Date: Fri, 26 May 2017 19:18:04 +0000 (UTC)
From: "Josh Elser (JIRA)"
To: dev@phoenix.apache.org
Subject: [jira] [Updated] (PHOENIX-3891) ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL

[ https://issues.apache.org/jira/browse/PHOENIX-3891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated PHOENIX-3891:
--------------------------------
    Attachment: PHOENIX-3891.002.patch

.002 Missed removing an unnecessary import.

> ConnectionQueryServices leak on auto-Kerberos-login without REALM in URL
> ------------------------------------------------------------------------
>
>                 Key: PHOENIX-3891
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3891
>             Project: Phoenix
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Critical
>             Fix For: 4.11.0
>
>         Attachments: PHOENIX-3891.001.patch, PHOENIX-3891.002.patch
>
>
> PHOENIX-3189 fixed some logic in construction of a {{ConnectionInfo}} to, when requested by the user, perform the Kerberos login and then construct and cache the ConnectionInfo->ConnectionQueryServices pair.
> This approach only works when the principal that the user provides in the JDBC url is exactly what UGI returns as the short name. Logically equivalent principals will result in re-logging in each time and leaking ConnectionQueryService instances (and thus HConnection and ZooKeeper objects).
> For example, with Kerberos principals there is a default realm which is implied by krb5.conf when not explicitly provided. Thus: {{elserj}} and {{elserj@APACHE}} would be considered logically equivalent (when the default realm is "APACHE"). We should expand the {{isSameName}} check in ConnectionInfo to be a bit smarter.
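
The leak described in the issue, reduced to a self-contained model (an added example, not code from the Phoenix patch or from the message author). All class and method names are hypothetical; it assumes the default realm is a constant rather than read from krb5.conf, and that the login layer reports the realm-qualified name after login.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.BiPredicate;

// Added illustration: names are hypothetical and this is not Phoenix's ConnectionInfo code.
public class PrincipalCacheDemo {
    // Assumption: the default realm is a constant here; a real client derives it from krb5.conf.
    static final String DEFAULT_REALM = "APACHE";

    // Strict check: "elserj" and "elserj@APACHE" count as different principals.
    static boolean strictSameName(String loggedIn, String requested) {
        return loggedIn.equals(requested);
    }

    // Realm-aware check: a name without "@REALM" is qualified with the default realm first.
    static boolean realmAwareSameName(String loggedIn, String requested) {
        return qualify(loggedIn).equals(qualify(requested));
    }

    static String qualify(String principal) {
        return principal.contains("@") ? principal : principal + "@" + DEFAULT_REALM;
    }

    // Opens `connections` connections for one URL principal and returns how many
    // service objects end up cached. Each fresh login yields a new session object,
    // and the cache is keyed on that session, so every re-login is a cache miss.
    static int cachedServices(BiPredicate<String, String> sameName,
                              String urlPrincipal, int connections) {
        Map<Object, Object> cache = new HashMap<>();
        Object session = null;       // current login session (identity-compared key)
        String loggedInName = null;  // name the login layer reports after login
        for (int i = 0; i < connections; i++) {
            if (session == null || !sameName.test(loggedInName, urlPrincipal)) {
                session = new Object();                // simulated Kerberos login
                loggedInName = qualify(urlPrincipal);  // assumption: reported with realm
            }
            // Simulated ConnectionQueryServices, created only on a cache miss.
            cache.computeIfAbsent(session, k -> new Object());
        }
        return cache.size();
    }

    public static void main(String[] args) {
        System.out.println("strict:      "
            + cachedServices(PrincipalCacheDemo::strictSameName, "elserj", 100));
        System.out.println("realm-aware: "
            + cachedServices(PrincipalCacheDemo::realmAwareSameName, "elserj", 100));
    }
}
```

With the strict check the cache gains one entry per connection, because the URL principal never matches the reported name; with the realm-aware check it holds a single entry for the whole run.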