phoenix-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Elser <>
Subject Re: Specifying HBase cell visibility labels or running as a particular user
Date Mon, 08 Oct 2018 23:33:57 GMT
Hey Mike,

You can definitely authenticate yourself as with the Kerberos 
credentials of your choice. There are generally two ways in you can do this:

1. Login using UserGroupInformation APIs and then make JDBC calls with 
the Phoenix JDBC driver (thick or thin)
2. Use the principal+keytab JDBC url "options" and let Phoenix do it for 

These have had some issues around them in the past, but, if you're using 
a recent release, you should be fine.

I don't believe we have any integration with HBase visibility labels, 
and I think this would be extremely tricky to get correct (Phoenix does 
a significant amount of reads on your behalf for a query via 
coprocessors. You'd have to update each of these to pass through and set 
the labels everywhere).

On 10/8/18 4:36 PM, Mike Thomsen wrote:
> We have a particular use case where we'd like to be able to effectively 
> do a SELECT on a table and say either "execute as this user" or "execute 
> with this list of HBase visibility tokens."
> This looks somewhat promising for the former:
> It looks like we could at least allow some of our users to have a 
> kerberos tab set up for them.
> Any thoughts on how to approach this? I know it may be uncharted 
> territory for Phoenix and don't mind trying to get my hands dirty on 
> working on a PR or something.
> Thanks,
> Mike

View raw message