Details
-
Improvement
-
Status: Resolved
-
Minor
-
Resolution: Fixed
-
None
-
None
-
None
-
Patch
Description
Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to perform SPNEGO authentication. Since there can only be one HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared among a few applications. With so many applications having access to the HTTP/ credentials, this increases the chances of an attack on the proxy user capabilities of Hadoop. This JIRA proposes that two different key tabs can be used to
1. Authenticate kerberized web requests
2. Communicate with the phoenix back end