[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16343764#comment-16343764 ]
Josh Elser commented on PHOENIX-4533:
-------------------------------------

Thanks, Lev! This is exactly the kind of testing I was hoping to see. Just to be super-sure, you could still send new queries to PQS and query the system after the re-login? (at 2018-01-26 11:58:58,399)

Can you at least modify {{phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/SecureQueryServerIT.java}} and {{phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/HttpParamImpersonationQueryServerIT.java}} to use the new approach (two keytabs), [~lbronshtein]? I can't think of any kind of non-contrived, net-new test.

After this change, I could see us recommending this as the standard set-up for PQS on Kerberized systems. Otherwise, we'll need to make sure the website gets updated with these changes (code is hosted in a separate repo -- I can give you instructions on how to update that, or just push them myself if you'd prefer).

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
> Key: PHOENIX-4533
> URL: https://issues.apache.org/jira/browse/PHOENIX-4533
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Lev Bronshtein
> Assignee: Lev Bronshtein
> Priority: Minor
> Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP
> ecosystem to perform SPNEGO authentication. Since there can only be one
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing
> key material for local HTTP/ principal is shared among a few applications.
> With so many applications having access to the HTTP/ credentials, this
> increases the chances of an attack on the proxy user capabilities of Hadoop.
> This JIRA proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end

--
This message was sent by Atlassian JIRA (v7.6.3#76005)