phoenix-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Purtell <andrew.purt...@gmail.com>
Subject Re: Phoenix query server user authentication?
Date Sat, 05 Sep 2015 17:58:38 GMT
I think instead of the change as proposed it would be cleaner and more flexible to introduce
a plug point in the query server for authentication. Then there could be reusable plugins
for extracting the common SSO tokens (like JWT or SAML) and validating them against the common
identity providers like LDAP or AD. The plugins would get their configuration particulars
out of the site file. Users could implement additional plugins for extracting username and
passwords sent along in an X-header or whatever custom thing they are up to.  For plugin implementation
guidance, you might want to look at how other Apache projects that deal with these concerns
do it, like Knox. 


> On Sep 4, 2015, at 5:46 AM, Steve Howard <stevedhoward@gmail.com> wrote:
> 
> Hi Nick,
> 
> We actually did implement something rudimentary in test by simply adding a constructor
for the getConnection() method that accepted a username and password as the argument.  This
was passed to an InitialDirContext instance that connected to Active Directory.  If this did
not throw an exception, then we know the username and password is good and can then call the
"normal" getConnection() method.
> 
> If there is interest, we can clean up/refactor where needed, add properties configurable
in the hbase config for:
> 
> * the authentication method chosen (phoenix.authentication.ldap as a boolean)
> * the location of the LDAP server, whichever is in use (phoenix.ldap.url)
> * the template for the user DN ({0}@domainname.com).
> 
> Let me know if this sounds workable and we will do what is listed above.
> 
> Thanks,
> 
> Steve
> 
>> On Fri, Sep 4, 2015 at 1:35 AM, Nick Dimiduk <ndimiduk@gmail.com> wrote:
>> Hi Steve,
>> 
>> Security is a consideration of Query Server development. I have a TODO item in this
area, but haven't fleshed it out too much yet. My thinking is that we'll follow the model
example provided by HBase's own REST gateway. HTTPS between client and server; grabbing kerbros
credentials from the environment; server acting on authenticated user's behalf while interacting
with the cluster. I don't know where LDAP might fit into this, but I'm happy to take some
direction. If you're interested in contributing, this would be a great area as we can always
use more help on security.
>> 
>> -n
>> 
>>> On Thu, Sep 3, 2015 at 3:44 AM, Steve Howard <stevedhoward@gmail.com> wrote:
>>> We are interested in using HBase as a backend solution for an SSO stack that
supports persistent backend stores with a JDBC interface.  We would like to authenticate between
the SSO server and the HBase store by using the phoenix query server.  
>>> 
>>> Goal:
>>> ---------
>>> 
>>> client --> SSO --> phoenix query server (https) --> LDAP --> If successful

>>>                                                                             
                 |
>>>                                                                             
                 |
>>>                                                                             
                 |
>>>                                                                             
                 v
>>>                                                                             
                 phoenix query server (https) --> HBase (normal phoenix connection to HBase)
>>> 
>>> The docs state it supports only an http transport between the client (SSO, in
this case) and the phoenix query server.  We are curious about two things:
>>> 
>>> * Has any consideration been given to supporting https?
>>> * Has any consideration been given to authenticating a user in the phoenix query
server, similar to what hive uses when it can be configured to authenticate with LDAP?  This
is outside of kerberos, this is just phoenix reaching out to check a username/password combination
>>> 
>>> If we can't do this, I don't think it will pass governance testing.
> 

Mime
View raw message