Phoenix read only access

New Contributor

Sorry for the likely basic question, but I am having a little trouble making sense of the documentation. We are currently running an HDP 2.4 cluster, hosting an unsecured HBase database. All access to HBase is via Phoenix. We connect to Phoenix from our application using the fat client. So, we have no authorization/authentication/etc.

We are now looking to start adding auth, and I want to make sure we are looking at the correct tools. We would like the ability to pass a user/password along when establishing our Phoenix connections, so we can begin to provide read-only access to the cluster to some users, and read/write access for others.

  • Do we need to use Kerberos? We are not currently running this in our setup, and would like to avoid it if possible - according to our security folks. No external customers will access our cluster, all access is via our app servers, or for engineers running ad-hoc queries for debugging purposes.
  • It sounds like Ranger would be the tool to handle authorization (via Kerberos) and authentication for HBase. Does that work for Phoenix as well? Is PQS required, or would it work with the fat client as well?
  • Is there something else we should be looking at, maybe a simpler way to create read-only users in our cluster?

We are looking at upgrading to the latest stable HDP in the next several months, if that changes anything.

2 REPLIES

Re: Phoenix read only access

Contributor
  • Yes, if you want to be sure that the user is who they say they are, you have to use Kerberos. Kerberos *is* for internal authentication. People/services who come from outside can avoid accessing the cluster via Kerberos by using Knox as the secure gateway to Hadoop.
  • Ranger handles authorization via plugins. Ranger can also be used as a centralized authorization platform in a cluster that is not kerberized. (Ranger = Authorization, Kerberos = Authentication)
  • Phoenix tables are actually HBase tables. So you'd need to create Ranger policies for the HBase plugin to authorize users on Phoenix tables.

Start reading an article I posted earlier here. It will explain the security concepts: https://community.hortonworks.com/content/kbentry/102957/hadoop-security-concepts.html
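
The read-only versus read/write split asked about above, sketched as Ranger HBase policy documents; this is an added example, not part of the original reply. The service name, users and table are constructed, `allowed` is a simplified stand-in for the plugin's evaluation, and Phoenix's own SYSTEM tables need policies of their own, which are not shown.

```python
SERVICE = "cluster_hbase"  # assumed Ranger HBase service name (constructed)
ACCESS_TYPES = {"read", "write", "create", "admin"}  # HBase plugin access types


def hbase_table_for(phoenix_table):
    """Phoenix upper-cases unquoted identifiers, so `orders` is HBase table ORDERS."""
    return phoenix_table.upper()


def build_policy(name, phoenix_table, users, accesses):
    """Ranger policy document covering the HBase table behind a Phoenix table."""
    unknown = set(accesses) - ACCESS_TYPES
    if unknown:
        raise ValueError(f"not HBase access types: {sorted(unknown)}")
    return {
        "service": SERVICE,
        "name": name,
        "isEnabled": True,
        "resources": {
            "table": {"values": [hbase_table_for(phoenix_table)]},
            "column-family": {"values": ["*"]},
            "column": {"values": ["*"]},
        },
        "policyItems": [{
            "users": sorted(users),
            "accesses": [{"type": a, "isAllowed": True} for a in sorted(accesses)],
        }],
    }


def allowed(policies, user, hbase_table, access):
    """Simplified model of evaluation: exact table match, allow items only."""
    for policy in policies:
        tables = policy["resources"]["table"]["values"]
        if not policy["isEnabled"] or hbase_table not in tables:
            continue
        for item in policy["policyItems"]:
            granted = {a["type"] for a in item["accesses"] if a["isAllowed"]}
            if user in item["users"] and access in granted:
                return True
    return False  # nothing grants it, so the model denies


# Constructed users and table: a read-only analyst and a read/write app account.
POLICIES = [
    build_policy("orders-ro", "orders", {"analyst"}, {"read"}),
    build_policy("orders-rw", "orders", {"appsvc"}, {"read", "write"}),
]
```

On a cluster without Kerberos the user name in these policies is whatever the client reports, so the split only separates users who report their own name.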

Re: Phoenix read only access

Contributor

@Jason Knaster Was that helpful? Any other questions? :)