Uploaded image for project: 'Phoenix'
  1. Phoenix
  2. PHOENIX-4533

Phoenix Query Server should not use SPNEGO principal to proxy user requests

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.0-alpha, 4.14.0
    • Labels:
      None
    • Flags:
      Patch

      Description

      Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to perform SPNEGO authentication.  Since there can only be one HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared among a few applications.  With so many applications having access to the HTTP/ credentials, this increases the chances of an attack on the proxy user capabilities of Hadoop.  This JIRA proposes that two different key tabs can be used to

      1. Authenticate kerberized web requests
      2. Communicate with the phoenix back end

        Attachments

        1. PHOENIX-4533.squash.patch
          11 kB
          Josh Elser
        2. PHOENIX-4533.3.patch
          4 kB
          Lev Bronshtein
        3. PHOENIX-4533.2.patch
          2 kB
          Lev Bronshtein
        4. PHOENIX-4533.1.patch
          9 kB
          Lev Bronshtein

          Activity

            People

            • Assignee:
              lbronshtein Lev Bronshtein
              Reporter:
              lbronshtein Lev Bronshtein
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: