-08-30 Thread dbahir
Github user dbahir commented on the pull request:


https://github.com/apache/phoenix/commit/b5be8d85bfd05aeb3ea17b1c734eda06d914f516#commitcomment-18831582
  
UserGroupInformation.getCurrentUser() will not be thread safe, uploaded a 
patch of how to fix it.

[phoenix.txt](https://github.com/apache/phoenix/files/445294/phoenix.txt)





[GitHub] phoenix issue #191: PHOENIX-3189 Perform Kerberos login before ConnectionInf...

2016-08-29 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/191
  
This solution is not thread safe and will not allow to safely create 
multiple instances of a driver on different threads in the JVM. 

This area should be protected, 
https://github.com/joshelser/phoenix/blob/d17a8d855dc4a2c8cff578dd26e14c6c2c13cc3a/phoenix-core/src/main/java/org/apache/phoenix/jdbc/PhoenixEmbeddedDriver.java#L351.

With that said I am not sure that you can support multiple users and 
support renewals with the way the UGI works.

If in the same JVM a driver is instantiated for User A and then another 
driver is instantiated for User B the last call to loginUserFromKeytab will set 
the user information in the UGI.

loginUserFromKeytabAndReturnUGI can be used which will preserve the 
original user info in the UGI but I think will not work correctly with renewing.

Do we want the Phoenix driver to allow multiple instances instantiated with 
a different logged in user for each in the same JVM ?


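Added example, not part of the thread and not code from Phoenix or Hadoop: a toy model of the single JVM-wide login slot discussed in the comments above, showing driver One ending up with user B's identity, followed by one possible guard that performs a single login and rejects a different principal. `ToyUgi`, `Driver`, `LoginGuard` and the principals are constructed stand-ins; only the method name `loginUserFromKeytab` mirrors the real API.

```java
public class UgiLoginModel {
    /** Toy stand-in for the process-wide login state; NOT Hadoop's UserGroupInformation. */
    static final class ToyUgi {
        private static String loginUser;               // one slot per JVM, as described in the thread
        static synchronized void loginUserFromKeytab(String principal) {
            loginUser = principal;                     // last caller wins
        }
        static synchronized String getLoginUser() { return loginUser; }
        static synchronized void reset() { loginUser = null; }
    }

    /** Unguarded driver: logs in on construction, reads the shared slot on use. */
    static final class Driver {
        final String requested;
        Driver(String principal) { requested = principal; ToyUgi.loginUserFromKeytab(principal); }
        String effectivePrincipal() { return ToyUgi.getLoginUser(); }
    }

    /** Hypothetical guard: one login per JVM, same principal only. */
    static final class LoginGuard {
        private static final Object LOCK = new Object();
        static void loginOnce(String principal) {
            synchronized (LOCK) {
                String current = ToyUgi.getLoginUser();
                if (current == null) {
                    ToyUgi.loginUserFromKeytab(principal);   // first caller performs the only login
                } else if (!current.equals(principal)) {
                    throw new IllegalStateException(
                        "JVM already logged in as " + current + "; refusing " + principal);
                }                                            // same principal: no second login
            }
        }
    }

    public static void main(String[] args) {
        Driver one = new Driver("userA@EXAMPLE.COM");        // constructed principals
        Driver two = new Driver("userB@EXAMPLE.COM");        // overwrites the shared slot
        System.out.println("driver One requested " + one.requested
            + ", runs as " + one.effectivePrincipal());

        ToyUgi.reset();
        LoginGuard.loginOnce("userA@EXAMPLE.COM");
        LoginGuard.loginOnce("userA@EXAMPLE.COM");           // repeated login is skipped
        try {
            LoginGuard.loginOnce("userB@EXAMPLE.COM");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```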


[GitHub] phoenix issue #203: [PHOENIX-3216] Kerberos ticket is not renewed when using...

2016-08-29 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/203
  
HBase renew implementation is similar to the HDFS one.

https://github.com/apache/hbase/blob/master/hbase-client/src/main/java/org/apache/hadoop/hbase/ipc/RpcClientImpl.java#L658

Thanks for your comments, will look at your changes and see where these 
changes can fit in.






[GitHub] phoenix issue #203: [PHOENIX-3216] Kerberos ticket is not renewed when using...

2016-08-29 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/203
  
If you look at 
https://github.com/hanborq/hadoop/blob/master/src/core/org/apache/hadoop/security/UserGroupInformation.java
 you can see that this class is not thread safe and not designed to have 
different users login in the same JVM as loginUser is defined in this way.
 private static UserGroupInformation loginUser = null;




[GitHub] phoenix issue #203: [PHOENIX-3216] Kerberos ticket is not renewed when using...

2016-08-29 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/203
  
Regarding the renewal, I understand from, 
http://stackoverflow.com/questions/34616676/should-i-call-ugi-checktgtandreloginfromkeytab-before-every-action-on-hadoop,
 that the RPC layer takes care of that.

I am trying to fix the scenario in which multiple threads call 
loginUserFromKeytab concurrently and then the renewal process no longer works 
as expected. 

An example of that scenario is a storm topology that has multiple 
HBase/Phoenix/HDFS bolts in the same JVM. When the topology starts it will 
initialize all bolts which will execute a login from each one, when that 
happens the renewal no longer works. If only one login happens the renewal 
works properly.

Regarding Phoenix, we got into a similar situation with a 
multi-threaded application that caused loginUserFromKeytab to be called 
concurrently. The code change was made to protect that and works.

Your concern regarding security is correct.

I looked into PHOENIX-3189 which I was not aware of. The fix can be folded 
into it however we would need to handle synchronization of the 
loginUserFromKeytab if multiple instances of the driver are created.




[GitHub] phoenix issue #203: [PHOENIX-3216] Kerberos ticket is not renewed when using...

2016-08-29 Thread dbahir
Github user dbahir commented on the issue:

https://github.com/apache/phoenix/pull/203
  
This fix has been tested and it solves the issue, the same fix has been 
applied to the storm hdfs and hbase connectors. 
https://issues.apache.org/jira/browse/STORM-1521
https://issues.apache.org/jira/browse/STORM-1535


