[ https://issues.apache.org/jira/browse/DRILL-6457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16500972#comment-16500972 ]

Arjun commented on DRILL-6457:
------------------------------

[~harisekhon] Can you try with service_name=mapr instead of providing the principal, as given below?
sqlline -u "jdbc:drill:zk=host1:5181,host2:5181,host3:5181;auth=kerberos;service_name=mapr"

> Sqlline - infer Kerberos principal dynamically to be able to use individual keytabs across Drill nodes and still use ZooKeeper connection string for High Availability
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-6457
>                 URL: https://issues.apache.org/jira/browse/DRILL-6457
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Client - CLI, Client - JDBC, Security, Tools, Build & Test
>    Affects Versions: 1.13.0
>         Environment: MapR 6
>            Reporter: Hari Sekhon
>            Priority: Major
>
> Sqlline requires an explicit Kerberos 'principal=' parameter in its JDBC 
> connection string, e.g.: 
> {code:java}
> zk=<list>;auth=kerberos;principal=mapr/<cluster_name>@REALM{code}
> When Drill nodes are configured with individual keytabs containing the node's 
> fqdn and configured like so:
> {code:java}
> security: { auth.principal: mapr/_HOST@REALM }{code}
> then the ZooKeeper connection string from sqlline does not work and results 
> in a GSS Kerberos error:
> {code:java}
> Caused by: KrbException: Identifier doesn't match expected value{code}
> due to the mismatch between the explicit sqlline Kerberos principal and 
> ZooKeeper's random drillbit's principal.
> For the connection to work, this case requires something more like:
> {code:java}
> drillbits=$(hostname -f);auth=kerberos;principal=mapr/$(hostname -f)@REALM{code}
> but this lacks the high availability of using the ZooKeeper connection string 
> to connect to any available node.
> Hence it would be good if there was a way for sqlline arguments to be able to 
> either infer the correct Kerberos principal to match the host that ZooKeeper 
> tells it to connect to or else accept a more generic parameter such as:
> {code:java}
> zk=<list>;auth=kerberos;principal=mapr/_HOST@REALM{code}
> I've tested the above but it doesn't work, showing that sqlline is not using a 
> dynamic Kerberos principal to match the host it is connecting to.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
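
The principal mismatch discussed in this message, as an added example that is not part of the original message or of Drill's code: a string-level pre-flight check listing the drillbits for which the client's requested service principal would differ from the node's expanded `auth.principal`. The host names, the realm `EXAMPLE.COM`, the cluster name and all function names are constructed; the rule that `service_name` combines with the connected drillbit's host (or `service_host`) and realm is an assumption of this model.

```python
# Added example: models principal matching only; no Kerberos or network I/O.

def parse_props(conn):
    """Split 'k=v;k=v' connection properties (text after 'jdbc:drill:')."""
    if conn.startswith("jdbc:drill:"):
        conn = conn[len("jdbc:drill:"):]
    return dict(p.split("=", 1) for p in conn.split(";") if "=" in p)

def server_principal(pattern, fqdn):
    """Expand _HOST in a drillbit's auth.principal for that node's FQDN."""
    return pattern.replace("_HOST", fqdn.lower())

def client_principal(props, drillbit, realm):
    """Service principal the client would request a ticket for.
    An explicit principal= is used verbatim (no _HOST expansion, matching
    the reporter's test). Assumption: with service_name, the host part is
    service_host if given, otherwise the drillbit being connected to."""
    if "principal" in props:
        return props["principal"]
    host = props.get("service_host", drillbit).lower()
    return f'{props["service_name"]}/{host}@{props.get("realm", realm)}'

def mismatches(conn, pattern, drillbits, realm):
    """Drillbits whose expanded principal differs from the client's request."""
    props = parse_props(conn)
    return [d for d in drillbits
            if client_principal(props, d, realm) != server_principal(pattern, d)]

# Constructed sample data.
REALM = "EXAMPLE.COM"
PATTERN = "mapr/_HOST@EXAMPLE.COM"        # server side: auth.principal
DRILLBITS = ["host1.example.com", "host2.example.com", "host3.example.com"]
ZK = "jdbc:drill:zk=host1:5181,host2:5181,host3:5181;auth=kerberos;"

CASES = {
    "explicit cluster principal": ZK + "principal=mapr/my.cluster.com@EXAMPLE.COM",
    "literal _HOST principal": ZK + "principal=mapr/_HOST@EXAMPLE.COM",
    "service_name only": ZK + "service_name=mapr",
}

if __name__ == "__main__":
    for label, conn in CASES.items():
        bad = mismatches(conn, PATTERN, DRILLBITS, REALM)
        print(f"{label}: {len(bad)} of {len(DRILLBITS)} drillbits mismatch {bad}")
```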
