[jira] [Commented] (PHOENIX-3686) De-couple PQS's use of Kerberos to talk to HBase and client authentication

Tue, 21 Feb 2017 11:29:11 -0800 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-3686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876534#comment-15876534
 ] 

Josh Elser commented on PHOENIX-3686:
-------------------------------------

[~jamestaylor], [~ndimiduk], [~devaraj]: thought you folks might have an 
opinion on this one..

I think it's a good idea (especially given those on older versions of Phoenix 
who upgrade and then are "bitten" by the sudden presence of real 
authentication), but wanted to make sure that I have an ACK from someone else.

> De-couple PQS's use of Kerberos to talk to HBase and client authentication
> --------------------------------------------------------------------------
>
>                 Key: PHOENIX-3686
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3686
>             Project: Phoenix
>          Issue Type: New Feature
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.10.0
>
>         Attachments: PHOENIX-3686.001.patch
>
>
> Was trying to help a user that was using 
> https://bitbucket.org/lalinsky/python-phoenixdb to talk to PQS. After 
> upgrading Phoenix (to a version that actually included client 
> authentication), their application suddenly broke and they were upset.
> Because they were running Phoenix/HBase on a cluster with Kerberos 
> authentication enabled, they suddenly "inherited" this client authentication. 
> AFAIK, the python-phoenixdb project doesn't presently include the ability to 
> authenticate via SPNEGO. This means a Phoenix upgrade broke their app which 
> stinks.
> This happens because, presently, when sees that HBase is configured for 
> Kerberos auth (via hbase-site.xml), it assumes that clients should be 
> required to also authenticate via Kerberos to it. In certain circumstances, 
> users might not actually want to do this.
> It's a pretty trivial change I've hacked together which shows that this is 
> possible, and I think that, with adequate disclaimer/documentation about this 
> property, it's OK to do. As long as we are very clear about what exactly this 
> configuration property is doing (allowing *anyone* into your HBase instance 
> as the PQS Kerberos user), it will unblock these users while the various 
> client drivers build proper support for authentication.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to