Sorry for the likely basic question, but I am having a little trouble making sense of the documentation. We are currently running a HDP 2.4 cluster, hosting an unsecured HBase database. All access to HBase is via Phoenix. We connect to Phoenix from our application using the fat client. So, we have no authorization/authentication/etc.
We are now looking to start adding auth, and I want to make sure we are looking at the correct tools. We would like the ability to pass a user/password along when establishing our Phoenix connections, so we can begin to provide read-only access to the cluster to some users, and read/write access for others.
- Do we need to use Kerberos? We are not currently running this in our setup, and would like to avoid if possible - according to our security folks. No external customers will access our cluster, all access is via our app servers, or for engineers running ad-hoc queries for debugging purposes.
- It sounds like Ranger would be the tool to handle authorization (via Kerberos) and authentication for HBase. Does that work for Phoenix as well? Is PQS required, or would it work with the fat client as well?
- Is there something else we should be looking at, maybe a simpler way to create read-only users in our cluster?
We are looking at upgrading to the latest stable HDP in the next several months, if that changes anything.
