Posted to dev@phoenix.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2017/02/20 23:56:44 UTC

[jira] [Commented] (PHOENIX-3686) De-couple PQS's use of Kerberos to talk to HBase and client authentication

    [ https://issues.apache.org/jira/browse/PHOENIX-3686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15875141#comment-15875141 ] 

Hadoop QA commented on PHOENIX-3686:
------------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12853611/PHOENIX-3686.001.patch
  against master branch at commit d18da38afa0d7bbc0221f6472bc3b037edc6e3d4.
  ATTACHMENT ID: 12853611

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:red}-1 tests included{color}.  The patch doesn't appear to include any new or modified tests.
                        Please justify why no new tests are needed for this patch.
                        Also please list what manual steps were performed to verify this patch.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:red}-1 javadoc{color}.  The javadoc tool appears to have generated 43 warning messages.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:red}-1 lineLengths{color}.  The patch introduces the following lines longer than 100:
    +    public static final String QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB = "phoenix.queryserver.spnego.auth.disabled";
+  public static final String QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB = "phoenix.queryserver.spnego.auth.disabled";
+      final boolean disableSpnego = getConf().getBoolean(QueryServices.QUERY_SERVER_SPNEGO_AUTH_DISABLED_ATTRIB,
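
Review bot: on the getBoolean line the default argument is cut off; because the property named here (phoenix.queryserver.spnego.auth.disabled, read into disableSpnego) switches SPNEGO off, the default should be false so that client authentication stays required unless an operator sets the property explicitly, and a startup warning when it is set would make that state visible. The constant is also declared twice with the same value (the first two lines, at different indentation), so consider keeping a single definition and referencing it from the second place.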

    {color:green}+1 core tests{color}.  The patch passed unit tests in .

Test results: https://builds.apache.org/job/PreCommit-PHOENIX-Build/774//testReport/
Javadoc warnings: https://builds.apache.org/job/PreCommit-PHOENIX-Build/774//artifact/patchprocess/patchJavadocWarnings.txt
Console output: https://builds.apache.org/job/PreCommit-PHOENIX-Build/774//console

This message is automatically generated.

> De-couple PQS's use of Kerberos to talk to HBase and client authentication
> --------------------------------------------------------------------------
>
>                 Key: PHOENIX-3686
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-3686
>             Project: Phoenix
>          Issue Type: New Feature
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 4.10.0
>
>         Attachments: PHOENIX-3686.001.patch
>
>
> Was trying to help a user that was using https://bitbucket.org/lalinsky/python-phoenixdb to talk to PQS. After upgrading Phoenix (to a version that actually included client authentication), their application suddenly broke and they were upset.
> Because they were running Phoenix/HBase on a cluster with Kerberos authentication enabled, they suddenly "inherited" this client authentication. AFAIK, the python-phoenixdb project doesn't presently include the ability to authenticate via SPNEGO. This means a Phoenix upgrade broke their app, which stinks.
> This happens because, presently, when PQS sees that HBase is configured for Kerberos auth (via hbase-site.xml), it assumes that clients should be required to also authenticate via Kerberos to it. In certain circumstances, users might not actually want to do this.
> It's a pretty trivial change I've hacked together which shows that this is possible, and I think that, with adequate disclaimer/documentation about this property, it's OK to do. As long as we are very clear about what exactly this configuration property is doing (allowing *anyone* into your HBase instance as the PQS Kerberos user), it will unblock these users while the various client drivers build proper support for authentication.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
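
An added example, not part of the original message or the Phoenix patch: a small Python audit of an hbase-site.xml that flags the combination the issue description warns about, Kerberos-secured HBase with phoenix.queryserver.spnego.auth.disabled set to true. It assumes the new property defaults to false and that PQS otherwise requires SPNEGO whenever hbase.security.authentication is kerberos, as the description states; the function names, status labels and sample files are hypothetical.

```python
import xml.etree.ElementTree as ET

HBASE_AUTH = "hbase.security.authentication"  # standard HBase setting
SPNEGO_OFF = "phoenix.queryserver.spnego.auth.disabled"  # name from the patch

def load_props(xml_text):
    """Parse Hadoop-style configuration XML into a dict (last value wins)."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_pqs_auth(xml_text):
    """Classify the PQS client-authentication posture of one hbase-site.xml."""
    props = load_props(xml_text)
    kerberos = props.get(HBASE_AUTH, "simple").lower() == "kerberos"
    # Assumption: the new property defaults to false (default not shown on the page).
    spnego_off = props.get(SPNEGO_OFF, "false").lower() == "true"
    if kerberos and spnego_off:
        return ("RISK", "clients are not authenticated; every request reaches "
                        "HBase as the PQS Kerberos user")
    if kerberos:
        return ("OK", "PQS requires SPNEGO from clients")
    if spnego_off:
        return ("NOOP", "flag is set but HBase is not using Kerberos")
    return ("NO_KERBEROS", "HBase is not using Kerberos; PQS asks for no SPNEGO")

# Constructed sample: Kerberized HBase with client authentication switched off.
SAMPLE_RISKY = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>phoenix.queryserver.spnego.auth.disabled</name><value>true</value></property>
</configuration>"""

# Constructed sample: Kerberized HBase, new property absent.
SAMPLE_DEFAULT = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
</configuration>"""

if __name__ == "__main__":
    for label, xml_text in (("risky", SAMPLE_RISKY), ("default", SAMPLE_DEFAULT)):
        print(label, *audit_pqs_auth(xml_text))
```

A deployment reported as RISK relies entirely on network controls in front of PQS, since anyone who can reach the port acts with the PQS principal's HBase permissions.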