phoenix-dev mailing list archives

From "Lev Bronshtein (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Fri, 26 Jan 2018 17:07:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341283#comment-16341283
] 

Lev Bronshtein edited comment on PHOENIX-4533 at 1/26/18 5:06 PM:
------------------------------------------------------------------

Looks like it works.  I first set the max lifetime for the principal in question to 5 minutes
using kadmin and verified it; see the text in bold below.

 
{quote}1. kadmin.local:  modprinc -maxlife "5 minutes" phoenixqs/f-bcpc-vm1.bcpc.example.com

Principal "phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM" modified.

 

2. kadmin.local:  getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com

Principal: phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM

Expiration date: [never]

Last password change: Fri Jan 19 20:22:31 UTC 2018

Password expiration date: [none]

*Maximum ticket life: 0 days 00:05:00*

Maximum renewable life: 7 days 00:00:00

Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/admin@BCPC.EXAMPLE.COM)

Last successful authentication: [never]

Last failed authentication: [never]

Failed password attempts: 0

Number of keys: 3

Key: vno 2, arcfour-hmac, no salt

Key: vno 2, des3-cbc-sha1, no salt

Key: vno 2, des-cbc-crc, no salt

MKey: vno 1

Attributes:

Policy: [none]
{quote}
I then attempted to access PQS a few times in the span of an hour; you can see here that PQS
realizes that its TGT has expired and needs renewal.  Following that, it performs a re-login
(see the text in red).

2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
{color:#FF0000}2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException:{color} {color:#FF0000}*GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]*{color}
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
{color:#FF0000}2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop logout{color}
{color:#FF0000}2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM{color}
{color:#FF0000}2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login{color}
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM, phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)


was (Author: lbronshtein):
Looks like it works.  I first set the max lifetime for the principal in question to 5 minutes
using kadmin.

{quote}
1. kadmin.local:  modprinc -maxlife "5 minutes" phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal "phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM" modified.

2. kadmin.local:  getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal: phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Jan 19 20:22:31 UTC 2018
Password expiration date: [none]
*Maximum ticket life: 0 days 00:05:00*
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/admin@BCPC.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
{quote}

I then attempted to access PQS a few times in the span of an hour; you can see here that PQS
realizes that its TGT has expired and needs renewal.

2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: *GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]*
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM, phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing key material for the local HTTP/ principal is shared among a few applications.  With so many applications having access to the HTTP/ credentials, this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
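As an added example (not code from the JIRA comment or from the Phoenix project), the following Python script parses Hadoop UserGroupInformation DEBUG records like the ones pasted in the comment and checks the two things this thread is about: that a "Failed to find any Kerberos tgt" failure is followed by a committed re-login (and how long recovery took), and which real principal appears as the "via" identity when a user request is proxied, so an operator can confirm it is the dedicated PQS principal rather than a shared HTTP/ SPNEGO principal. The sample log is constructed for this example, modelled on the comment's excerpt with the email line wrapping removed; the HTTP/ counter-example line is likewise constructed.

```python
"""Check UGI DEBUG logs for (1) TGT-failure -> re-login recovery and
(2) which service principal is used as the real identity of auth:PROXY actions.

SAMPLE_LOG and HTTP_PROXY_LINE are constructed inputs modelled on the
PHOENIX-4533 comment, one UGI record per line; they are not captured logs."""
import re
from datetime import datetime

SAMPLE_LOG = """\
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
"""

# Constructed counter-example: a proxied request whose real identity is the
# shared HTTP/ SPNEGO principal, the situation PHOENIX-4533 wants to avoid.
HTTP_PROXY_LINE = ("2018-01-26 12:00:00,000 DEBUG org.apache.hadoop.security.UserGroupInformation: "
                   "PrivilegedAction as:alice@EXAMPLE.COM (auth:PROXY) via HTTP/host.example.com@EXAMPLE.COM "
                   "(auth:KERBEROS) from:example.Caller.run(Caller.java:1)")

UGI = "org.apache.hadoop.security.UserGroupInformation: "
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) DEBUG " + re.escape(UGI) + r"(.*)$")
PROXY_RE = re.compile(r"^PrivilegedAction as:(\S+) \(auth:PROXY\) via (\S+) \(auth:(\w+)\)")


def parse_line(line):
    """Return (timestamp, message) for a UGI DEBUG record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), m.group(2)


def relogin_recovery_seconds(log_text):
    """For every 'Failed to find any Kerberos tgt' failure, look for a later
    'Initiating re-login' followed by 'hadoop login commit' and return the seconds
    from failure to committed re-login; a failure that never commits yields None."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    results = []
    for i, (ts, msg) in enumerate(records):
        if "Failed to find any Kerberos tgt" not in msg:
            continue
        relogin_seen, commit_ts = False, None
        for ts2, msg2 in records[i + 1:]:
            if msg2.startswith("Initiating re-login for"):
                relogin_seen = True
            elif relogin_seen and msg2 == "hadoop login commit":
                commit_ts = ts2
                break
        results.append(None if commit_ts is None else (commit_ts - ts).total_seconds())
    return results


def proxy_identities(log_text):
    """Return the set of (effective_user, real_principal) pairs seen in auth:PROXY
    actions: who was impersonated, and by which Kerberos service login."""
    pairs = set()
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        m = PROXY_RE.match(rec[1])
        if m and m.group(3) == "KERBEROS":
            pairs.add((m.group(1), m.group(2)))
    return pairs


def proxies_via_http_principal(log_text):
    """True if any proxied request ran under an HTTP/ (SPNEGO) real principal."""
    return any(real.startswith("HTTP/") for _, real in proxy_identities(log_text))


if __name__ == "__main__":
    print("recovery seconds per TGT failure:", relogin_recovery_seconds(SAMPLE_LOG))
    print("proxy identities:", proxy_identities(SAMPLE_LOG))
    print("proxies via HTTP/ principal:", proxies_via_http_principal(SAMPLE_LOG))
```

Run it against a PQS log captured at DEBUG level for `org.apache.hadoop.security.UserGroupInformation`; a `None` in the recovery list means a TGT failure was not followed by a committed re-login, and any `True` from the HTTP/ check means user requests are still being proxied through the shared SPNEGO identity.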
