[
https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341283#comment-16341283
]
Lev Bronshtein edited comment on PHOENIX-4533 at 1/26/18 5:04 PM:
------------------------------------------------------------------
Looks like it works. I first set the max lifetime for the principal in
question to 5 minutes using kadmin
{quote}1. kadmin.local: modprinc -maxlife "5 minutes"
phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal "phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com" modified.
2. kadmin.local: getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal: phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
Expiration date: [never]
Last password change: Fri Jan 19 20:22:31 UTC 2018
Password expiration date: [none]
*Maximum ticket life: 0 days 00:05:00*
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/ad...@bcpc.example.com)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
{quote}
And attempted to access PQS a few times in the span of an hour, you can see
here that PQS will realize that its TGT has expired and needs renewal
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedActionException
as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
cause:javax.security.sasl.SaslException: *GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]*
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation:
Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation:
Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation:
using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com,
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
was (Author: lbronshtein):
Looks like it works. I first set the max lifetime for the principal in
question to 5 minutes using kadmin
kadmin.local: modprinc -maxlife "5 minutes"
phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal "phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com" modified.
kadmin.local: getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal: phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
Expiration date: [never]
Last password change: Fri Jan 19 20:22:31 UTC 2018
Password expiration date: [none]
*Maximum ticket life: 0 days 00:05:00*
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/ad...@bcpc.example.com)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedActionException
as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation:
Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation:
Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation:
hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation:
using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com,
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com
(auth:KERBEROS)
from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation:
PrivilegedAction as:ubu...@bcpc.example.com (auth:PROXY) via
phoenixqs/f-bcpc-vm1.bcpc.example....@bcpc.example.com (auth:KERBEROS)
from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
> Key: PHOENIX-4533
> URL: https://issues.apache.org/jira/browse/PHOENIX-4533
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Lev Bronshtein
> Assignee: Lev Bronshtein
> Priority: Minor
> Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP
> ecosystem to perform SPNEGO authentication. Since there can only be one
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing
> key material for local HTTP/ principal is shared among a few applications.
> With so many applications having access to the HTTP/ credentials, this
> increases the chances of an attack on the proxy user capabilities of Hadoop.
> This JIRA proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
