https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172292#M54286 <P>HI Josh,</P><P>Thank you very much for your reply. Could you take a look at question: <A href="https://community.hortonworks.com/questions/83220/how-to-use-knox-to-securely-access-hbase-through-o.html" target="_blank">https://community.hortonworks.com/questions/83220/how-to-use-knox-to-securely-access-hbase-through-o.html</A>?</P><P>Thanks!</P> Tue, 14 Feb 2017 00:12:56 GMT hong_yu 2017-02-14T00:12:56Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172290#M54284 <P>We have HDP 2.5.3 deployed on RedHat Linux with Phoenix Query Server (PQS) in front of Phoenix+HBase. Our plan is to use ODBC on Windows Server through Phoenix Query Server to access HBase.</P><P>We are looking for a solution WITHOUT using Kerberos. We would like to turn on httpS on the PQS to secure the connection.</P><P>The data flow would look like this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="12409-odbcphoenix.png" style="width: 903px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/20006iFEC25A9B3F3B79A6/image-size/medium?v=v2&amp;px=400" role="button" title="12409-odbcphoenix.png" alt="12409-odbcphoenix.png" /></span></P><P>We tested that once the ODBC DSN is configured with a username and password, the request sent out from it to PQS does use HTTP Basic Authentication.</P><P>We need help on:</P><UL><LI>How to have PQS turn on HTTP Basic authentication to authenticate the calls from ODBC?<STRONG></STRONG></LI><LI>How to turn on http<STRONG>S</STRONG> on PQS to secure the connection? </LI><LI>How to impersonate the calls from PQS to HBase with the authenticated user? By default, PQS calls HBase as user “hbase” because PQS runs under this user. We need to have PQS call HBase with the impersonated user so that Ranger can be used to control the access. This configuration for impersonation, <A href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/kerb-config-secure-phoenix.html" target="_blank" rel="nofollow noopener noreferrer">http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/kerb-config-secure-phoenix.html</A>, does not seem to work without Kerberos.</LI></UL><P>Are these above configurations possible? Thanks for any help!</P> Sun, 18 Aug 2019 10:33:48 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172290#M54284 hong_yu 2019-08-18T10:33:48Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172291#M54285 <P>"How to have PQS turn on HTTP Basic authentication to authenticate the calls from ODBC?"</P><P style="margin-left: 20px;">This is not supported by PQS, but the code exists in Avatica to support it.</P><P><A href="http://calcite.apache.org/avatica/docs/security.html#http-basic-authentication" target="_blank">http://calcite.apache.org/avatica/docs/security.html#http-basic-authentication</A></P><P style="margin-left: 20px;">Your only route presently is to modify Phoenix to support this.</P><P>"How to turn on http<STRONG>S</STRONG> on PQS to secure the connection?"</P><P style="margin-left: 20px;">This presently is not supported by PQS.</P><P>"How to impersonate the calls from PQS to HBase with the authenticated user?"</P><P style="margin-left: 20px;">This is only supported via SPNEGO authentication in PQS.</P><P style="margin-left: 20px;"><A href="http://calcite.apache.org/avatica/docs/security.html#impersonation" target="_blank">http://calcite.apache.org/avatica/docs/security.html#impersonation</A></P><P style="margin-left: 20px;">Again, you can modify Phoenix to support this but there is no out of the box solution.</P><P>--</P><P>You can consider the use of Apache Knox to sit between the ODBC driver and PQS which would provide TLS and configurable authentication.</P><P><A href="https://issues.apache.org/jira/browse/KNOX-817" target="_blank">https://issues.apache.org/jira/browse/KNOX-817</A></P><P><A href="https://issues.apache.org/jira/browse/KNOX-844" target="_blank">https://issues.apache.org/jira/browse/KNOX-844</A></P> Tue, 14 Feb 2017 00:09:16 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172291#M54285 elserj 2017-02-14T00:09:16Z https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172292#M54286 <P>HI Josh,</P><P>Thank you very much for your reply. Could you take a look at question: <A href="https://community.hortonworks.com/questions/83220/how-to-use-knox-to-securely-access-hbase-through-o.html" target="_blank">https://community.hortonworks.com/questions/83220/how-to-use-knox-to-securely-access-hbase-through-o.html</A>?</P><P>Thanks!</P> Tue, 14 Feb 2017 00:12:56 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/How-to-access-HBase-through-ODBC-then-Phoenix-Query-Server/m-p/172292#M54286 hong_yu 2017-02-14T00:12:56Z