phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Mon, 05 Feb 2018 23:31:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16353094#comment-16353094 ]

Josh Elser commented on PHOENIX-4533:
-------------------------------------

[~lbronshtein], are you sure the ITs are passing? Remember that Maven integration tests are
executed with the {{mvn verify}} lifecycle phase instead of the {{mvn package}} phase (which
is for unit tests).

I'm seeing the ITs failing with the following exception in the logs:

{noformat}
2018-02-05 18:21:48,053 DEBUG [pool-55-thread-1] server.QueryServer(236): Current user is phoenixqs/localhost@EXAMPLE.COM (auth:KERBEROS)
2018-02-05 18:21:48,054 FATAL [pool-55-thread-1] server.QueryServer(283): Unrecoverable service error. Shutting down.
java.lang.IllegalArgumentException: Could not find '@' symbol in 'HTTP/localhost' to parse the Kerberos realm from the principal
        at org.apache.calcite.avatica.server.HttpServer$Builder.withSpnego(HttpServer.java:489)
        at org.apache.phoenix.queryserver.server.QueryServer.run(QueryServer.java:261)
        at org.apache.phoenix.queryserver.server.QueryServer.run(QueryServer.java:377)
        at org.apache.phoenix.end2end.SecureQueryServerIT$2$1.run(SecureQueryServerIT.java:254)
        at org.apache.phoenix.end2end.SecureQueryServerIT$2$1.run(SecureQueryServerIT.java:252)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:360)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1734)
        at org.apache.phoenix.end2end.SecureQueryServerIT$2.run(SecureQueryServerIT.java:252)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
{noformat}

Similarly, the {{startQueryServer()}} method in {{SecureQueryServerIT}} isn't catching and
failing the test like it should, which is why the test hung instead of failing outright. LMK
if this isn't clear.

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
> perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
> of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared
> among a few applications.  With so many applications having access to the HTTP/ credentials,
> this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
> proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
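
The failure in the log above and the two-identity split the issue proposes can both be checked before the server starts; the following is an added example, not code from Phoenix, Avatica or this thread. The class, method and configuration key names are hypothetical, and the principals in `main` are constructed from the values in the log.

```java
import java.util.Objects;

/** Added illustration; all names here are hypothetical. Requires Java 16+ (records). */
public final class PrincipalCheck {

    /** A Kerberos principal of the form primary[/instance]@REALM. */
    record Principal(String primary, String instance, String realm) {}

    /** Parses a principal and rejects one without a realm, naming the setting at fault. */
    static Principal parse(String configKey, String value) {
        Objects.requireNonNull(value, configKey + " is not set");
        int at = value.lastIndexOf('@');
        if (at <= 0 || at == value.length() - 1) {
            throw new IllegalArgumentException(configKey + "='" + value
                + "' has no realm; expected primary/instance@REALM");
        }
        String name = value.substring(0, at);
        int slash = name.indexOf('/');
        String primary = slash < 0 ? name : name.substring(0, slash);
        String instance = slash < 0 ? null : name.substring(slash + 1);
        if (primary.isEmpty()) {
            throw new IllegalArgumentException(configKey + "='" + value + "' has an empty primary");
        }
        return new Principal(primary, instance, value.substring(at + 1));
    }

    /** Enforces the split from the issue: HTTP/ only for SPNEGO, never for the back end. */
    static void requireSeparateIdentities(Principal spnego, Principal service) {
        if (!"HTTP".equals(spnego.primary())) {
            throw new IllegalStateException("SPNEGO principal must be an HTTP/ principal");
        }
        if ("HTTP".equals(service.primary())) {
            throw new IllegalStateException("back-end principal must not be the shared HTTP/ principal");
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; "example.*" keys are placeholders, not real settings.
        Principal service = parse("example.service.principal", "phoenixqs/localhost@EXAMPLE.COM");
        Principal spnego = parse("example.spnego.principal", "HTTP/localhost@EXAMPLE.COM");
        requireSeparateIdentities(spnego, service);
        try {
            parse("example.spnego.principal", "HTTP/localhost"); // the value from the log
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at startup: " + e.getMessage());
        }
    }
}
```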
