[jira] [Commented] (PHOENIX-3686) De-couple PQS's use of Kerberos to talk to HBase and client authentication

Tue, 28 Feb 2017 09:12:59 -0800 

    [ 
https://issues.apache.org/jira/browse/PHOENIX-3686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888469#comment-15888469
 ] 

Josh Elser commented on PHOENIX-3686:
-------------------------------------

bq. Actually, I should add a unit test for this one too. Should be able to get 
something given what I already have in place..

Getting the wires crossed. I have test infra up in Avatica, but not down here 
in Phoenix. I'll leave a note for myself to write a test for this scenario 
upstream.

Ping [~jamestaylor] if you have a moment to review.

> De-couple PQS's use of Kerberos to talk to HBase and client authentication
> --------------------------------------------------------------------------
>
>                 Key: PHOENIX-3686
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3686
>             Project: Phoenix
>          Issue Type: New Feature
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.10.0
>
>         Attachments: PHOENIX-3686.001.patch
>
>
> Was trying to help a user that was using 
> https://bitbucket.org/lalinsky/python-phoenixdb to talk to PQS. After 
> upgrading Phoenix (to a version that actually included client 
> authentication), their application suddenly broke and they were upset.
> Because they were running Phoenix/HBase on a cluster with Kerberos 
> authentication enabled, they suddenly "inherited" this client authentication. 
> AFAIK, the python-phoenixdb project doesn't presently include the ability to 
> authenticate via SPNEGO. This means a Phoenix upgrade broke their app which 
> stinks.
> This happens because, presently, when sees that HBase is configured for 
> Kerberos auth (via hbase-site.xml), it assumes that clients should be 
> required to also authenticate via Kerberos to it. In certain circumstances, 
> users might not actually want to do this.
> It's a pretty trivial change I've hacked together which shows that this is 
> possible, and I think that, with adequate disclaimer/documentation about this 
> property, it's OK to do. As long as we are very clear about what exactly this 
> configuration property is doing (allowing *anyone* into your HBase instance 
> as the PQS Kerberos user), it will unblock these users while the various 
> client drivers build proper support for authentication.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to