phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <>
Subject [jira] [Commented] (PHOENIX-3686) De-couple PQS's use of Kerberos to talk to HBase and client authentication
Date Wed, 01 Mar 2017 01:10:46 GMT


Hudson commented on PHOENIX-3686:

FAILURE: Integrated in Jenkins build Phoenix-master #1569 (See [])
PHOENIX-3686 Allow client-authentication to be disabled for PQS (elserj: rev 8e1d10b3f1e91d003f7dd554f8c261352cbd3b43)
* (edit) phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/
* (edit) phoenix-core/src/main/java/org/apache/phoenix/query/
* (edit) phoenix-core/src/main/java/org/apache/phoenix/query/
* (edit) phoenix-queryserver-client/src/main/java/org/apache/phoenix/queryserver/client/

> De-couple PQS's use of Kerberos to talk to HBase and client authentication
> --------------------------------------------------------------------------
>                 Key: PHOENIX-3686
>                 URL:
>             Project: Phoenix
>          Issue Type: New Feature
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.10.0
>         Attachments: PHOENIX-3686.001.patch
> Was trying to help a user that was using
to talk to PQS. After upgrading Phoenix (to a version that actually included client authentication),
their application suddenly broke and they were upset.
> Because they were running Phoenix/HBase on a cluster with Kerberos authentication enabled,
they suddenly "inherited" this client authentication. AFAIK, the python-phoenixdb project
doesn't presently include the ability to authenticate via SPNEGO. This means a Phoenix upgrade
broke their app which stinks.
> This happens because, presently, when sees that HBase is configured for Kerberos auth
(via hbase-site.xml), it assumes that clients should be required to also authenticate via
Kerberos to it. In certain circumstances, users might not actually want to do this.
> It's a pretty trivial change I've hacked together which shows that this is possible,
and I think that, with adequate disclaimer/documentation about this property, it's OK to do.
As long as we are very clear about what exactly this configuration property is doing (allowing
*anyone* into your HBase instance as the PQS Kerberos user), it will unblock these users while
the various client drivers build proper support for authentication.

This message was sent by Atlassian JIRA

View raw message