Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to use Knox to securely access HBase through ODBC then Phoenix Query Server?

avatar
author-rank hong_yu
Contributor

Created on ‎02-13-2017 03:31 PM - edited ‎08-18-2019 03:32 AM

We have HDP 2.5.3 deployed on RedHat Linux with Phoenix Query Server (PQS) in front of Phoenix+HBase. Our plan is to use ODBC on Windows Server through Phoenix Query Server to access HBase.

Since we do NOT plan to use Kerberos yet, we plan to use Knox as the secure server to proxy the data flow, as the diagram below:

12410-odbcknoxphoenix.png

We set up the Knox for PQS as described here, http://knox.apache.org/books/knox-0-11-0/user-guide.html#Avatica. Even though this user guide is for Knox 0.11 and HDP 2.5.3 uses Knox 0.9, according to @Josh Elser fix for https://issues.apache.org/jira/browse/KNOX-844, it should work for earlier Knox.

The setup does work in our system. The traffic from ODBC hit PQS successfully. However, there is a problem, the PQS failed to parse the request because the http request coming out of ODBC is not urlencoded, but the content is urlencoded after Knox.

After tracing all the calls, it seems that it is caused by ODBC driver sending out Avatica Http request with content-type set to "application/x-www-form-urlencoded”, even though the content is NOT urlencoded at all. But, when the request passes through Knox, it comes out as urlencoded. The PQS seems not able to parse urlencoded content. It seems to take the input as it is.

In comparison, the jdbc thin driver sends out http request with content-type “application/octet-stream”, which seems to be more appropriate.

Question:

Is there any way to change the content type of ODBC driver to use content type “application/octet-stream” instead? Or is there anyway to tell Knox server not to urlencode the content even though the content type is "application/x-www-form-urlencoded”? Do prefer the first approach.

We also need help on the following questions to use Ranger control:

  • How can Knox pass the authenticated user to PQS along with the proxy-ed HTTP request?
  • Then How can PQS impersonate as the authenticated user to call HBase so that Ranger can control the access by that user? Since PQS runs as "hbase" and it calls PQS as "hbase", ranger control cannot be used.

Thanks for any help!

3,835 Views
1 ACCEPTED SOLUTION

avatar
author-rank elserj author-rank
Super Guru

Created ‎02-13-2017 04:18 PM

"After tracing all the calls, it seems that it is caused by ODBC driver sending out Avatica Http request with content-type set to "application/x-www-form-urlencoded”, even though the content is NOT urlencoded at all. But, when the request passes through Knox, it comes out as urlencoded. The PQS seems not able to parse urlencoded content. It seems to take the input as it is."

This sounds like a bug in the ODBC driver. I'll have to see what I can find...

"Then How can PQS impersonate as the authenticated user to call HBase so that Ranger can control the access by that user? Since PQS runs as "hbase" and it calls PQS as "hbase", ranger control cannot be used."

This is a factor of impersonation from PQS to HBase (really, Phoenix) only being configured when Kerberos authentication is enabled. My answer to your other question on https://community.hortonworks.com/questions/83203/how-to-access-hbase-through-odbc-then-phoenix-quer... already covered this.

"How can Knox pass the authenticated user to PQS along with the proxy-ed HTTP request?"

There is some on-going work which would help enable this in Avatica https://issues.apache.org/jira/browse/CALCITE-1539

View solution in original post

2,918 Views
7 REPLIES 7

avatar
author-rank elserj author-rank
Super Guru

Created ‎02-13-2017 04:18 PM

"After tracing all the calls, it seems that it is caused by ODBC driver sending out Avatica Http request with content-type set to "application/x-www-form-urlencoded”, even though the content is NOT urlencoded at all. But, when the request passes through Knox, it comes out as urlencoded. The PQS seems not able to parse urlencoded content. It seems to take the input as it is."

This sounds like a bug in the ODBC driver. I'll have to see what I can find...

"Then How can PQS impersonate as the authenticated user to call HBase so that Ranger can control the access by that user? Since PQS runs as "hbase" and it calls PQS as "hbase", ranger control cannot be used."

This is a factor of impersonation from PQS to HBase (really, Phoenix) only being configured when Kerberos authentication is enabled. My answer to your other question on https://community.hortonworks.com/questions/83203/how-to-access-hbase-through-odbc-then-phoenix-quer... already covered this.

"How can Knox pass the authenticated user to PQS along with the proxy-ed HTTP request?"

There is some on-going work which would help enable this in Avatica https://issues.apache.org/jira/browse/CALCITE-1539

2,919 Views

avatar
author-rank hong_yu
Contributor

Created ‎02-13-2017 04:28 PM

Thank you Josh. Please let us know whether the ODBC problem can be solved. We can live with the rest if the ODBC to Knox to PQS is working. Thanks!

2,918 Views
0 Kudos

avatar
author-rank hong_yu
Contributor

Created ‎02-15-2017 02:21 PM

Hi Josh, is there any way to setup Knox server to not urlencode (or change) the http body regardless of the content-type when http requests pass through it?

Thanks.

2,918 Views
0 Kudos

avatar
author-rank elserj author-rank
Super Guru

Created ‎02-15-2017 04:04 PM

Not sure, Hong, but I'm also a Knox newbie. Let me see if I can find someone with more expertise 🙂

2,918 Views
0 Kudos

avatar
author-rank elserj author-rank
Super Guru

Created ‎02-15-2017 06:41 PM

It sounds like this is presently not possible to disable this re-encoding. The thought is that other services actually require this to be done. If you'd like, please feel free to create a JIRA issue in the KNOX project at Apache (or I can do that). We can try to come up with an improvement for Knox in the future to prevent this problem for other services.

I'm also in talks with the ODBC devs who said that they can likely fix the driver to address this issue at the source as well.

2,918 Views

avatar
author-rank hong_yu
Contributor

Created ‎02-15-2017 07:18 PM

Thank you Josh for looking into this. It would be convenient if Knox can have a configuration switch that would preserve the http body regardless of the content-type of incoming requests, as a proxy server essentially. Please open a JIRA issue if you think it is a good feature.

Thank you very much for your help of looking into the ODBC driver issue. Hopefully the fix can come out soon.

2,918 Views
0 Kudos

avatar
author-rank ashojose
New Contributor

Created ‎12-08-2017 09:56 AM

@Josh Elser , We seem to hit the same issue, is this resolved ?

2,918 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements