[
https://issues.apache.org/jira/browse/DRILL-6457?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Hari Sekhon updated DRILL-6457:
-------------------------------
Description:
Sqlline requires an explicit Kerberos 'principal=' parameter in its JDBC
connection string, e.g.:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/<cluster_name>@REALM{code}
When Drill nodes are configured with individual keytabs containing the node's
FQDN and configured like so:
{code:java}
security: { auth.principal: mapr/_HOST@REALM }{code}
then the ZooKeeper connection string from sqlline does not work and results in
a GSS Kerberos error:
{code:java}
sqlline -u "jdbc:drill:zk=host1:5181,host2:5181,host3:5181;auth=kerberos;principal=mapr/_HOST@$REALM"
Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] (state=,code=0)
java.sql.SQLNonTransientConnectionException: Failure in connecting to Drill: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:179)
    at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:73)
    at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
    at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:138)
    at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
    at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
    at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
    at sqlline.Commands.connect(Commands.java:1083)
    at sqlline.Commands.connect(Commands.java:1015)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
    at sqlline.SqlLine.dispatch(SqlLine.java:742)
    at sqlline.SqlLine.initArgs(SqlLine.java:528)
    at sqlline.SqlLine.begin(SqlLine.java:596)
    at sqlline.SqlLine.start(SqlLine.java:375)
    at sqlline.SqlLine.main(SqlLine.java:268)
Caused by: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at org.apache.drill.exec.rpc.RpcException.mapException(RpcException.java:60)
    at org.apache.drill.exec.rpc.user.UserClient$1.mapException(UserClient.java:296)
    at org.apache.drill.exec.rpc.user.UserClient$1.mapException(UserClient.java:286)
    at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:85)
    at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:202)
    at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:458)
    at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:402)
    at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:170)
    ... 18 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
    at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:241)
    at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:238)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1633)
    at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.evaluateChallenge(AuthenticationOutcomeListener.java:238)
    at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:91)
    at org.apache.drill.exec.rpc.BasicClient.startSaslHandshake(BasicClient.java:263)
    at org.apache.drill.exec.rpc.user.UserClient.prepareSaslHandshake(UserClient.java:463)
    at org.apache.drill.exec.rpc.ConnectionMultiListener$HandshakeSendHandler.success(ConnectionMultiListener.java:160)
    at org.apache.drill.exec.rpc.ConnectionMultiListener$HandshakeSendHandler.success(ConnectionMultiListener.java:143)
    at org.apache.drill.exec.rpc.RequestIdMap$RpcListener.set(RequestIdMap.java:134)
    at org.apache.drill.exec.rpc.BasicClient$ClientHandshakeHandler.consumeHandshake(BasicClient.java:318)
    at org.apache.drill.exec.rpc.AbstractHandshakeHandler.decode(AbstractHandshakeHandler.java:57)
    at org.apache.drill.exec.rpc.AbstractHandshakeHandler.decode(AbstractHandshakeHandler.java:29)
    at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:88)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
    at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
    at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:312)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:286)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
    at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:335)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1294)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:356)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:342)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:911)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131)
    at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
    ... 43 more
Caused by: KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    ... 46 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 52 more
apache drill 1.13.0-mapr
"start your sql engine"
0: jdbc:drill:zk=lonsl1103386.uk.net.intra:51> select * from sys.drillbits
. . . . . . . . . . . . . . . . . . . . . . .> No current connection
0: jdbc:drill:zk=lonsl1103386.uk.net.intra:51> Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] (state=,code=0){code}
due to the mismatch between the explicit sqlline Kerberos principal and
ZooKeeper's random drillbit's principal.
For the connection to work in this case, it requires something more like:
{code:java}
drillbits=$(hostname -f);auth=kerberos;principal=mapr/$(hostname -f)@REALM{code}
but this lacks the high availability of using the ZooKeeper connection string
to connect to any available node.
Hence it would be good if there was a way for sqlline arguments to be able to
either infer the correct Kerberos principal to match the host that ZooKeeper
tells it to connect to, or else accept a more generic parameter such as:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/_HOST@REALM{code}
I've tested the above, but it doesn't work, showing that sqlline is not using a
dynamic Kerberos principal to match the host it is connecting to.
was:
Sqlline requires an explicit Kerberos 'principal=' parameter in its JDBC
connection string, e.g.:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/<cluster_name>@REALM{code}
When Drill nodes are configured with individual keytabs containing the node's
FQDN and configured like so:
{code:java}
security: { auth.principal: mapr/_HOST@REALM }{code}
then the ZooKeeper connection string from sqlline does not work and results in
GSS Kerberos errors due to the mismatch between the explicit sqlline Kerberos
principal and ZooKeeper's random drillbit's principal.
For the connection to work in this case, it requires something more like:
{code:java}
drillbits=$(hostname -f);auth=kerberos;principal=mapr/$(hostname -f)@REALM{code}
but this lacks the high availability of using the ZooKeeper connection string
to connect to any available node.
Hence it would be good if there was a way for sqlline arguments to be able to
either infer the correct Kerberos principal to match the host that ZooKeeper
tells it to connect to, or else accept a more generic parameter such as:
{code:java}
zk=<list>;auth=kerberos;principal=mapr/_HOST@REALM{code}
I've tested the above, but it doesn't work, showing that sqlline is not using a
dynamic Kerberos principal to match the host it is connecting to.
> Sqlline - infer Kerberos principal dynamically to be able to use individual
> keytabs across Drill nodes and still use ZooKeeper connection string for High
> Availability
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DRILL-6457
> URL: https://issues.apache.org/jira/browse/DRILL-6457
> Project: Apache Drill
> Issue Type: Improvement
> Components: Client - CLI, Client - JDBC, Security, Tools, Build & Test
> Affects Versions: 1.13.0
> Environment: MapR 6
> Reporter: Hari Sekhon
> Priority: Major
>