phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lev Bronshtein (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Wed, 31 Jan 2018 13:52:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346859#comment-16346859
] 

Lev Bronshtein commented on PHOENIX-4533:
-----------------------------------------

Actually I think I already figured it out (though not clear how this affects other components). 
It looks like the login is done eternally.  Just need to make sure the avatica server will
still do SPNEGO auth

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared
among a few applications.  With so many applications having access to the HTTP/ credentials,
this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message