phoenix-user mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: SSL Phoenix
Date Mon, 27 Nov 2017 01:58:15 GMT
Thanks, Ash. Just to confirm, there are definitely the tools/configuration
that exist to provide end to end data privacy (at rest and in motion). SSL
is just not part of that picture :)

On Nov 24, 2017 12:19, "Ash N" <742000@gmail.com> wrote:

> Josh,
>
> Thank you for your quick response.
>
> The data is sensitive personal data of customers. Everything needs to be
> encrypted and secure. In-wire, on-wire, in-motion, at rest, everything.
> Our solution was to use SSL/TLS everywhere. Our development team reported
> that Phoenix does not support SSL. Therefore this is a big problem.
>
> Based on the above statements, if you have additional ideas, I will
> gladly take them;
> if you have additional input, please do provide it. I unfortunately have very
> limited to no knowledge on security.  So this becomes a challenge area for
> me.
>
> Meanwhile, I will look up the link you have provided and will continue to
> do research on this topic.
>
> thanks,
> -ash
>
> On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <elserj@apache.org> wrote:
>
>> Why do you have a hard requirement on using SSL?
>>
>> HBase itself does not use SSL to provide confidentiality on its wire
>> communication; it relies on jGSS and SASL to implement this security. Under
>> the hood, this actually boils down to using GSSAPI, Kerberos specifically,
>> to implement privacy (e.g. aes256-cts-hmac-sha1-96).
>>
>> Take a look at
>> https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
>> Phoenix executes
>> all of its RPCs over HBase RPCs, so if you have HBase set up correctly,
>> Phoenix will follow.
>>
>> If you want to introduce the Phoenix Query Server into your architecture,
>> you can place it behind an SSL/TLS proxy server (or configure PQS directly
>> with SSL/TLS using a sufficiently new version of Phoenix). This would be
>> the only way I know of to "use Phoenix with SSL", but, in my experience,
>> this is rarely what people actually want when they say this ;)
>>
>> Disclaimer: I have no idea how any of this translates to EMR :)
>>
>>
>> On 11/24/17 12:01 PM, Ash N wrote:
>>
>>> Hello All,
>>>
>>> Thank you for the great work the team is doing on Phoenix.
>>>
>>> Summary: does Phoenix support SSL connections in an Amazon EMR cluster?
>>>
>>> We are running Phoenix on an EMR cluster in Amazon. We have a need to
>>> connect to Phoenix over SSL. I don't see much documentation around this
>>> topic anywhere; also, I saw a couple of JIRA tickets that did not provide
>>> enough help or direction on this topic.
>>>
>>> If Phoenix does not support SSL connections, what are my options?
>>>
>>> Starting off six months ago, we assumed this should not be an issue.
>>> Now we are in big trouble.
>>>
>>> All and any help is greatly appreciated.
>>>
>>> Thanks
>>> Ash
>>>
>>
>
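
An added example, not part of the original thread: a small check of an hbase-site.xml for the SASL privacy protection that the quoted reply describes for HBase RPC. The property names hbase.security.authentication and hbase.rpc.protection come from the HBase reference guide rather than from this thread, and both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Settings under which HBase RPC (and so Phoenix thick-client traffic) is
# Kerberos-authenticated and encrypted by the SASL "privacy" level.
REQUIRED = {
    "hbase.security.authentication": "kerberos",
    "hbase.rpc.protection": "privacy",
}

# Constructed sample: Kerberos is on, but RPC payloads are not encrypted.
AUTH_ONLY = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>authentication</value></property>
</configuration>"""

# Constructed sample: Kerberos plus SASL privacy on the wire.
PRIVATE = AUTH_ONLY.replace("<value>authentication</value>", "<value>privacy</value>")

def load_properties(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rpc_privacy(xml_text):
    """Return a list of findings; an empty list means wire privacy is configured."""
    props = load_properties(xml_text)
    findings = []
    for name, wanted in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name} is not set (expected {wanted})")
        elif actual.lower() != wanted:
            findings.append(f"{name}={actual} (expected {wanted})")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("auth-only", AUTH_ONLY), ("private", PRIVATE)):
        print(label, audit_rpc_privacy(xml_text) or "OK")
```

Run the same check against the hbase-site.xml used by clients as well as servers, since both ends of the RPC need matching protection settings.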
