Thanks, Ash. Just to confirm, there are definitely the tools/configuration that exist to provide end to end data privacy (at rest and in motion). SSL is just not part of that picture :)

On Nov 24, 2017 12:19, "Ash N" <742...@gmail.com> wrote:

> Josh,
>
> Thank you for your quick response.
>
> The data is sensitive personal data of customers. Everything needs to be
> encrypted and secure. In - wire, on-wire, in-motion, at rest, everything.
> Our solution was to use SSL/TLS everywhere. Our development team reported
> that Phoenix does not support SSL. Therefore this is a big problem.
>
> Based on the above statements, if you have additional ideas, I will
> gladly take them,
> if you have additional input please do provide. I unfortunately have very
> limited to no knowledge on security. So this becomes a challenge area for
> me.
>
> Meanwhile, I will look up the link you have provided and will continue to
> do research on this topic.
>
> thanks,
> -ash
>
> On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <els...@apache.org> wrote:
>
>> Why do you have a hard-requirement on using SSL?
>>
>> HBase itself does not use SSL to provide confidentiality on its wire
>> communication, it relies on jGSS and SASL to implement this security. Under
>> the hood, this actually boils down to using GSSAPI, Kerberos specifically,
>> to implement privacy (e.g. aes256-cts-hmac-sha1-96).
>>
>> Take a look at
>> https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation.
>> Phoenix executes all of its RPCs over HBase RPCs, so if you have HBase set
>> up correctly, Phoenix will follow.
>>
>> If you want to introduce the Phoenix Query Server into your architecture,
>> you can place it behind an SSL/TLS proxy server (or configure PQS directly
>> with SSL/TLS using a sufficiently new version of Phoenix). This would be
>> the only way I know of to "use Phoenix with SSL", but, in my experience,
>> this is rarely what people actually want when they say this ;)
>>
>> Disclaimer: I have no idea how any of this translates to EMR :)
>>
>>
>> On 11/24/17 12:01 PM, Ash N wrote:
>>
>>> Hello All,
>>>
>>> Thank you for the great work the team is doing on Phoenix.
>>>
>>> Summary : does Phoenix support SSL connection in Amazon EMR Cluster?
>>>
>>> We are running Phoenix on EMR cluster in Amazon. We have a need to
>>> connect to Phoenix over SSL. I don't see much documentation around this
>>> topic anywhere also I saw a couple of jira tickets that did not provide
>>> enough help or direction on this topic.
>>>
>>> If Phoenix does not support SSL connections what are my options?
>>>
>>> Starting off six months ago, we assumed this should not be an issue.
>>> Now we are in big trouble.
>>>
>>> All and any help is greatly appreciated.
>>>
>>> Thanks
>>> Ash