[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16361543#comment-16361543 ]
Josh Elser commented on PHOENIX-4533:
-------------------------------------

{{mvn verify}} with the PQS ITs passes for me.

I think the only thing that caught my eye was that you have the IT putting both keys into one keytab file. This doesn't mimic what most people will do in reality, but there shouldn't be any functional difference in doing it in one or multiple keytab files so _shrug_.

Will run this through tests on each branch and push it out if it's good! Thanks for your help, Lev!

For the future, it's preferred if each patch is standalone, rather than building on the previous, Lev. I'll attach a new patch file here which is the collection of changes you've made across all three commits.

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>         Attachments: PHOENIX-4533.1.patch, PHOENIX-4533.2.patch,
> PHOENIX-4533.3.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP
> ecosystem to perform SPNEGO authentication. Since there can only be one
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing
> key material for local HTTP/ principal is shared among a few applications.
> With so many applications having access to the HTTP/ credentials, this
> increases the chances of an attack on the proxy user capabilities of Hadoop.
> This JIRA proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
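
The separation the issue asks for can be checked on a host, shown here as an added example that is not part of the JIRA thread or the Phoenix patch: it reads Hadoop's `hadoop.proxyuser.*` settings and `klist -kt` style keytab listings, then flags impersonation rights granted to the shared HTTP principal and keytabs that hold both the shared key and a service key. The `phoenixqs` principal, the host names, the keytab paths and all sample data are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment (sample data, not from the issue).
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.HTTP.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.HTTP.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.phoenixqs.hosts</name><value>pqs1.example.com</value></property>
  <property><name>hadoop.proxyuser.phoenixqs.groups</name><value>analysts</value></property>
</configuration>"""

# Constructed `klist -kt` style rows, keyed by (hypothetical) keytab path.
KEYTABS = {
    "/etc/security/keytabs/spnego.service.keytab":
        "   2 02/12/18 10:00:00 HTTP/pqs1.example.com@EXAMPLE.COM\n",
    "/etc/security/keytabs/pqs.keytab":
        "   1 02/12/18 10:00:00 phoenixqs/pqs1.example.com@EXAMPLE.COM\n",
}

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.([^.]+)\.(hosts|groups|users)$")

def proxy_users(core_site_xml):
    """Map each proxy superuser short name to its hosts/groups/users settings."""
    users = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        m = PROXY_KEY.match(prop.findtext("name", "").strip())
        if m:
            users.setdefault(m.group(1), {})[m.group(2)] = prop.findtext("value", "").strip()
    return users

def keytab_primaries(listing):
    """Return the principal primaries (text before '/') found in a listing."""
    return {line.split()[-1].split("/")[0].split("@")[0]
            for line in listing.splitlines() if "@" in line}

def audit(core_site_xml, keytabs, shared=("HTTP",)):
    """Flag proxy rights held by a shared principal, and keytabs mixing key types."""
    findings = []
    for name, rules in sorted(proxy_users(core_site_xml).items()):
        if name in shared:
            findings.append(f"proxyuser '{name}' is a shared SPNEGO principal: {rules}")
    for path, listing in sorted(keytabs.items()):
        prims = keytab_primaries(listing)
        if prims & set(shared) and prims - set(shared):
            findings.append(f"{path} mixes shared and service keys: {sorted(prims)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CORE_SITE, KEYTABS)))
```

On the sample data only the `hadoop.proxyuser.HTTP.*` entries are reported; merging both listings into one keytab, as the integration test does, adds the mixed-keytab finding.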