Support Questions

Find answers, ask questions, and share your expertise

How to access HBase through ODBC then Phoenix Query Server Securely with Impersonation?

avatar
Contributor

We have HDP 2.5.3 deployed on RedHat Linux with Phoenix Query Server (PQS) in front of Phoenix+HBase. Our plan is to use ODBC on Windows Server through Phoenix Query Server to access HBase.

We are looking for a solution WITHOUT using Kerberos. We would like to turn on httpS on the PQS to secure the connection.

The data flow would look like this.

12409-odbcphoenix.png

We tested that once the ODBC DSN is configured with a username and password, the request sent out from it to PQS does use HTTP Basic Authentication.

We need help on:

  • How to have PQS turn on HTTP Basic authentication to authenticate the calls from ODBC?
  • How to turn on httpS on PQS to secure the connection?
  • How to impersonate the calls from PQS to HBase with the authenticated user? By default, PQS calls HBase as user “hbase” because PQS runs under this user. We need to have PQS call HBase with the impersonated user so that Ranger can be used to control the access. This configuration for impersonation, http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/kerb-config-secure-phoen..., does not seem to work without Kerberos.

Are these above configurations possible? Thanks for any help!

1 ACCEPTED SOLUTION

avatar
Super Guru

"How to have PQS turn on HTTP Basic authentication to authenticate the calls from ODBC?"

This is not supported by PQS, but the code exists in Avatica to support it.

http://calcite.apache.org/avatica/docs/security.html#http-basic-authentication

Your only route presently is to modify Phoenix to support this.

"How to turn on httpS on PQS to secure the connection?"

This presently is not supported by PQS.

"How to impersonate the calls from PQS to HBase with the authenticated user?"

This is only supported via SPNEGO authentication in PQS.

http://calcite.apache.org/avatica/docs/security.html#impersonation

Again, you can modify Phoenix to support this but there is no out of the box solution.

--

You can consider the use of Apache Knox to sit between the ODBC driver and PQS which would provide TLS and configurable authentication.

https://issues.apache.org/jira/browse/KNOX-817

https://issues.apache.org/jira/browse/KNOX-844

View solution in original post

2 REPLIES 2

avatar
Super Guru

"How to have PQS turn on HTTP Basic authentication to authenticate the calls from ODBC?"

This is not supported by PQS, but the code exists in Avatica to support it.

http://calcite.apache.org/avatica/docs/security.html#http-basic-authentication

Your only route presently is to modify Phoenix to support this.

"How to turn on httpS on PQS to secure the connection?"

This presently is not supported by PQS.

"How to impersonate the calls from PQS to HBase with the authenticated user?"

This is only supported via SPNEGO authentication in PQS.

http://calcite.apache.org/avatica/docs/security.html#impersonation

Again, you can modify Phoenix to support this but there is no out of the box solution.

--

You can consider the use of Apache Knox to sit between the ODBC driver and PQS which would provide TLS and configurable authentication.

https://issues.apache.org/jira/browse/KNOX-817

https://issues.apache.org/jira/browse/KNOX-844

avatar
Contributor

HI Josh,

Thank you very much for your reply. Could you take a look at question: https://community.hortonworks.com/questions/83220/how-to-use-knox-to-securely-access-hbase-through-o...?

Thanks!