Hey Mike,
You can definitely authenticate yourself as with the Kerberos
credentials of your choice. There are generally two ways in you can do this:
1. Login using UserGroupInformation APIs and then make JDBC calls with
the Phoenix JDBC driver (thick or thin)
2. Use the principal+keytab JDBC url "options" and let Phoenix do it for
you.
These have had some issues around them in the past, but, if you're using
a recent release, you should be fine.
I don't believe we have any integration with HBase visibility labels,
and I think this would be extremely tricky to get correct (Phoenix does
a significant amount of reads on your behalf for a query via
coprocessors. You'd have to update each of these to pass through and set
the labels everywhere).
On 10/8/18 4:36 PM, Mike Thomsen wrote:
We have a particular use case where we'd like to be able to effectively
do a SELECT on a table and say either "execute as this user" or "execute
with this list of HBase visibility tokens."
This looks somewhat promising for the former:
https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_installing_manually_book/content/validating-phoenix-installation.html
It looks like we could at least allow some of our users to have a
kerberos tab set up for them.
Any thoughts on how to approach this? I know it may be uncharted
territory for Phoenix and don't mind trying to get my hands dirty on
working on a PR or something.
Thanks,
Mike