phoenix-dev mailing list archives

From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Mon, 05 Feb 2018 23:31:00 GMT


Josh Elser commented on PHOENIX-4533:

[~lbronshtein], are you sure the ITs are passing? Remember that Maven integration tests are
executed with the {{mvn verify}} lifecycle phase instead of the {{mvn package}} phase (which
is for unit tests).

I'm seeing the ITs failing with the following exception in the logs:

2018-02-05 18:21:48,053 DEBUG [pool-55-thread-1] server.QueryServer(236): Current user is
phoenixqs/localhost@EXAMPLE.COM (auth:KERBEROS)
2018-02-05 18:21:48,054 FATAL [pool-55-thread-1] server.QueryServer(283): Unrecoverable service
error. Shutting down.
java.lang.IllegalArgumentException: Could not find '@' symbol in 'HTTP/localhost' to parse
the Kerberos realm from the principal
        at org.apache.calcite.avatica.server.HttpServer$Builder.withSpnego(
        at org.apache.phoenix.end2end.SecureQueryServerIT$2$
        at org.apache.phoenix.end2end.SecureQueryServerIT$2$
        at Method)
        at org.apache.phoenix.end2end.SecureQueryServerIT$
        at java.util.concurrent.Executors$
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$

Similarly, the {{startQueryServer()}} method in {{SecureQueryServerIT}} isn't catching and
failing the test like it should, which is why the test hung instead of failing outright. LMK
if this isn't clear.

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>                 Key: PHOENIX-4533
>                 URL:
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
> perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
> of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared
> among a few applications.  With so many applications having access to the HTTP/ credentials,
> this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
> proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end

This message was sent by Atlassian JIRA
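
The failure mode described in the comment above (a realm-less principal throws on the server's startup thread, and the test hangs because nothing propagates that exception), shown as an added Java example that is not part of the original message and is not Phoenix or Avatica code. All class and method names are hypothetical, and the full principal is a constructed sample; the harness polls the startup task's Future so a startup error surfaces immediately.

```java
import java.util.concurrent.*;
// Added illustration: all names here are hypothetical, not Phoenix or Avatica code.
public class StartupFailureDemo {
    // Realm of a Kerberos principal; rejects names with no '@realm' suffix.
    static String realmOf(String principal) {
        int at = principal.lastIndexOf('@');
        if (at < 0 || at == principal.length() - 1) {
            throw new IllegalArgumentException("No realm in '" + principal + "'");
        }
        return principal.substring(at + 1);
    }
    // Stand-in for server startup: validate the principal, then signal readiness.
    static Callable<Void> startServer(String principal, CountDownLatch ready) {
        return () -> {
            realmOf(principal); // throws before the server would ever listen
            ready.countDown();
            return null;
        };
    }
    // Wait for readiness, but fail fast if the startup task has already died.
    static void awaitStartup(Future<Void> server, CountDownLatch ready, long timeoutMs)
            throws Exception {
        long deadline = System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(timeoutMs);
        while (!ready.await(50, TimeUnit.MILLISECONDS)) {
            if (server.isDone()) {
                server.get(); // rethrows the startup error as ExecutionException
            }
            if (System.nanoTime() - deadline > 0) {
                throw new TimeoutException("no startup within " + timeoutMs + " ms");
            }
        }
    }
    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        // Constructed inputs: a full principal, and the realm-less one from the log.
        for (String p : new String[] {"HTTP/localhost@EXAMPLE.COM", "HTTP/localhost"}) {
            CountDownLatch ready = new CountDownLatch(1);
            Future<Void> server = pool.submit(startServer(p, ready));
            try {
                awaitStartup(server, ready, 2000);
                System.out.println(p + " -> started");
            } catch (ExecutionException e) {
                System.out.println(p + " -> failed: " + e.getCause().getMessage());
            }
        }
        pool.shutdown();
    }
}
```

In a test, the `ExecutionException` would be left uncaught (or turned into an assertion failure) so the run fails outright instead of waiting on a server that never started.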
