Thanks Josh.

On Nov 28, 2017 11:24 AM, "Josh Elser" <els...@apache.org> wrote:

Have you read the portion of the HBase book that I previously linked to? This is handled by SASL and GSSAPI/Kerberos. Please use your favorite search engine and do some reading.

SSL is just *one* library that can be used to provide privacy of data in motion.

On 11/27/17 7:25 AM, Ash N wrote:
> Josh,
>
> Thank you for your comment.
>
> 1. Could you please point me to any resources around the below statement you make?
>
> " there are definitely the tools/configuration that exist to provide end to end data privacy "
>
> 2. SSL is just not part of that picture :)
>
> Above statement is contrary to my understanding.
>
> Thought SSL enables secure connections.
>
> Input as always is appropriated.
>
> Thanks.
>
> On Nov 26, 2017 8:58 PM, "Josh Elser" <els...@apache.org> wrote:
>
> > Thanks, Ash. Just to confirm, there are definitely the tools/configuration that exist to provide end to end data privacy (at rest and in motion). SSL is just not part of that picture :)
> >
> > On Nov 24, 2017 12:19, "Ash N" <742...@gmail.com> wrote:
> >
> > > Josh,
> > >
> > > Thank you for your quick response.
> > >
> > > The data is sensitive personal data of customers. Everything needs to be encrypted and secure. In - wire, on-wire, in-motion, at rest, everything.
> > > Our solution was to use SSL/TLS everywhere. Our development team reported that Phoenix does not support SSL. Therefore this is a big problem.
> > >
> > > Based on the above statements, if you have additional ideas, I will gladly take them, if you have additional input please do provide. I unfortunately have very limited to no knowledge on security. So this becomes a challenge area for me.
> > >
> > > Meanwhile, I will look up the link you have provided and will continue to do research on this topic.
> > >
> > > thanks,
> > > -ash
> > >
> > > On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <els...@apache.org> wrote:
> > >
> > > > Why do you have a hard-requirement on using SSL?
> > > >
> > > > HBase itself does not use SSL to provide confidentiality on its wire communication, it relies on jGSS and SASL to implement this security. Under the hood, this actually boils down to using GSSAPI, Kerberos specifically, to implement privacy (e.g. aes256-cts-hmac-sha1-96).
> > > >
> > > > Take a look at https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
> > > >
> > > > Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase set up correctly, Phoenix will follow.
> > > >
> > > > If you want to introduce the Phoenix Query Server into your architecture, you can place it behind an SSL/TLS proxy server (or configure PQS directly with SSL/TLS using a sufficiently new version of Phoenix). This would be the only way I know of to "use Phoenix with SSL", but, in my experience, this is rarely what people actually want when they say this ;)
> > > >
> > > > Disclaimer: I have no idea how any of this translates to EMR :)
> > > >
> > > > On 11/24/17 12:01 PM, Ash N wrote:
> > > >
> > > > > Hello All,
> > > > >
> > > > > Thank you for the great work the team is doing on Phoenix.
> > > > >
> > > > > Summary : does Phoenix support SSL connection in Amazon EMR Cluster?
> > > > >
> > > > > We are running Phoenix on EMR cluster in Amazon. We have a need to connect to Phoenix over SSL. I don't see much documentation around this topic anywhere also I saw a couple of jira tickets that did not provide enough help or direction on this topic.
> > > > >
> > > > > If Phoenix does not support SSL connections what are my options?
> > > > >
> > > > > Starting off six months ago, we assumed this should not be an issue. Now we are in big trouble.
> > > > >
> > > > > All and any help is greatly appreciated.
> > > > >
> > > > > Thanks
> > > > > Ash
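
An added example, not part of the thread: one way to check that an `hbase-site.xml` actually turns on the SASL wire privacy discussed above. It assumes the standard HBase properties `hbase.security.authentication` and `hbase.rpc.protection` and their documented defaults; the two XML fragments are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml fragments (not taken from the thread).
WEAK = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>authentication</value></property>
</configuration>"""

PRIVATE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>privacy</value></property>
</configuration>"""

# Assumed HBase defaults, applied when a property is absent from the file.
DEFAULTS = {"hbase.security.authentication": "simple",
            "hbase.rpc.protection": "authentication"}

def load_props(xml_text):
    """Parse Hadoop-style <configuration> XML into a dict (later entries override earlier)."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rpc_privacy(xml_text):
    """Return a list of findings; an empty list means RPC traffic is encrypted via SASL."""
    props = load_props(xml_text)
    findings = []
    auth = props["hbase.security.authentication"].lower()
    if auth != "kerberos":
        findings.append(f"hbase.security.authentication={auth}: SASL/Kerberos is not enabled")
    # Newer HBase releases accept a comma-separated list here; any entry other than
    # "privacy" lets a peer negotiate a quality of protection without encryption.
    qops = [q.strip().lower() for q in props["hbase.rpc.protection"].split(",") if q.strip()]
    weak = [q for q in qops if q != "privacy"]
    if weak or not qops:
        findings.append(f"hbase.rpc.protection={','.join(qops) or '(empty)'}: "
                        "RPC payloads are not guaranteed to be encrypted")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("private", PRIVATE)):
        print(label, audit_rpc_privacy(cfg) or "OK")
```

The same check applies to the client-side `hbase-site.xml` that Phoenix picks up, since Phoenix issues its requests over HBase RPC.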