[jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests

[Lev Bronshtein (JIRA)]

    [ 
https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341283#comment-16341283
 ] 

Lev Bronshtein commented on PHOENIX-4533:
-----------------------------------------

Looks like it works.  I first set the max lifetime for the principal in 
question to 5 minutes using kadmin

bq

kadmin.local:  modprinc -maxlife "5 minutes" 
phoenixqs/f-bcpc-vm1.bcpc.example.com

Principal "phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com" modified.


 kadmin.local:  getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com

Principal: phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com

Expiration date: [never]

Last password change: Fri Jan 19 20:22:31 UTC 2018

Password expiration date: [none]

Maximum ticket life: 0 days 00:05:00

Maximum renewable life: 7 days 00:00:00

Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/ad...@bcpc.example.com)

Last successful authentication: [never]

Last failed authentication: [never]

Failed password attempts: 0

Number of keys: 3

Key: vno 2, arcfour-hmac, no salt

Key: vno 2, des3-cbc-sha1, no salt

Key: vno 2, des-cbc-crc, no salt

MKey: vno 1

Attributes:

Policy: [none]



2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via 
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) 
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via 
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) 
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com 
(auth:KERBEROS) 
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedActionException 
as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) 
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by 
GSSException: No valid credentials provided (Mechanism level: Failed to find 
any Kerberos tgt)]
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com 
(auth:KERBEROS) 
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: 
Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: 
hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: 
Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: 
hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: 
hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: 
using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com, 
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com 
(auth:KERBEROS) 
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: 
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via 
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) 
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP 
> ecosystem to perform SPNEGO authentication.  Since there can only be one 
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing 
> key material for local HTTP/ principal is shared among a few applications.  
> With so many applications having access to the HTTP/ credentials, this 
> increases the chances of an attack on the proxy user capabilities of Hadoop.  
> This JIRA proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)