[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16362890#comment-16362890 ]
Hudson commented on PHOENIX-4533: --------------------------------- FAILURE: Integrated in Jenkins build Phoenix-master #1936 (See [https://builds.apache.org/job/Phoenix-master/1936/]) PHOENIX-4533 Modified Query Server to use two sets of Kerberos (elserj: rev a71c4b7e3c11f1c7d1955b51929ad65b252feb62) * (edit) phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/HttpParamImpersonationQueryServerIT.java * (edit) phoenix-core/src/main/java/org/apache/phoenix/query/QueryServices.java * (edit) phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java * (edit) phoenix-queryserver/src/it/java/org/apache/phoenix/end2end/SecureQueryServerIT.java > Phoenix Query Server should not use SPNEGO principal to proxy user requests > --------------------------------------------------------------------------- > > Key: PHOENIX-4533 > URL: https://issues.apache.org/jira/browse/PHOENIX-4533 > Project: Phoenix > Issue Type: Improvement > Reporter: Lev Bronshtein > Assignee: Lev Bronshtein > Priority: Minor > Fix For: 5.0.0, 4.14.0 > > Attachments: PHOENIX-4533.1.patch, PHOENIX-4533.2.patch, > PHOENIX-4533.3.patch, PHOENIX-4533.squash.patch > > > Currently the HTTP/ principal is used by various components in the HADOOP > ecosystem to perform SPNEGO authentication. Since there can only be one > HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing > key material for local HTTP/ principal is shared among a few applications. > With so many applications having access to the HTTP/ credentials, this > increases the chances of an attack on the proxy user capabilities of Hadoop. > This JIRA proposes that two different key tabs can be used to > 1. Authenticate kerberized web requests > 2. Communicate with the phoenix back end -- This message was sent by Atlassian JIRA (v7.6.3#76005)