Posted to dev@phoenix.apache.org by "Lev Bronshtein (JIRA)" <ji...@apache.org> on 2018/01/26 17:02:00 UTC
[jira] [Comment Edited] (PHOENIX-4533) Phoenix Query Server should not use SPNEGO principal to proxy user requests
[ https://issues.apache.org/jira/browse/PHOENIX-4533?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16341283#comment-16341283 ]
Lev Bronshtein edited comment on PHOENIX-4533 at 1/26/18 5:02 PM:
------------------------------------------------------------------
Looks like it works. I first set the max lifetime for the principal in question to 5 minutes using kadmin:
kadmin.local: modprinc -maxlife "5 minutes" phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal "phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM" modified.
kadmin.local: getprinc phoenixqs/f-bcpc-vm1.bcpc.example.com
Principal: phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Jan 19 20:22:31 UTC 2018
Password expiration date: [none]
*Maximum ticket life: 0 days 00:05:00*
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jan 26 16:27:47 UTC 2018 (root/admin@BCPC.EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, des-cbc-crc, no salt
MKey: vno 1
Attributes:
Policy: [none]
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,379 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,386 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-01-26 11:58:58,391 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:637)
2018-01-26 11:58:58,393 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating logout for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop logout
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:58:58,398 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
2018-01-26 11:58:58,399 DEBUG org.apache.hadoop.security.UserGroupInformation: using existing subject:[phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM, phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM]
2018-01-26 11:59:01,227 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:734)
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
> Phoenix Query Server should not use SPNEGO principal to proxy user requests
> ---------------------------------------------------------------------------
>
> Key: PHOENIX-4533
> URL: https://issues.apache.org/jira/browse/PHOENIX-4533
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Lev Bronshtein
> Assignee: Lev Bronshtein
> Priority: Minor
> Attachments: PHOENIX-4533.1.patch
>
>
> Currently the HTTP/ principal is used by various components in the Hadoop ecosystem to perform SPNEGO authentication. Since there can only be one HTTP/ per host, even outside of the Hadoop ecosystem, the keytab containing key material for the local HTTP/ principal is shared among a few applications. With so many applications having access to the HTTP/ credentials, this increases the chances of an attack on the proxy user capabilities of Hadoop. This JIRA proposes that two different keytabs can be used to
> 1. Authenticate kerberized web requests
> 2. Communicate with the Phoenix back end
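As an added example (not code from the issue or the Phoenix project), a small Python check over UserGroupInformation DEBUG lines in the format shown in the comment above: it tallies which service principal is doing the proxy-user work, flags any proxy action performed via an HTTP/ SPNEGO principal (the shared-keytab exposure the issue describes), and confirms that a "Failed to find any Kerberos tgt" failure was followed by a re-login for the same principal. The sample lines are constructed; the HTTP/ line and the user alice are invented to show what gets flagged.

```python
import re

# Constructed sample in the UGI DEBUG format from the comment above. The last
# line (proxying via HTTP/...) is invented to demonstrate the SPNEGO-proxy flag.
SAMPLE_LOG = """\
2018-01-26 11:58:58,356 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 11:58:58,390 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedActionException as:phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
2018-01-26 11:58:58,394 DEBUG org.apache.hadoop.security.UserGroupInformation: Initiating re-login for phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM
2018-01-26 11:59:01,299 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:ubuntu@BCPC.EXAMPLE.COM (auth:PROXY) via phoenixqs/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
2018-01-26 12:03:10,001 DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:alice@BCPC.EXAMPLE.COM (auth:PROXY) via HTTP/f-bcpc-vm1.bcpc.example.com@BCPC.EXAMPLE.COM (auth:KERBEROS) from:org.apache.phoenix.queryserver.server.Main$PhoenixDoAsCallback.doAsRemoteUser(Main.java:313)
"""

# "PrivilegedAction as:<user> (auth:PROXY) via <principal> (auth:KERBEROS)"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DEBUG \S*UserGroupInformation: PrivilegedAction "
    r"as:(?P<user>\S+) \(auth:PROXY\) via (?P<proxy>\S+) \(auth:KERBEROS\)")
TGT_FAIL_RE = re.compile(
    r"PrivilegedActionException as:(?P<principal>\S+) .*Failed to find any Kerberos tgt")
RELOGIN_RE = re.compile(r"Initiating re-login for (?P<principal>\S+)")


def analyze(log_text):
    """Summarise proxy-user activity and TGT recovery seen in UGI DEBUG lines."""
    proxied = {}          # proxying principal -> set of end users it acted for
    spnego_proxies = []   # (ts, user, proxy) where the proxying principal is HTTP/
    tgt_failures, relogins = [], []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            proxied.setdefault(m["proxy"], set()).add(m["user"])
            if m["proxy"].startswith("HTTP/"):   # SPNEGO keytab used as proxy identity
                spnego_proxies.append((m["ts"], m["user"], m["proxy"]))
            continue
        m = TGT_FAIL_RE.search(line)
        if m:
            tgt_failures.append(m["principal"])
            continue
        m = RELOGIN_RE.search(line)
        if m:
            relogins.append(m["principal"])
    # Every principal that lost its TGT must show a re-login, as in the comment's run.
    recovered = all(p in relogins for p in tgt_failures)
    return {"proxied": proxied, "spnego_proxies": spnego_proxies,
            "tgt_failures": tgt_failures, "relogins": relogins, "recovered": recovered}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```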
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)