[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341283#comment-16341283 ]
Lev Bronshtein edited comment on PHOENIX-4533 at 1/26/18 5:02 PM:
------------------------------------------------------------------

Looks like it works. I first set the max lifetime for the principal in question to 5 minutes using kadmin:

    kadmin.local: modprinc -maxlife "5 minutes" phoenixqs/f-bcpc-vm1.bcpc.example.com
    Principal "phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com" modified.
    kadmin.local: getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com
    Principal: phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
    Expiration date: [never]
    Last password change: Fri Jan 19 20:22:31 UTC 2018
    Password expiration date: [none]
    *Maximum ticket life: 0 days 00:05:00*
    Maximum renewable life: 7 days 00:00:00
    Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/ad...@bcpc.example.com)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 3
    Key: vno 2, arcfour-hmac, no salt
    Key: vno 2, des3-cbc-sha1, no salt
    Key: vno 2, des-cbc-crc, no salt
    MKey: vno 1
    Attributes:
    Policy: [none]

    2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
    2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
    2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
    2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
    2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
    2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop logout
    2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
    2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
    2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
    2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com, phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com]
    2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
    2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the Hadoop
> ecosystem to perform SPNEGO authentication. Since there can only be one
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing
> key material for the local HTTP/ principal is shared among a few applications.
> With so many applications having access to the HTTP/ credentials, this
> increases the chances of an attack on the proxy user capabilities of Hadoop.
> This JIRA proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the Phoenix back end

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
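The DEBUG trace in the comment above shows three things worth checking in any Query Server log: which real principal fronts the proxied (auth:PROXY) doAs requests, the "Failed to find any Kerberos tgt" failure once the 5-minute ticket expired, and UGI's re-login that recovers from it. The following is an added example, not part of the JIRA issue or of Phoenix's own code: a small checker that parses such UserGroupInformation lines, flags an HTTP/ (SPNEGO) principal being used as the proxy identity, which is exactly what this issue wants to separate out, and confirms that a TGT failure was followed by a re-login and a new proxied action. The sample trace is constructed with made-up principals and hostnames.

```python
import re
# Patterns for the two UserGroupInformation DEBUG line shapes seen in the trace.
ACTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) DEBUG "
    r"org\.apache\.hadoop\.security\.UserGroupInformation: "
    r"(?P<event>PrivilegedAction(?:Exception)?) as:(?P<user>\S+) \(auth:(?P<auth>\w+)\)"
    r"(?: via (?P<via>\S+) \(auth:(?P<via_auth>\w+)\))?"
    r"(?: from:(?P<source>\S+))?(?: cause:(?P<cause>.*))?$"
)
RELOGIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG org\.apache\.hadoop\.security\.UserGroupInformation: "
    r"Initiating (?P<event>re-login|logout) for (?P<user>\S+)$"
)

def parse_ugi_line(line):
    """Return the fields of a recognised UGI DEBUG line, or None for anything else."""
    m = ACTION_RE.match(line) or RELOGIN_RE.match(line)
    return m.groupdict() if m else None

def audit_proxy_trace(lines):
    """Summarise proxy identities, HTTP/ misuse, TGT failures and re-login recovery."""
    report = {"proxy_via": set(), "spnego_via": set(), "tgt_failures": 0,
              "relogins": 0, "recovered": False}
    relogged = False
    for raw in lines:
        rec = parse_ugi_line(raw.strip())
        if rec is None:
            continue
        if rec["event"] == "PrivilegedAction" and rec.get("auth") == "PROXY":
            via = rec.get("via") or ""
            report["proxy_via"].add(via)
            if via.startswith("HTTP/"):  # SPNEGO principal used as the proxy identity
                report["spnego_via"].add(via)
            report["recovered"] = report["recovered"] or relogged  # proxied action after re-login
        elif rec["event"] == "PrivilegedActionException" and "Kerberos tgt" in (rec.get("cause") or ""):
            report["tgt_failures"] += 1
        elif rec["event"] == "re-login":
            report["relogins"] += 1
            relogged = True
    return report

# Constructed sample trace modelled on the DEBUG lines above; principals and hosts are made up.
SAMPLE_TRACE = """\
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:alice@EXAMPLE.COM (auth:PROXY) via phoenixqs/pqs1.example.com@EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/pqs1.example.com@EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/pqs1.example.com@EXAMPLE.COM
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:alice@EXAMPLE.COM (auth:PROXY) via phoenixqs/pqs1.example.com@EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 12:03:10,101 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:bob@EXAMPLE.COM (auth:PROXY) via HTTP/pqs1.example.com@EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
"""
```

A non-empty `spnego_via` means the Query Server is fronting doAs requests with the shared HTTP/ keytab rather than its own service principal; `recovered` being False after a TGT failure means the re-login did not restore service.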