One quirk of Apache Phoenix when compared to traditional RDBMS is that Phoenix provides no notion of simple username/password based authentication. This largely stems from Apache HBase, which Phoenix is built on, also not providing this as a form of authentication. With the introduction of the Phoenix Query Server, we have a number of new means which can be used to interact with Phoenix. We also have the ability to hook together new systems to provide features, like username/password authentication, which are not traditionally supported.
There are multiple products available which can perform this kind of authentication, but we can trivially show that this works via a common HTTP load balancer, HAProxy. Let's assume that we have the Phoenix Query Server running on our local machine listening on the standard 8765 port. We can enable some trivial authentication using HAProxy. First, we need to create our HAProxy configuration file.
global maxconn 256 defaults mode http option redispatch timeout connect 5000ms timeout client 50000ms timeout server 50000ms userlist AvaticaUsers user josh insecure-password secret frontend avatica-http-in bind *:9000 default_backend avaticaservers backend avaticaservers balance source server queryserver1 127.0.0.1:8765 check acl AuthOkay http_auth(AvaticaUsers) http-request auth if !AuthOkay
The above contents can be placed into a file and then should be referenced when starting HAProxy (e.g. `haproxy -f my_auth.conf`). The result will be HAProxy listening on port 9000 and applying HTTP Basic authentication to requests before they are dispatched to the backend PQS. This example will only accept the username password combination of "josh" and "secret". Using an external authentication is left as an example to the user.
With the changes presently staged in PHOENIX-3517, we can easily connect to PQS, via HAProxy, using our username/password and then HTTP Basic authentication method.
./sqlline-thin.py -a BASIC --auth-user=josh --auth-password=secret http://localhost:9000
Similarly, using a username or password that doesn't match the configuration would result in the client receiving an HTTP/403 error and being unable to access Phoenix.
This example can be extrapolated to relevant technology like Apache Knox which provides a fully-featured authentication-gateway service and shows how we can bring username/password authentication to Apache Phoenix in the near future.