[PHOENIX-4533] Phoenix Query Server should not use SPNEGO principal to proxy user requests - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.0.0-alpha, 4.14.0
Component/s: None
Labels:
None

Flags:

Patch

Description

Currently the HTTP/ principal is used by various components in the HADOOP ecosystem to perform SPNEGO authentication. Since there can only be one HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing key material for local HTTP/ principal is shared among a few applications. With so many applications having access to the HTTP/ credentials, this increases the chances of an attack on the proxy user capabilities of Hadoop. This JIRA proposes that two different key tabs can be used to

1. Authenticate kerberized web requests
2. Communicate with the phoenix back end

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

PHOENIX-4533.squash.patch
12/Feb/18 22:31
11 kB
Josh Elser
PHOENIX-4533.3.patch
10/Feb/18 22:46
4 kB
Lev Bronshtein
PHOENIX-4533.2.patch
10/Feb/18 02:59
2 kB
Lev Bronshtein
PHOENIX-4533.1.patch
01/Feb/18 03:59
9 kB
Lev Bronshtein

Activity

People

Assignee:: Lev Bronshtein

Reporter:: Lev Bronshtein

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 18/Jan/18 03:50

Updated:: 26/Jul/18 01:14

Resolved:: 13/Feb/18 16:49