phoenix-dev mailing list archives

From "Lev Bronshtein (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
Date Fri, 26 Jan 2018 18:38:00 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341410#comment-16341410 ]

Lev Bronshtein commented on PHOENIX-4533:
-----------------------------------------

Also, here are my configuration changes:

h3. *BEFORE*
h4. *hbase-site.xml*

  <property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>HTTP/f-bcpc-vm2.bcpc.example.com@BCPC.EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>
  <property>
    <name>phoenix.queryserver.serialization</name>
    <value>JSON</value>
  </property>

  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.users</name>
    <value>*</value>
  </property>

h4. core-site.xml

  <property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.HTTP.users</name>
    <value>*</value>
  </property>

h3. *AFTER*
h4. *hbase-site.xml*

  <property>
    <name>phoenix.queryserver.kerberos.http.principal</name>
    <value>HTTP/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.http.keytab.file</name>
    <value>/etc/security/keytabs/spnego.service.keytab</value>
  </property>
  <property>
    <name>phoenix.queryserver.kerberos.principal</name>
    <value>phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM</value>
  </property>
  <property>
    <name>phoenix.queryserver.keytab.file</name>
    <value>/etc/security/keytabs/phoenixqs.service.keytab</value>
  </property>

h4. core-site.xml

  <property>
    <name>hadoop.proxyuser.phoenixqs.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.phoenixqs.users</name>
    <value>*</value>
  </property>

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to
> perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside
> of the Hadoop ecosystem, the keytab containing key material for the local HTTP/ principal is shared
> among a few applications.  With so many applications having access to the HTTP/ credentials,
> this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA
> proposes that two different keytabs be used to:
> 1. Authenticate kerberized web requests
> 2. Communicate with the Phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
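As an added example (not the ticket's or the Phoenix project's own code), a small Python audit that parses hbase-site.xml and core-site.xml and flags the BEFORE layout shown in the comment: the backend principal reusing the shared SPNEGO HTTP/ identity, a missing dedicated SPNEGO principal, and wildcard proxyuser grants. The property names are the ones from this ticket; the sample XML documents are constructed.

```python
import xml.etree.ElementTree as ET

# Property names from PHOENIX-4533; SPNEGO_PROP only exists in the AFTER layout.
SPNEGO_PROP = "phoenix.queryserver.kerberos.http.principal"
BACKEND_PROP = "phoenix.queryserver.kerberos.principal"

def parse_hadoop_conf(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def short_name(principal):
    """'phoenixqs/host@REALM' -> 'phoenixqs', the name proxyuser rules key on."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def audit_pqs(hbase_site_xml, core_site_xml):
    """Return findings on the identity PQS proxies with and how broad its grant is."""
    hbase = parse_hadoop_conf(hbase_site_xml)
    core = parse_hadoop_conf(core_site_xml)
    user = short_name(hbase.get(BACKEND_PROP, ""))
    findings = []
    if user == "HTTP":
        findings.append("backend principal reuses the shared SPNEGO HTTP/ identity")
    elif any(k.startswith("hadoop.proxyuser.HTTP.") for k in core):
        findings.append("stale hadoop.proxyuser.HTTP.* grant: shared keytab can still impersonate")
    if SPNEGO_PROP not in hbase:
        findings.append("no dedicated SPNEGO principal (%s) configured" % SPNEGO_PROP)
    for kind in ("hosts", "users"):
        key = "hadoop.proxyuser.%s.%s" % (user, kind)
        if key not in core:
            findings.append("%s missing: PQS cannot impersonate callers" % key)
        elif core[key] == "*":
            findings.append("%s is '*': restrict to the PQS host(s) / expected users" % key)
    return findings

# Constructed sample: the BEFORE layout from the ticket, trimmed to what the audit reads.
BEFORE_HBASE = """<configuration>
<property><name>phoenix.queryserver.kerberos.principal</name>
<value>HTTP/f-bcpc-vm2.bcpc.example.com@BCPC.EXAMPLE.COM</value></property>
</configuration>"""
BEFORE_CORE = """<configuration>
<property><name>hadoop.proxyuser.HTTP.hosts</name><value>*</value></property>
<property><name>hadoop.proxyuser.HTTP.users</name><value>*</value></property>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_pqs(BEFORE_HBASE, BEFORE_CORE)))
```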
