phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Wed, 31 Jan 2018 14:47:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346936#comment-16346936
] 

Josh Elser commented on PHOENIX-4533:
-------------------------------------

bq. Actually I think I already figured it out (though not clear how this affects other components).
 It looks like the login is done eternally.  Just need to make sure the avatica server will
still do SPNEGO auth

Yup, you got it. That was meant to disable Avatica from trying to login while when we already
did the login in the test setup.

As long as you have {{kerberos}} set as the value for {{QueryServices.QUERY_SERVER_HBASE_SECURITY_CONF_ATTRIB}},
PQS should end up calling {{withSpnegoAuth(..)}} which is what forces the SPNEGO authentication
to happen.

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared
among a few applications.  With so many applications having access to the HTTP/ credentials,
this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message