[ 
https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346936#comment-16346936
 ] 

Josh Elser commented on PHOENIX-4533:
-------------------------------------

bq. Actually I think I already figured it out (though not clear how this 
affects other components).  It looks like the login is done externally.  Just 
need to make sure the Avatica server will still do SPNEGO auth

Yup, you got it. That was meant to disable Avatica from trying to log in when 
we already did the login in the test setup.

As long as you have {{kerberos}} set as the value for 
{{QueryServices.QUERY_SERVER_HBASE_SECURITY_CONF_ATTRIB}}, PQS should end up 
calling {{withSpnegoAuth(..)}} which is what forces the SPNEGO authentication 
to happen.

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the Hadoop 
> ecosystem to perform SPNEGO authentication.  Since there can only be one 
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing 
> key material for local HTTP/ principal is shared among a few applications.  
> With so many applications having access to the HTTP/ credentials, this 
> increases the chances of an attack on the proxy user capabilities of Hadoop.  
> This JIRA proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the Phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
