phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Mon, 29 Jan 2018 18:20:00 GMT


Josh Elser commented on PHOENIX-4533:

Thanks, Lev! This is exactly the kind of testing I was hoping to see. Just to be super-sure,
you could still send new queries to PQS and query the system after the re-login? (at 2018-01-26

Can you at least modify {{phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/}}
and {{phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/}}
to use the new approach (two keytabs), [~lbronshtein]? I can't think of any kind of non-contrived,
net-new test. After this change, I could see us recommending this as the standard set-up for
PQS on Kerberized systems.

Otherwise, we'll need to make sure the website gets updated with these changes (code is hosted
in a separate repo -- I can give you instructions on how to update that, or just push them
myself if you'd prefer). 

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>                 Key: PHOENIX-4533
>                 URL:
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
> perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
> of the Hadoop ecosystem, the keytab containing key material for the local HTTP/ principal is shared
> among a few applications.  With so many applications having access to the HTTP/ credentials,
> this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
> proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end

This message was sent by Atlassian JIRA
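Added illustration (not from the ticket, the patch, or the Phoenix project): what the two-keytab split described in the issue looks like in hbase-site.xml on the PQS host, with the shared-keytab layout shown first and the separated layout after it. The generic Phoenix and Hadoop property names (phoenix.queryserver.kerberos.principal, phoenix.queryserver.keytab.file, hadoop.proxyuser.<user>.hosts/groups) are the documented ones; the HTTP-specific names phoenix.queryserver.kerberos.http.principal and phoenix.queryserver.http.keytab.file are my recollection of what the patch adds and should be checked against the docs once they are published. Hostname, realm, keytab paths and the phoenixqs service name are constructed for the example.

```xml
<!-- hbase-site.xml on the PQS host. Two versions of the same file are shown;
     only one <configuration> root goes in the real file. -->

<!-- BEFORE: one keytab, the host's shared HTTP/ identity, used both for
     SPNEGO and for talking to HBase. Every service that can read
     spnego.service.keytab can authenticate as HTTP/pqs.example.com, and the
     proxyuser rule below then lets that identity impersonate anyone. -->
<configuration>
  <property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>   <!-- shared -->
  </property>
  <!-- "HTTP" is the short name of HTTP/pqs.example.com@EXAMPLE.COM -->
  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
  </property>
</configuration>

<!-- AFTER: keytab 1 authenticates kerberized web requests, keytab 2 is used
     for the back-end connection. Only keytab 2 carries impersonation rights. -->
<configuration>
  <!-- 1. SPNEGO. Still the host-wide HTTP/ keytab, shared with other web
          UIs on the box, but holding it now grants nothing beyond the
          ability to accept clients' service tickets.
          (property names assumed; see lead-in) -->
  <property>
    <name>phoenix.queryserver.kerberos.http.principal</name>
    <value>HTTP/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.http.keytab.file</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>

  <!-- 2. Back end. A PQS-only principal whose keytab is owned by the PQS
          service account and readable by nothing else (mode 0400). -->
  <property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>phoenixqs/_HOST@EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/phoenixqs.service.keytab</value>
  </property>

  <!-- Proxy-user rule keyed on the short name of the back-end principal and
       pinned to the PQS host. No hadoop.proxyuser.HTTP.* entries remain. -->
  <property>
    <name>hadoop.proxyuser.phoenixqs.hosts</name>
    <value>pqs.example.com</value>
  </property>
  <property>
    <name>hadoop.proxyuser.phoenixqs.groups</name>
    <value>*</value>
  </property>
</configuration>
```

Two checks worth doing after the change: `klist -kt` on each keytab to confirm the HTTP/ keytab contains only HTTP/ entries and the phoenixqs keytab only phoenixqs/ entries, and `ls -l` on both to confirm the second is readable solely by the PQS service account. Note that impersonation is authorized on the HBase server side, so the hadoop.proxyuser.phoenixqs.* entries must be present in the hbase-site.xml that the masters and region servers read, not only on the PQS host; removing the old hadoop.proxyuser.HTTP.* entries there is what actually revokes the shared identity's proxy rights.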
