phoenix-user mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: SSL Phoenix
Date Tue, 28 Nov 2017 16:24:39 GMT
Have you read the portion of the HBase book that I previously linked to? 
This is handled by SASL and GSSAPI/Kerberos. Please use your favorite 
search engine and do some reading.

SSL is just *one* library that can be used to provide privacy of data in 
motion.

On 11/27/17 7:25 AM, Ash N wrote:
> Josh,
> 
> Thank you for your comment.
> 
> 1. Could you please point me to any resources around the below statement
> you make?
> 
> " there are definitely the tools/configuration that exist to provide end
> to end data privacy "
> 
> 2. SSL is just not part of that picture :)
> 
> Above statement is contrary to my understanding.
> 
> Thought SSL enables secure connections.
> 
> Input as always is appreciated.
> 
> Thanks.
> 
> 
> On Nov 26, 2017 8:58 PM, "Josh Elser" <elserj@apache.org> wrote:
> 
>     Thanks, Ash. Just to confirm, there are definitely the
>     tools/configuration that exist to provide end to end data privacy
>     (at rest and in motion). SSL is just not part of that picture :)
> 
>     On Nov 24, 2017 12:19, "Ash N" <742000@gmail.com> wrote:
> 
>         Josh,
> 
>         Thank you for your quick response.
> 
>         The data is sensitive personal data of customers. Everything
>         needs to be encrypted and secure. In-wire, on-wire,
>         in-motion, at rest, everything.
>         Our solution was to use SSL/TLS everywhere.  Our development
>         team reported that Phoenix does not support SSL. Therefore this
>         is a big problem.
> 
>         Based on the above statements,  if you have additional ideas, I
>         will gladly take them,
>         if you have additional input please do provide.  I unfortunately
>         have very limited to no knowledge on security.  So this becomes
>         a challenge area for me.
> 
>         Meanwhile,  I will look up the link you have provided and will
>         continue to do research on this topic.
> 
>         thanks,
>         -ash
> 
>         On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <elserj@apache.org> wrote:
> 
>             Why do you have a hard-requirement on using SSL?
> 
>             HBase itself does not use SSL to provide confidentiality on
>             its wire communication, it relies on jGSS and SASL to
>             implement this security. Under the hood, this actually boils
>             down to using GSSAPI, Kerberos specifically, to implement
>             privacy (e.g. aes256-cts-hmac-sha1-96).
> 
>             Take a look at
>             https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
>             Phoenix executes all of its RPCs over HBase RPCs, so if you
>             have HBase set up correctly, Phoenix will follow.
> 
>             If you want to introduce the Phoenix Query Server into your
>             architecture, you can place it behind an SSL/TLS proxy
>             server (or configure PQS directly with SSL/TLS using a
>             sufficiently new version of Phoenix). This would be the only
>             way I know of to "use Phoenix with SSL", but, in my
>             experience, this is rarely what people actually want when
>             they say this ;)
> 
>             Disclaimer: I have no idea how any of this translates to EMR :)
> 
> 
>             On 11/24/17 12:01 PM, Ash N wrote:
> 
>                 Hello All,
> 
>                 Thank you for the great work the team is doing on Phoenix.
> 
>                 Summary :  does Phoenix support SSL connection in Amazon
>                 EMR Cluster?
> 
>                 We are running Phoenix on an EMR cluster in Amazon. We have
>                 a need to connect to Phoenix over SSL. I don't see much
>                 documentation around this topic anywhere; also, I saw a
>                 couple of Jira tickets that did not provide enough help
>                 or direction on this topic.
> 
>                 If Phoenix does not support SSL connections what are my
>                 options?
> 
>                 Starting off six months ago,  we assumed this should not
>                 be an issue.  Now we are in big trouble.
> 
>                 All and any help is greatly appreciated.
> 
>                 Thanks
>                 Ash
> 
> 
> 
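
The thread above says HBase RPC privacy comes from SASL/GSSAPI rather than SSL. As an added example (not part of the original messages and not Phoenix or HBase project code), this sketch audits an `hbase-site.xml` for the two settings that control it. The property names `hbase.security.authentication` and `hbase.rpc.protection` come from HBase's configuration, not from the thread; the sample XML is constructed, and treating `hbase.rpc.protection` as a comma-separated list is an assumption about newer HBase versions.

```python
import xml.etree.ElementTree as ET

# Constructed sample hbase-site.xml: Kerberos is on, but RPC protection still
# accepts the weaker "authentication" level, so payloads may travel unencrypted.
SAMPLE_WEAK = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.protection</name><value>authentication,privacy</value></property>
</configuration>"""

# Same constructed file with only the encrypting SASL level allowed.
SAMPLE_PRIVATE = SAMPLE_WEAK.replace("authentication,privacy", "privacy")

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_rpc_privacy(xml_text):
    """Return a list of findings; an empty list means RPC payloads are encrypted."""
    props = load_props(xml_text)
    findings = []
    # Unset authentication falls back to "simple", i.e. no Kerberos at all.
    auth = props.get("hbase.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(f"hbase.security.authentication={auth}: SASL/GSSAPI is not in use")
    # Unset protection falls back to "authentication" (no wire encryption).
    raw = props.get("hbase.rpc.protection", "authentication")
    levels = {v.strip().lower() for v in raw.split(",") if v.strip()}
    weaker = sorted(levels - {"privacy"})
    if "privacy" not in levels:
        findings.append(f"hbase.rpc.protection={raw}: RPC traffic is not encrypted")
    elif weaker:
        findings.append(f"hbase.rpc.protection={raw}: also accepts {', '.join(weaker)}")
    return findings

if __name__ == "__main__":
    for label, doc in (("weak", SAMPLE_WEAK), ("private", SAMPLE_PRIVATE)):
        print(label, audit_rpc_privacy(doc) or "OK")
```

The same check applies to the client-side `hbase-site.xml` that Phoenix picks up, since Phoenix issues its RPCs through the HBase client.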
