Re: Questions on Kerberos usage with YARN and JDBC
Kerberos seems to be working otherwise ... for example, we're using it successfully to control access to HDFS and it's linked to AD ... we're using Ranger if that helps.

I'm not a systems admin guy so this is really not my area of expertise.

___
*Mike Wright*
Principal Architect, Software Engineering
S Capital IQ and SNL
434-951-7816 *p*
434-244-4466 *f*
540-470-0119 *m*
mwri...@snl.com

On Fri, Dec 11, 2015 at 4:36 PM, Todd Simmer wrote:

> hey Mike,
>
> Are these part of an Active Directory Domain? If so are they pointed at
> the AD domain controllers that host the Kerberos server? Windows AD creates
> SRV records in DNS to help Windows clients find the Kerberos server for
> their domain. If you look you can see if you have a kdc record in Windows
> DNS and what it's pointing at. Can you do a
>
> kinit *username*
>
> on that host? It should tell you if it can find the KDC.
>
> Let me know if that's helpful at all.
>
> Todd
>
> On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright wrote:
>
>> As part of our implementation, we are utilizing a full "Kerberized"
>> cluster built on the Hortonworks suite. We're using Job Server as the front
>> end to initiate short-run jobs directly from our client-facing product
>> suite.
>>
>> 1) We believe we have configured the job server to start with the
>> appropriate credentials, specifying a principal and keytab. We switch to
>> YARN-CLIENT mode and can see Job Server attempt to connect to the resource
>> manager, and the result is that whatever the principal name is, it "cannot
>> impersonate root." We have been unable to solve this.
>>
>> 2) We are primarily a Windows shop, hence our cluelessness here. That
>> said, we're using the JDBC driver version 4.2 and want to use JavaKerberos
>> authentication to connect to SQL Server. The queries performed by the job
>> are done in the driver, and hence would be running on the Job Server, which
>> we confirmed is running as the principal we have designated. However, when
>> attempting to connect with this option enabled I receive an "Unable to
>> obtain Principal Name for authentication" exception.
>>
>> Reading this:
>>
>> https://msdn.microsoft.com/en-us/library/ms378428.aspx
>>
>> We have Kerberos working on the machine and thus have krb5.conf set up
>> correctly. However, the section "Enabling the Domain Configuration File
>> and the Login Module Configuration File" seems to indicate we've missed a
>> step somewhere.
>>
>> Forgive my ignorance here ... I've been on Windows for 20 years and this
>> is all new to me.
>>
>> Thanks for any guidance you can provide.
Re: Questions on Kerberos usage with YARN and JDBC
hey Mike,

Are these part of an Active Directory Domain? If so are they pointed at the AD domain controllers that host the Kerberos server? Windows AD creates SRV records in DNS to help Windows clients find the Kerberos server for their domain. If you look you can see if you have a kdc record in Windows DNS and what it's pointing at. Can you do a

kinit *username*

on that host? It should tell you if it can find the KDC.

Let me know if that's helpful at all.

Todd

On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright wrote:

> As part of our implementation, we are utilizing a full "Kerberized"
> cluster built on the Hortonworks suite. We're using Job Server as the front
> end to initiate short-run jobs directly from our client-facing product
> suite.
>
> 1) We believe we have configured the job server to start with the
> appropriate credentials, specifying a principal and keytab. We switch to
> YARN-CLIENT mode and can see Job Server attempt to connect to the resource
> manager, and the result is that whatever the principal name is, it "cannot
> impersonate root." We have been unable to solve this.
>
> 2) We are primarily a Windows shop, hence our cluelessness here. That
> said, we're using the JDBC driver version 4.2 and want to use JavaKerberos
> authentication to connect to SQL Server. The queries performed by the job
> are done in the driver, and hence would be running on the Job Server, which
> we confirmed is running as the principal we have designated. However, when
> attempting to connect with this option enabled I receive an "Unable to
> obtain Principal Name for authentication" exception.
>
> Reading this:
>
> https://msdn.microsoft.com/en-us/library/ms378428.aspx
>
> We have Kerberos working on the machine and thus have krb5.conf set up
> correctly. However, the section "Enabling the Domain Configuration File
> and the Login Module Configuration File" seems to indicate we've missed a
> step somewhere.
>
> Forgive my ignorance here ... I've been on Windows for 20 years and this
> is all new to me.
>
> Thanks for any guidance you can provide.
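
The SRV lookup described in the reply above, as an added example that is not part of the original thread: it builds the `_kerberos._tcp` name for a realm and orders the answers the way a client would try them. The realm `EXAMPLE.COM`, the host names and the sample answer are constructed, and the `--live` mode assumes `dig` is installed on the host.

```shell
#!/bin/sh
# Added example: list the KDCs that AD publishes in DNS for a Kerberos realm.

# Build the SRV owner name a Kerberos client queries for a realm.
kdc_srv_name() {
    # Realms are written in upper case; the DNS name is lower-cased here.
    printf '_kerberos._tcp.%s\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Read `dig +short SRV` lines (priority weight port target.) on stdin and
# print host:port, lowest priority first, then highest weight. Lines that
# are not SRV answers (resolver errors, comments) are ignored.
rank_kdcs() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             host = $4; sub(/\.$/, "", host)
             print $1, $2, host ":" $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Constructed sample answer for the hypothetical realm EXAMPLE.COM.
SAMPLE_SRV='0 100 88 dc01.example.com.
10 100 88 dc03.example.com.
0 200 88 dc02.example.com.
;; connection timed out; no servers could be reached'

# Live check, only when asked for: sh kdc-check.sh --live REALM
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    name=$(kdc_srv_name "$2")
    kdcs=$(dig +short SRV "$name" | rank_kdcs)
    if [ -z "$kdcs" ]; then
        # An empty answer means the host's resolver cannot see the AD zone.
        echo "no SRV records for $name: check which DNS servers this host uses" >&2
        exit 1
    fi
    echo "$kdcs"
fi
```

An empty result from the live lookup points at the host's DNS configuration rather than at Kerberos itself, which is the distinction the `kinit` test is meant to draw out.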
Questions on Kerberos usage with YARN and JDBC
As part of our implementation, we are utilizing a full "Kerberized" cluster built on the Hortonworks suite. We're using Job Server as the front end to initiate short-run jobs directly from our client-facing product suite.

1) We believe we have configured the job server to start with the appropriate credentials, specifying a principal and keytab. We switch to YARN-CLIENT mode and can see Job Server attempt to connect to the resource manager, and the result is that whatever the principal name is, it "cannot impersonate root." We have been unable to solve this.

2) We are primarily a Windows shop, hence our cluelessness here. That said, we're using the JDBC driver version 4.2 and want to use JavaKerberos authentication to connect to SQL Server. The queries performed by the job are done in the driver, and hence would be running on the Job Server, which we confirmed is running as the principal we have designated. However, when attempting to connect with this option enabled I receive an "Unable to obtain Principal Name for authentication" exception.

Reading this:

https://msdn.microsoft.com/en-us/library/ms378428.aspx

We have Kerberos working on the machine and thus have krb5.conf set up correctly. However, the section "Enabling the Domain Configuration File and the Login Module Configuration File" seems to indicate we've missed a step somewhere.

Forgive my ignorance here ... I've been on Windows for 20 years and this is all new to me.

Thanks for any guidance you can provide.