Have you read the portion of the HBase book that I previously linked to?
This is handled by SASL and GSSAPI/Kerberos. Please use your favorite
search engine and do some reading.
SSL is just *one* library that can be used to provide privacy of data in
motion.
On 11/27/17 7:25 AM, Ash N wrote:
Josh,
Thank you for your comment.
1.
Could you please point me to any resources around the below statement
you make?
" there are definitely the tools/configuration that exist to provide end
to end data privacy "
2.SSL is just not part of that picture :)
Above statement is contrary to my understanding.
Thought SSL enables secure connections.
Input as always is appropriated.
Thanks.
On Nov 26, 2017 8:58 PM, "Josh Elser" <els...@apache.org
<mailto:els...@apache.org>> wrote:
Thanks, Ash. Just to confirm, there are definitely the
tools/configuration that exist to provide end to end data privacy
(at rest and in motion). SSL is just not part of that picture :)
On Nov 24, 2017 12:19, "Ash N" <742...@gmail.com
<mailto:742...@gmail.com>> wrote:
Josh,
Thank you for your quick response.
The data is sensitive personal data of customers. Everything
needs to be encrypted and secure. In - wire, on-wire,
in-motion, at rest, everything.
Our solution was to use SSL/TLS everywhere. Our development
team reported that Phoenix does not support SSL. Therefore this
is a big problem.
Based on the above statements, if you have additional ideas, I
will gladly take them,
if you have additional input please do provide. I unfortunately
have very limited to no knowledge on security. So this becomes
a challenge area for me.
Meanwhile, I will look up the link you have provided and will
continue to do research on this topic.
thanks,
-ash
On Fri, Nov 24, 2017 at 12:11 PM, Josh Elser <els...@apache.org
<mailto:els...@apache.org>> wrote:
Why do you have a hard-requirement on using SSL?
HBase itself does not use SSL to provide confidentiality on
its wire communication, it relies on jGSS and SASL to
implement this security. Under the hood, this actually boils
down to using GSSAPI, Kerberos specifically, to implement
privacy (e.g. aes256-cts-hmac-sha1-96).
Take a look at
https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation
<https://hbase.apache.org/book.html#_server_side_configuration_for_secure_operation>.
Phoenix executes all of its RPCs over HBase RPCs, so if you
have HBase set up correctly, Phoenix will follow.
If you want to introduce the Phoenix Query Server into your
architecture, you can place it behind an SSL/TLS proxy
server (or configure PQS directly with SSL/TLS using a
sufficiently new version of Phoenix). This would be the only
way I know of to "use Phoenix with SSL", but, in my
experience, this is rarely what people actually want when
they say this ;)
Disclaimer: I have no idea how any of this translates to EMR :)
On 11/24/17 12:01 PM, Ash N wrote:
Hello All,
Thank you for the great work the team is doing on Phoenix.
Summary : does Phoenix support SSL connection in Amazon
EMR Cluster?
We are running Phoenix on EMR cluster in Amazon. We have
a need to connect to Phoenix over SSL. I don't see much
documentation around this topic anywhere also I saw a
couple of jira tickets that did not provide enough help
or direction on this topic.
If Phoenix does not support SSL connections what are my
options?
Starting off six months ago, we assumed this should not
be an issue. Now we are in big trouble.
All and any help is greatly appreciated.
Thanks
Ash