[jira] [Commented] (DRILL-7149) Kerberos Code Missing from Drill on YARN

Wed, 15 Jan 2020 05:56:36 -0800 


    [ 
https://issues.apache.org/jira/browse/DRILL-7149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17016003#comment-17016003
 ] 

Anton Gozhiy commented on DRILL-7149:
-------------------------------------

I was able to successfully start Dril-on-Yarn with Kerberos security (Drill 
version: 1.18.0-SNAPSHOT, commit 755529f3ac7ca77797f68b60e1d0713ad126e227).
[~cgivre] , if you still have this issue, could you please provide some 
details, such as:
 * Your configuration (hadoop version, config files etc.)
 * Steps to reproduce
 * Expected result
 * Actual result

> Kerberos Code Missing from Drill on YARN
> ----------------------------------------
>
>                 Key: DRILL-7149
>                 URL: https://issues.apache.org/jira/browse/DRILL-7149
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Security
>    Affects Versions: 1.14.0
>            Reporter: Charles Givre
>            Assignee: Anton Gozhiy
>            Priority: Major
>              Labels: kerberos, security
>
> My company is trying to deploy Drill using the Drill on Yarn (DoY) and we 
> have run into the issue that DoY does not seem to support passing Kerberos 
> credentials in order to interact with HDFS. 
> Upon checking the source code available in GIT 
> (https://github.com/apache/drill/blob/1.14.0/drill-yarn/src/main/java/org/apache/drill/yarn/core/)
>  and referring to Apache YARN documentation 
> (https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html)
>  , we saw no section for passing the security credentials needed by the 
> application to interact with any Hadoop cluster services and applications. 
> This we feel needs to be added to the source code so that delegation tokens 
> can be passed inside the container for the process to be able access Drill 
> archive on HDFS and start. It probably should be added to the 
> ContainerLaunchContext within the ApplicationSubmissionContext for DoY as 
> suggested under Apache documentation.
>  
> We tried the same DoY utility on a non-kerberised cluster and the process 
> started well. Although we ran into a different issue there of hosts getting 
> blacklisted
> We tested with the Single Principal per cluster option.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to