Hari Sekhon created DRILL-6457:
----------------------------------

             Summary: Sqlline - infer Kerberos principal dynamically to be able to use individual keytabs across Drill nodes and still use ZooKeeper connection string for High Availability
                 Key: DRILL-6457
                 URL: https://issues.apache.org/jira/browse/DRILL-6457
             Project: Apache Drill
          Issue Type: Improvement
          Components: Client - CLI, Client - JDBC, Security, Tools, Build & Test
    Affects Versions: 1.13.0
         Environment: MapR 6
            Reporter: Hari Sekhon


Sqlline requires an explicit Kerberos 'principal=' parameter in its JDBC 
connection string, e.g.:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/<cluster_name>@REALM{code}
When Drill nodes are configured with individual keytabs containing the node's 
fqdn and configured like so:
{code:java}
security: { auth.principal: mapr/_HOST@REALM }{code}
then the ZooKeeper connection string from sqlline does not work and results in 
GSS Kerberos errors due to the mismatch between the explicit sqlline Kerberos 
principal and ZooKeeper's random drillbit's principal.

For the connection to work in this case, it requires something more like:
{code:java}
drillbits=$(hostname -f);auth=kerberos;principal=mapr/$(hostname -f)@REALM{code}
but this lacks the high availability of using the ZooKeeper connection string 
to connect to any available node.

Hence it would be good if there was a way for sqlline arguments to be able to 
either infer the correct Kerberos principal to match the host that ZooKeeper 
tells it to connect to or else accept a more generic parameter such as:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/_HOST@REALM{code}
I've tested the above but it doesn't work, showing that sqlline is not using a 
dynamic Kerberos principal to match the host it is connecting to.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
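
The principal mismatch described in this issue, and the per-host `_HOST` expansion it asks for, as an added example that is not part of the original message and not Drill or sqlline code. The host names, realm and cluster name are constructed, the function names are hypothetical, and lower-casing the host follows the Hadoop convention for `_HOST` (an assumption about how a client would implement it).

```python
import re

# Kerberos service principal: primary/instance@REALM
_PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)/(?P<instance>[^/@]+)@(?P<realm>[^/@]+)$")
HOST_TOKEN = "_HOST"


def resolve_principal(pattern, host):
    """Expand _HOST in the instance part with the lower-cased FQDN of `host`."""
    m = _PRINCIPAL_RE.match(pattern)
    if m is None:
        raise ValueError(f"not a primary/instance@REALM principal: {pattern!r}")
    instance = m["instance"]
    if instance == HOST_TOKEN:
        # A short host name would yield a principal no keytab contains.
        if not host or "." not in host:
            raise ValueError(f"need a fully qualified host name, got {host!r}")
        instance = host.lower()
    return f"{m['primary']}/{instance}@{m['realm']}"


def principal_matches(client_principal, server_pattern, host):
    """True if the principal the client requests is the one the node on `host` holds.

    Expanding _HOST on the client side models the behaviour the issue requests,
    not what sqlline 1.13.0 is reported to do.
    """
    return (resolve_principal(client_principal, host)
            == resolve_principal(server_pattern, host))


def per_node_connection_strings(hosts, pattern):
    """One direct connection string per node, in the form quoted in the issue."""
    return [f"drillbits={h};auth=kerberos;principal={resolve_principal(pattern, h)}"
            for h in hosts]


# Constructed sample values (not from the issue).
NODES = ["drill1.example.com", "Drill2.example.com"]
SERVER_PATTERN = "mapr/_HOST@EXAMPLE.COM"

if __name__ == "__main__":
    for node in NODES:
        # A fixed cluster-name principal matches no node that uses per-host keytabs.
        print(node, principal_matches("mapr/mycluster@EXAMPLE.COM", SERVER_PATTERN, node))
    for conn in per_node_connection_strings(NODES, SERVER_PATTERN):
        print(conn)
```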
