[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362628#comment-16362628 ]
Josh Elser commented on PHOENIX-4533:
-------------------------------------
Pushed this to the 4.x and 5.x branches. Thanks again, [~lbronshtein].
One final thing: any interest in updating the website with content for the new
configuration properties you've added?
We'd want to add them to https://phoenix.apache.org/server.html.
https://phoenix.apache.org/building_website.html has instructions on how to do
this. If you can get a diff against the website, I'd happily apply that too.
Else, I'll just throw up something today myself.
> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
> Key: PHOENIX-4533
> URL: https://issues.apache.org/jira/browse/PHOENIX-4533
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Lev Bronshtein
> Assignee: Lev Bronshtein
> Priority: Minor
> Fix For: 5.0.0, 4.14.0
>
> Attachments: PHOENIX-4533.1.patch, PHOENIX-4533.2.patch,
> PHOENIX-4533.3.patch, PHOENIX-4533.squash.patch
>
>
> Currently the HTTP/ principal is used by various components in the Hadoop
> ecosystem to perform SPNEGO authentication. Since there can only be one
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing
> key material for the local HTTP/ principal is shared among a few applications.
> With so many applications having access to the HTTP/ credentials, this
> increases the chances of an attack on the proxy user capabilities of Hadoop.
> This JIRA proposes that two different keytabs can be used to:
> 1. Authenticate kerberized web requests
> 2. Communicate with the Phoenix back end