Created on 12-12-2016 02:31 AM
One quirk of Apache Phoenix, compared to a traditional RDBMS, is that Phoenix provides no notion of simple username/password-based authentication. This largely stems from Apache HBase, which Phoenix is built on, also not providing this form of authentication. With the introduction of the Phoenix Query Server, we have a number of new means of interacting with Phoenix. We also have the ability to hook together new systems to provide features, like username/password authentication, which are not traditionally supported.
There are multiple products available which can perform this kind of authentication, but we can trivially show that this works via a common HTTP load balancer, HAProxy. Let's assume that we have the Phoenix Query Server running on our local machine listening on the standard 8765 port. We can enable some trivial authentication using HAProxy. First, we need to create our HAProxy configuration file.
```
global
    maxconn 256

defaults
    mode http
    option redispatch
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

userlist AvaticaUsers
    user josh insecure-password secret

frontend avatica-http-in
    bind *:9000
    default_backend avaticaservers

backend avaticaservers
    balance source
    server queryserver1 127.0.0.1:8765 check
    acl AuthOkay http_auth(AvaticaUsers)
    http-request auth if !AuthOkay
```
The above contents can be placed into a file, which should then be referenced when starting HAProxy (e.g. `haproxy -f my_auth.conf`). The result will be HAProxy listening on port 9000 and applying HTTP Basic authentication to requests before they are dispatched to the backend PQS. This example will only accept the username/password combination of "josh" and "secret". Using an external authentication source is left as an exercise for the user.
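The configuration above keeps the password in cleartext (`insecure-password`) and serves Basic authentication over plain HTTP, where the credentials are only base64-encoded. The following hardened variant is an added example, not part of the original article; the certificate path, the realm name and the hash placeholder are assumptions to be replaced with your own values.

```haproxy
# Added example (not from the original article): the article's configuration
# with each weak setting shown as a comment beside its hardened replacement.
global
    maxconn 256

defaults
    mode http
    option redispatch
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

userlist AvaticaUsers
    # Weak: cleartext secret, readable by anyone who can read this file.
    #   user josh insecure-password secret
    # Hardened: "password" takes a crypt(3) hash, e.g. the output of
    # `openssl passwd -6`. The value below is a placeholder, not a real hash.
    user josh password REPLACE_WITH_CRYPT_HASH

frontend avatica-http-in
    # Weak: plain HTTP, so the Authorization header crosses the network
    # base64-encoded only.
    #   bind *:9000
    # Hardened: terminate TLS at the proxy. The PEM path is an assumed
    # location; the file must hold the certificate chain and the private key.
    bind *:9000 ssl crt /etc/haproxy/certs/pqs.pem
    default_backend avaticaservers

backend avaticaservers
    balance source
    acl AuthOkay http_auth(AvaticaUsers)
    # The realm name is an assumed label shown in the client's auth prompt.
    http-request auth realm PhoenixQueryServer if !AuthOkay
    # PQS performs no authentication of its own, so port 8765 must only be
    # reachable through this proxy (loopback-only listener or host firewall).
    server queryserver1 127.0.0.1:8765 check
```

Check the file with `haproxy -c -f my_auth.conf` before starting the proxy. Clients then connect with an `https://` URL and must trust the certificate.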
With the changes presently staged in PHOENIX-3517, we can easily connect to PQS, via HAProxy, using our username and password with the HTTP Basic authentication method.

```
./sqlline-thin.py -a BASIC --auth-user=josh --auth-password=secret http://localhost:9000
```
Similarly, using a username or password that doesn't match the configuration would result in the client receiving an HTTP/403 error and being unable to access Phoenix.
This example can be extrapolated to relevant technology like Apache Knox which provides a fully-featured authentication-gateway service and shows how we can bring username/password authentication to Apache Phoenix in the near future.
Created on 10-06-2017 06:19 AM
Hi @Josh Elser,
Thanks for the post. My OS is Windows and it seems HAProxy is not available for Windows. Can Nginx be used for custom authentication with Phoenix for this use case on Windows?
Regards,
Dinesh Kumar P
Created on 08-10-2018 02:50 AM
HAProxy should be installed on the server, not on the client. Should this problem not exist?
Created on 09-24-2018 12:21 PM
How to connect remote EC2 HDP Phoenix DB from local Spring Boot Application?