Sorry for the likely basic question, but I am having a little trouble making sense of the documentation. We are currently running an HDP 2.4 cluster, hosting an unsecured HBase database. All access to HBase is via Phoenix. We connect to Phoenix from our application using the fat client. So, we have no authorization/authentication/etc.
We are now looking to start adding auth, and I want to make sure we are looking at the correct tools. We would like the ability to pass a user/password along when establishing our Phoenix connections, so we can begin to provide read-only access to the cluster to some users, and read/write access for others.
Do we need to use Kerberos? We are not currently running this in our setup, and would like to avoid it if possible, according to our security folks. No external customers will access our cluster; all access is via our app servers, or by engineers running ad-hoc queries for debugging purposes.
It sounds like Ranger would be the tool to handle authorization (via Kerberos) and authentication for HBase. Does that work for Phoenix as well? Is PQS required, or would it work with the fat client as well?
Is there something else we should be looking at, maybe a simpler way to create read-only users in our cluster?
We are looking at upgrading to the latest stable HDP in the next several months, if that changes anything.
Yes, if you want to be sure that the user is who they say they are, you have to use Kerberos. Kerberos *is* for internal authentication. People/services who come from outside can avoid accessing the cluster via Kerberos by using Knox as the secure gateway to Hadoop.
Ranger handles authorization via plugins. Ranger can also be used as a centralized authorization platform in a cluster that is not kerberized. (Ranger = Authorization, Kerberos = Authentication)
Phoenix tables are actually HBase tables. So you'd need to create Ranger policies for the HBase plugin to authorize users on Phoenix tables.
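
As an added illustration (not part of the answer above, and not code from Ranger or Phoenix): a sketch that maps a Phoenix table name to the HBase table backing it and builds a read-only / read-write policy document in the JSON shape used by Ranger's public REST API. The service name `cluster_hbase`, the table `app.events` and the user names are constructed, and the field layout should be checked against the installed Ranger version.

```python
import json
import re

# Access types defined by Ranger's HBase service: read, write, create, admin.
READ_ONLY = ["read"]
READ_WRITE = ["read", "write"]


def hbase_table_name(phoenix_name):
    """Return the HBase table name behind a Phoenix table name.

    Phoenix upper-cases unquoted identifiers and keeps quoted ones as
    written. Without namespace mapping, SCHEMA.TABLE is a single HBase
    table name that contains a dot.
    """
    parts = re.findall(r'"[^"]*"|[^.]+', phoenix_name)
    return ".".join(p[1:-1] if p.startswith('"') else p.upper() for p in parts)


def ranger_hbase_policy(service, phoenix_table, readers, writers):
    """Build one HBase policy: readers get read, writers get read+write."""
    table = hbase_table_name(phoenix_table)

    def item(users, access_types):
        return {
            "users": sorted(users),
            "groups": [],
            "accesses": [{"type": t, "isAllowed": True} for t in access_types],
            "delegateAdmin": False,
        }

    pairs = ((readers, READ_ONLY), (writers, READ_WRITE))
    return {
        "service": service,            # hypothetical Ranger service name
        "name": "phoenix-" + table,
        "isEnabled": True,
        "resources": {
            "table": {"values": [table]},
            "column-family": {"values": ["*"]},
            "column": {"values": ["*"]},
        },
        # Ranger matches on the user name HBase sees; as the answer says,
        # only Kerberos establishes that the name is genuine.
        "policyItems": [item(u, a) for u, a in pairs if u],
    }


if __name__ == "__main__":
    # Constructed sample: one debugging user, one application account.
    policy = ranger_hbase_policy("cluster_hbase", "app.events",
                                 {"debug_engineer"}, {"app_server"})
    print(json.dumps(policy, indent=2))
```

Phoenix keeps its own metadata in HBase tables named `SYSTEM.*`; those need their own policy, which this sketch does not generate.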