Posted to user@phoenix.apache.org by Ash N <74...@gmail.com> on 2017/11/24 17:01:23 UTC

SSL Phoenix

Hello All,

Thank you for the great work the team is doing on Phoenix.

Summary :  does Phoenix support SSL connection in Amazon EMR Cluster?

We are running Phoenix on EMR cluster in Amazon. We have a need to connect
to Phoenix over SSL.  I don't see much documentation around this topic
anywhere also I saw a couple of jira tickets that did not provide enough
help or direction on this topic.

If Phoenix does not support SSL connections what are my options?

Starting off six months ago,  we assumed this should not be an issue.  Now
we are in big trouble.

All and any help is greatly appreciated.

Thanks
Ash

Re: SSL Phoenix

Posted by Ash N <74...@gmail.com>.
Thanks Josh.

On Nov 28, 2017 11:24 AM, "Josh Elser" <el...@apache.org> wrote:

Have you read the portion of the HBase book that I previously linked to?
This is handled by SASL and GSSAPI/Kerberos. Please use your favorite
search engine and do some reading.

SSL is just *one* library that can be used to provide privacy of data in
motion.


On 11/27/17 7:25 AM, Ash N wrote:

> Josh,
>
> Thank you for your comment.
>
> 1.
> Could you please  point me to any resources around the below statement you
> make?
>
> " there are definitely the tools/configuration that exist to provide end
> to end data  privacy  "
>
> 2.SSL is just not part of that picture :)
>
> Above statement is contrary to my understanding.
>
> Thought SSL enables secure connections.
>
> Input as always is appropriated.
>
> Thanks.
>
>
> On Nov 26, 2017 8:58 PM, "Josh Elser" <elserj@apache.org <mailto:
> elserj@apache.org>> wrote:
>
>     Thanks, Ash. Just to confirm, there are definitely the
>     tools/configuration that exist to provide end to end data privacy
>     (at rest and in motion). SSL is just not part of that picture :)
>
>     On Nov 24, 2017 12:19, "Ash N" <742000@gmail.com
>     <ma...@gmail.com>> wrote:
>
>         Josh,
>
>         Thank you for your quick response.
>
>         The data is sensitive personal data of customers.  Everything
>         needs to be encrypted and secure.  In - wire, on-wire,
>         in-motion, at rest, everything.
>         Our solution was to use SSL/TLS everywhere.  Our development
>         team reported that Phoenix does not support SSL. Therefore this
>         is a big problem.
>
>         Based on the above statements,  if you have additional ideas, I
>         will gladly take them,
>         if you have additional input please do provide.  I unfortunately
>         have very limited to no knowledge on security.  So this becomes
>         a challenge area for me.
>
>         Meanwhile,  I will look up the link you have provided and will
>         continue to do research on this topic.
>
>         thanks,
>         -ash
>
>         On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <elserj@apache.org
>         <ma...@apache.org>> wrote:
>
>             Why do you have a hard-requirement on using SSL?
>
>             HBase itself does not use SSL to provide confidentiality on
>             its wire communication, it relies on jGSS and SASL to
>             implement this security. Under the hood, this actually boils
>             down to using GSSAPI, Kerberos specifically, to implement
>             privacy (e.g. aes256-cts-hmac-sha1-96).
>
>             Take a look at
>             https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation
>             <https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation>.
>
>             Phoenix executes all of its RPCs over HBase RPCs, so if you
>             have HBase set up correctly, Phoenix will follow.
>
>             If you want to introduce the Phoenix Query Server into your
>             architecture, you can place it behind an SSL/TLS proxy
>             server (or configure PQS directly with SSL/TLS using a
>             sufficiently new version of Phoenix). This would be the only
>             way I know of to "use Phoenix with SSL", but, in my
>             experience, this is rarely what people actually want when
>             they say this ;)
>
>             Disclaimer: I have no idea how any of this translates to EMR :)
>
>
>             On 11/24/17 12:01 PM, Ash N wrote:
>
>                 Hello All,
>
>                 Thank you for the great work the team is doing on Phoenix.
>
>                 Summary :  does Phoenix support SSL connection in Amazon
>                 EMR Cluster?
>
>                 We are running Phoenix on EMR cluster in Amazon. We have
>                 a need to connect to Phoenix over SSL.  I don't see much
>                 documentation around this topic anywhere also I saw a
>                 couple of jira tickets that did not provide enough help
>                 or direction on this topic.
>
>                 If Phoenix does not support SSL connections what are my
>                 options?
>
>                 Starting off six months ago,  we assumed this should not
>                 be an issue.  Now we are in big trouble.
>
>                 All and any help is greatly appreciated.
>
>                 Thanks
>                 Ash
>
>
>
>

Re: SSL Phoenix

Posted by Josh Elser <el...@apache.org>.
Have you read the portion of the HBase book that I previously linked to? 
This is handled by SASL and GSSAPI/Kerberos. Please use your favorite 
search engine and do some reading.

SSL is just *one* library that can be used to provide privacy of data in 
motion.

On 11/27/17 7:25 AM, Ash N wrote:
> Josh,
> 
> Thank you for your comment.
> 
> 1.
> Could you please  point me to any resources around the below statement 
> you make?
> 
> " there are definitely the tools/configuration that exist to provide end 
> to end data  privacy  "
> 
> 2.SSL is just not part of that picture :)
> 
> Above statement is contrary to my understanding.
> 
> Thought SSL enables secure connections.
> 
> Input as always is appropriated.
> 
> Thanks.
> 
> 
> On Nov 26, 2017 8:58 PM, "Josh Elser" <elserj@apache.org 
> <ma...@apache.org>> wrote:
> 
>     Thanks, Ash. Just to confirm, there are definitely the
>     tools/configuration that exist to provide end to end data privacy
>     (at rest and in motion). SSL is just not part of that picture :)
> 
>     On Nov 24, 2017 12:19, "Ash N" <742000@gmail.com
>     <ma...@gmail.com>> wrote:
> 
>         Josh,
> 
>         Thank you for your quick response.
> 
>         The data is sensitive personal data of customers.  Everything
>         needs to be encrypted and secure.  In - wire, on-wire,
>         in-motion, at rest, everything.
>         Our solution was to use SSL/TLS everywhere.  Our development
>         team reported that Phoenix does not support SSL. Therefore this
>         is a big problem.
> 
>         Based on the above statements,  if you have additional ideas, I
>         will gladly take them,
>         if you have additional input please do provide.  I unfortunately
>         have very limited to no knowledge on security.  So this becomes
>         a challenge area for me.
> 
>         Meanwhile,  I will look up the link you have provided and will
>         continue to do research on this topic.
> 
>         thanks,
>         -ash
> 
>         On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <elserj@apache.org
>         <ma...@apache.org>> wrote:
> 
>             Why do you have a hard-requirement on using SSL?
> 
>             HBase itself does not use SSL to provide confidentiality on
>             its wire communication, it relies on jGSS and SASL to
>             implement this security. Under the hood, this actually boils
>             down to using GSSAPI, Kerberos specifically, to implement
>             privacy (e.g. aes256-cts-hmac-sha1-96).
> 
>             Take a look at
>             https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation
>             <https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation>.
>             Phoenix executes all of its RPCs over HBase RPCs, so if you
>             have HBase set up correctly, Phoenix will follow.
> 
>             If you want to introduce the Phoenix Query Server into your
>             architecture, you can place it behind an SSL/TLS proxy
>             server (or configure PQS directly with SSL/TLS using a
>             sufficiently new version of Phoenix). This would be the only
>             way I know of to "use Phoenix with SSL", but, in my
>             experience, this is rarely what people actually want when
>             they say this ;)
> 
>             Disclaimer: I have no idea how any of this translates to EMR :)
> 
> 
>             On 11/24/17 12:01 PM, Ash N wrote:
> 
>                 Hello All,
> 
>                 Thank you for the great work the team is doing on Phoenix.
> 
>                 Summary :  does Phoenix support SSL connection in Amazon
>                 EMR Cluster?
> 
>                 We are running Phoenix on EMR cluster in Amazon. We have
>                 a need to connect to Phoenix over SSL.  I don't see much
>                 documentation around this topic anywhere also I saw a
>                 couple of jira tickets that did not provide enough help
>                 or direction on this topic.
> 
>                 If Phoenix does not support SSL connections what are my
>                 options?
> 
>                 Starting off six months ago,  we assumed this should not
>                 be an issue.  Now we are in big trouble.
> 
>                 All and any help is greatly appreciated.
> 
>                 Thanks
>                 Ash
> 
> 
> 

Re: SSL Phoenix

Posted by Ash N <74...@gmail.com>.
Josh,

Thank you for your comment.

1.
Could you please  point me to any resources around the below statement you
make?

" there are definitely the tools/configuration that exist to provide end to
end data  privacy  "

2.SSL is just not part of that picture :)

Above statement is contrary to my understanding.

Thought SSL enables secure connections.

Input as always is appropriated.

Thanks.


On Nov 26, 2017 8:58 PM, "Josh Elser" <el...@apache.org> wrote:

Thanks, Ash. Just to confirm, there are definitely the tools/configuration
that exist to provide end to end data privacy (at rest and in motion). SSL
is just not part of that picture :)

On Nov 24, 2017 12:19, "Ash N" <74...@gmail.com> wrote:

> Josh,
>
> Thank you for your quick response.
>
> The data is sensitive personal data of customers.  Everything needs to be
> encrypted and secure.  In - wire, on-wire, in-motion, at rest, everything.
> Our solution was to use SSL/TLS everywhere.  Our development team reported
> that Phoenix does not support SSL. Therefore this is a big problem.
>
> Based on the above statements,  if you have additional ideas, I will
> gladly take them,
> if you have additional input please do provide.  I unfortunately have very
> limited to no knowledge on security.  So this becomes a challenge area for
> me.
>
> Meanwhile,  I will look up the link you have provided and will continue to
> do research on this topic.
>
> thanks,
> -ash
>
> On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <el...@apache.org> wrote:
>
>> Why do you have a hard-requirement on using SSL?
>>
>> HBase itself does not use SSL to provide confidentiality on its wire
>> communication, it relies on jGSS and SASL to implement this security. Under
>> the hood, this actually boils down to using GSSAPI, Kerberos specifically,
>> to implement privacy (e.g. aes256-cts-hmac-sha1-96).
>>
>> Take a look at
>> https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
>> Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase set
>> up correctly, Phoenix will follow.
>>
>> If you want to introduce the Phoenix Query Server into your architecture,
>> you can place it behind an SSL/TLS proxy server (or configure PQS directly
>> with SSL/TLS using a sufficiently new version of Phoenix). This would be
>> the only way I know of to "use Phoenix with SSL", but, in my experience,
>> this is rarely what people actually want when they say this ;)
>>
>> Disclaimer: I have no idea how any of this translates to EMR :)
>>
>>
>> On 11/24/17 12:01 PM, Ash N wrote:
>>
>>> Hello All,
>>>
>>> Thank you for the great work the team is doing on Phoenix.
>>>
>>> Summary :  does Phoenix support SSL connection in Amazon EMR Cluster?
>>>
>>> We are running Phoenix on EMR cluster in Amazon. We have a need to
>>> connect to Phoenix over SSL.  I don't see much documentation around this
>>> topic anywhere also I saw a couple of jira tickets that did not provide
>>> enough help or direction on this topic.
>>>
>>> If Phoenix does not support SSL connections what are my options?
>>>
>>> Starting off six months ago,  we assumed this should not be an issue.
>>> Now we are in big trouble.
>>>
>>> All and any help is greatly appreciated.
>>>
>>> Thanks
>>> Ash
>>>
>>
>

Re: SSL Phoenix

Posted by Josh Elser <el...@apache.org>.
Thanks, Ash. Just to confirm, there are definitely the tools/configuration
that exist to provide end to end data privacy (at rest and in motion). SSL
is just not part of that picture :)

On Nov 24, 2017 12:19, "Ash N" <74...@gmail.com> wrote:

> Josh,
>
> Thank you for your quick response.
>
> The data is sensitive personal data of customers.  Everything needs to be
> encrypted and secure.  In - wire, on-wire, in-motion, at rest, everything.
> Our solution was to use SSL/TLS everywhere.  Our development team reported
> that Phoenix does not support SSL. Therefore this is a big problem.
>
> Based on the above statements,  if you have additional ideas, I will
> gladly take them,
> if you have additional input please do provide.  I unfortunately have very
> limited to no knowledge on security.  So this becomes a challenge area for
> me.
>
> Meanwhile,  I will look up the link you have provided and will continue to
> do research on this topic.
>
> thanks,
> -ash
>
> On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <el...@apache.org> wrote:
>
>> Why do you have a hard-requirement on using SSL?
>>
>> HBase itself does not use SSL to provide confidentiality on its wire
>> communication, it relies on jGSS and SASL to implement this security. Under
>> the hood, this actually boils down to using GSSAPI, Kerberos specifically,
>> to implement privacy (e.g. aes256-cts-hmac-sha1-96).
>>
>> Take a look at
>> https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
>> Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase set
>> up correctly, Phoenix will follow.
>>
>> If you want to introduce the Phoenix Query Server into your architecture,
>> you can place it behind an SSL/TLS proxy server (or configure PQS directly
>> with SSL/TLS using a sufficiently new version of Phoenix). This would be
>> the only way I know of to "use Phoenix with SSL", but, in my experience,
>> this is rarely what people actually want when they say this ;)
>>
>> Disclaimer: I have no idea how any of this translates to EMR :)
>>
>>
>> On 11/24/17 12:01 PM, Ash N wrote:
>>
>>> Hello All,
>>>
>>> Thank you for the great work the team is doing on Phoenix.
>>>
>>> Summary :  does Phoenix support SSL connection in Amazon EMR Cluster?
>>>
>>> We are running Phoenix on EMR cluster in Amazon. We have a need to
>>> connect to Phoenix over SSL.  I don't see much documentation around this
>>> topic anywhere also I saw a couple of jira tickets that did not provide
>>> enough help or direction on this topic.
>>>
>>> If Phoenix does not support SSL connections what are my options?
>>>
>>> Starting off six months ago,  we assumed this should not be an issue.
>>> Now we are in big trouble.
>>>
>>> All and any help is greatly appreciated.
>>>
>>> Thanks
>>> Ash
>>>
>>
>

Re: SSL Phoenix

Posted by Ash N <74...@gmail.com>.
Josh,

Thank you for your quick response.

The data is sensitive personal data of customers.  Everything needs to be
encrypted and secure.  In - wire, on-wire, in-motion, at rest, everything.
Our solution was to use SSL/TLS everywhere.  Our development team reported
that Phoenix does not support SSL. Therefore this is a big problem.

Based on the above statements,  if you have additional ideas, I will gladly
take them,
if you have additional input please do provide.  I unfortunately have very
limited to no knowledge on security.  So this becomes a challenge area for
me.

Meanwhile,  I will look up the link you have provided and will continue to
do research on this topic.

thanks,
-ash

On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <el...@apache.org> wrote:

> Why do you have a hard-requirement on using SSL?
>
> HBase itself does not use SSL to provide confidentiality on its wire
> communication, it relies on jGSS and SASL to implement this security. Under
> the hood, this actually boils down to using GSSAPI, Kerberos specifically,
> to implement privacy (e.g. aes256-cts-hmac-sha1-96).
>
> Take a look at
> https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
> Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase set
> up correctly, Phoenix will follow.
>
> If you want to introduce the Phoenix Query Server into your architecture,
> you can place it behind an SSL/TLS proxy server (or configure PQS directly
> with SSL/TLS using a sufficiently new version of Phoenix). This would be
> the only way I know of to "use Phoenix with SSL", but, in my experience,
> this is rarely what people actually want when they say this ;)
>
> Disclaimer: I have no idea how any of this translates to EMR :)
>
>
> On 11/24/17 12:01 PM, Ash N wrote:
>
>> Hello All,
>>
>> Thank you for the great work the team is doing on Phoenix.
>>
>> Summary :  does Phoenix support SSL connection in Amazon EMR Cluster?
>>
>> We are running Phoenix on EMR cluster in Amazon. We have a need to
>> connect to Phoenix over SSL.  I don't see much documentation around this
>> topic anywhere also I saw a couple of jira tickets that did not provide
>> enough help or direction on this topic.
>>
>> If Phoenix does not support SSL connections what are my options?
>>
>> Starting off six months ago,  we assumed this should not be an issue.
>> Now we are in big trouble.
>>
>> All and any help is greatly appreciated.
>>
>> Thanks
>> Ash
>>
>

Re: SSL Phoenix

Posted by Josh Elser <el...@apache.org>.
Why do you have a hard-requirement on using SSL?

HBase itself does not use SSL to provide confidentiality on its wire 
communication, it relies on jGSS and SASL to implement this security. 
Under the hood, this actually boils down to using GSSAPI, Kerberos 
specifically, to implement privacy (e.g. aes256-cts-hmac-sha1-96).

Take a look at 
https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation. 
Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase 
set up correctly, Phoenix will follow.

If you want to introduce the Phoenix Query Server into your 
architecture, you can place it behind an SSL/TLS proxy server (or 
configure PQS directly with SSL/TLS using a sufficiently new version of 
Phoenix). This would be the only way I know of to "use Phoenix with 
SSL", but, in my experience, this is rarely what people actually want 
when they say this ;)

Disclaimer: I have no idea how any of this translates to EMR :)

On 11/24/17 12:01 PM, Ash N wrote:
> Hello All,
> 
> Thank you for the great work the team is doing on Phoenix.
> 
> Summary :  does Phoenix support SSL connection in Amazon EMR Cluster?
> 
> We are running Phoenix on EMR cluster in Amazon. We have a need to 
> connect to Phoenix over SSL.  I don't see much documentation around this 
> topic anywhere also I saw a couple of jira tickets that did not provide 
> enough help or direction on this topic.
> 
> If Phoenix does not support SSL connections what are my options?
> 
> Starting off six months ago,  we assumed this should not be an issue.  
> Now we are in big trouble.
> 
> All and any help is greatly appreciated.
> 
> Thanks
> Ash
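
The reply above says HBase RPC confidentiality comes from SASL/GSSAPI rather than SSL, and that Phoenix follows whatever HBase is configured to do. The following is an added example, not part of the thread or of the HBase/Phoenix code base: a small audit of an hbase-site.xml for the two properties that decide whether RPC payloads are encrypted. The two sample files are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml contents (not taken from the thread).
WEAK_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>authentication</value></property>
</configuration>"""

PRIVATE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>privacy</value></property>
</configuration>"""

# HBase defaults that apply when a property is absent from hbase-site.xml.
DEFAULTS = {
    "hbase.security.authentication": "simple",
    "hbase.rpc.protection": "authentication",
}

# hbase.rpc.protection value -> SASL quality of protection it negotiates.
SASL_QOP = {"authentication": "auth", "integrity": "auth-int", "privacy": "auth-conf"}


def load_properties(site_xml):
    """Parse Hadoop-style <property><name/><value/></property> entries."""
    props = dict(DEFAULTS)
    for prop in ET.fromstring(site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_rpc_privacy(site_xml):
    """Return a list of findings; an empty list means RPC payloads are encrypted."""
    props = load_properties(site_xml)
    findings = []
    if props["hbase.security.authentication"].lower() != "kerberos":
        findings.append("hbase.security.authentication is not 'kerberos': "
                        "SASL is not negotiated, so no wire protection applies")
    # The value may be a comma-separated list; every accepted level must encrypt.
    levels = [v.strip().lower() for v in props["hbase.rpc.protection"].split(",")]
    for level in levels:
        if level not in SASL_QOP:
            findings.append(f"hbase.rpc.protection has unknown value '{level}'")
        elif SASL_QOP[level] != "auth-conf":
            findings.append(f"hbase.rpc.protection allows '{level}' "
                            f"(SASL QOP {SASL_QOP[level]}): RPC payloads are not encrypted")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SITE), ("private", PRIVATE_SITE)):
        print(label, audit_rpc_privacy(xml_text) or "OK: auth-conf only")
```

Run it against both the server and the client copies of hbase-site.xml, since the client must request the same protection level as the servers.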