phoenix-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Thomsen <mikerthom...@gmail.com>
Subject Re: Specifying HBase cell visibility labels or running as a particular user
Date Tue, 09 Oct 2018 00:15:48 GMT
Josh,

Thanks for the info. Both of those seem like potentially good options.

For what it's worth, I did a really simple demo before asking this. It
involved setting up a simple table with labels and just using Phoenix as a
read-only view. Worked like a charm. The unprivileged user was redacted
just like we expected on the cell they didn't have the final label to see.

Since we're not expecting to give the users write access to the protected
data, all we need is to figure out how to tailor the connection to make
sure HBase knows what authorizations a user has.

Mike

On Mon, Oct 8, 2018 at 7:34 PM Josh Elser <elserj@apache.org> wrote:

> Hey Mike,
>
> You can definitely authenticate yourself as with the Kerberos
> credentials of your choice. There are generally two ways in you can do
> this:
>
> 1. Login using UserGroupInformation APIs and then make JDBC calls with
> the Phoenix JDBC driver (thick or thin)
> 2. Use the principal+keytab JDBC url "options" and let Phoenix do it for
> you.
>
> These have had some issues around them in the past, but, if you're using
> a recent release, you should be fine.
>
> I don't believe we have any integration with HBase visibility labels,
> and I think this would be extremely tricky to get correct (Phoenix does
> a significant amount of reads on your behalf for a query via
> coprocessors. You'd have to update each of these to pass through and set
> the labels everywhere).
>
> On 10/8/18 4:36 PM, Mike Thomsen wrote:
> > We have a particular use case where we'd like to be able to effectively
> > do a SELECT on a table and say either "execute as this user" or "execute
> > with this list of HBase visibility tokens."
> >
> > This looks somewhat promising for the former:
> >
> >
> https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_installing_manually_book/content/validating-phoenix-installation.html
> >
> > It looks like we could at least allow some of our users to have a
> > kerberos tab set up for them.
> >
> > Any thoughts on how to approach this? I know it may be uncharted
> > territory for Phoenix and don't mind trying to get my hands dirty on
> > working on a PR or something.
> >
> > Thanks,
> >
> > Mike
> >
>

Mime
View raw message