[jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests

Lev Bronshtein (JIRA) Wed, 14 Feb 2018 14:04:26 -0800

    [ 
https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16364841#comment-16364841
 ]


Lev Bronshtein commented on PHOENIX-4533:
-----------------------------------------

Josh, is this what you are looking for?

$ svn diff
Index: site/publish/server.html
===================================================================
--- site/publish/server.html (revision 1824225)
+++ site/publish/server.html (working copy)
@@ -289,10 +289,20 @@
 <td><i>unset</i></td>
 </tr>
 <tr class="a">
+ <td><small>phoenix.queryserver.http.keytab.file</small></td>
+ <td style="text-align: left;">The key to look for keytab file. This 
configuration MUST be specified if phoenix.queryserver.kerberos.http.principal 
is configured</td>
+ <td><i>unset</i></td>
+ </tr>
+ <tr class="b">
 <td><small>phoenix.queryserver.kerberos.principal</small></td>
- <td style="text-align: left;">The kerberos principal to use when 
authenticating.</td>
+ <td style="text-align: left;">The kerberos principal to use when 
authenticating. If phoenix.queryserver.kerberos.http.principal is not 
configured, the principlaa specified will be also used to both authenticate 
SPNEGO connections and to connect to HBase. Unless 
phoenix.queryserver.http.keytab.file is also specified, this configuration will 
be ignored</td>
 <td><i>unset</i></td>
 </tr>
+ <tr class="a">
+ <td><small>phoenix.queryserver.kerberos.http.principal</small></td>
+ <td style="text-align: left;">The kerberos principal to use when 
authenticating SPNEGO connections</td>
+ <td><i>unset</i></td>
+ </tr>
 <tr class="b">
 <td><small>phoenix.queryserver.dns.nameserver</small></td>
 <td style="text-align: left;">The DNS hostname</td>

> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
>                 Key: PHOENIX-4533
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-4533
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Lev Bronshtein
>            Assignee: Lev Bronshtein
>            Priority: Minor
>             Fix For: 5.0.0, 4.14.0
>
>         Attachments: PHOENIX-4533.1.patch, PHOENIX-4533.2.patch, 
> PHOENIX-4533.3.patch, PHOENIX-4533.squash.patch
>
>
> Currently the HTTP/ principal is used by various components in the HADOOP 
> ecosystem to perform SPNEGO authentication.  Since there can only be one 
> HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing 
> key material for local HTTP/ principal is shared among a few applications.  
> With so many applications having access to the HTTP/ credentials, this 
> increases the chances of an attack on the proxy user capabilities of Hadoop.  
> This JIRA proposes that two different key tabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the phoenix back end



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests

Reply via email to