phoenix-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Elser <els...@apache.org>
Subject Re: Specifying HBase cell visibility labels or running as a particular user
Date Mon, 08 Oct 2018 23:33:57 GMT
Hey Mike,

You can definitely authenticate yourself as with the Kerberos 
credentials of your choice. There are generally two ways in you can do this:

1. Login using UserGroupInformation APIs and then make JDBC calls with 
the Phoenix JDBC driver (thick or thin)
2. Use the principal+keytab JDBC url "options" and let Phoenix do it for 
you.

These have had some issues around them in the past, but, if you're using 
a recent release, you should be fine.

I don't believe we have any integration with HBase visibility labels, 
and I think this would be extremely tricky to get correct (Phoenix does 
a significant amount of reads on your behalf for a query via 
coprocessors. You'd have to update each of these to pass through and set 
the labels everywhere).

On 10/8/18 4:36 PM, Mike Thomsen wrote:
> We have a particular use case where we'd like to be able to effectively 
> do a SELECT on a table and say either "execute as this user" or "execute 
> with this list of HBase visibility tokens."
> 
> This looks somewhat promising for the former:
> 
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_installing_manually_book/content/validating-phoenix-installation.html
> 
> It looks like we could at least allow some of our users to have a 
> kerberos tab set up for them.
> 
> Any thoughts on how to approach this? I know it may be uncharted 
> territory for Phoenix and don't mind trying to get my hands dirty on 
> working on a PR or something.
> 
> Thanks,
> 
> Mike
> 

Mime
View raw message