Hi,
For both Drill RPC and HTTP path, authentication is enabled using a single
parameter *security.user.auth.enabled:true,* which is true in your setup.
You have correctly configured auth mechanism as KERBEROS for Drill RPC path
but for HTTP path the corresponding mechanism will be SPNEGO and you will
need to configure other parameters like keytab and principal for it as
well. Please refer to [1] for SPNEGO configuration.

*http.auth.mechanisms:["SPNEGO"],*

Also there are a few other parameters in your configuration (like below)
which are not supported. For the full list of parameters on SSL and Kerberos
please see [2][3].

*security: {*

*    auth.realm: "XX.YY",*
*  }*


*security.user.encryption.ssl: {*
*    handshakeTimeout: 10000,*
*  },*

[1]:
https://drill.apache.org/docs/configuring-drill-to-use-spnego-for-http-authentication/
[2]: https://drill.apache.org/docs/configuring-ssl-tls-for-encryption/
[3]: https://drill.apache.org/docs/configuring-kerberos-security/

Thanks,
Sorabh

On Thu, Nov 1, 2018 at 10:44 AM SAFIEDDINE Ibrahim <
[email protected]> wrote:

> Hello,
>
>
> I'm using Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).
>
>
> When I activate Kerberos authentication, the Drill server refuses to start
> with error:
>
> org.apache.drill.exec.exception.DrillbitStartupException: Authentication
> is enabled for WebServer but none of the security mechanism was configured
> properly. Please verify the configurations and try again.
>
>
> I can see in the logs that the Kerberos authentication is ok:
>
> [main] INFO  o.a.d.exec.server.BootStrapContext - Process user name:
> 'root' and logged in successfully as 'tata/[email protected]?'
>
>
>
> Can you help me please?
>
>
> Based on the Apache Drill documentation, here is my
> conf/drill-override.conf:
>
>
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "xx.yy.zz:2181",
>   service_name: "service1",
>   impersonation: {
>     enabled: true,
>     max_chained_user_hops: 3
>   },
>   security: {
>     user.auth.enabled:true,
>     auth.mechanisms:["KERBEROS"],
>     auth.principal:"tata/[email protected]",
>     auth.keytab:"keytab1.keytab",
>     drill.exec.security.auth.auth_to_local:hive,
>     auth.realm: "XX.YY",
>     user.encryption.sasl.enabled: true,
>     user.encryption.sasl.max_wrapped_size: 65536
>   },
>   security.user.encryption.ssl: {
>     enabled: true,
>     keyPassword: "XXXXX",
>     handshakeTimeout: 10000,
>     provider: "JDK"
>   },
>   ssl: {
>     keyStorePath: "XXXXX",
>     keyStorePassword: "XXXXX",
>     trustStorePath: "XXXXX",
>     trustStorePassword: "XXXXX"
>   },
>   http: {
>     enabled: true,
>     auth.enabled: false,
>     auth.mechanisms: ["KERBEROS"],
>     ssl_enabled: true,
>     port: 8047
>     session_max_idle_secs: 3600, # Default value 1hr
>     cors: {
>       enabled: false,
>       allowedOrigins: ["null"],
>       allowedMethods: ["GET", "POST", "HEAD", "OPTIONS"],
>       allowedHeaders: ["X-Requested-With", "Content-Type", "Accept",
> "Origin"],
>       credentials: true
>     }
>   }
> }
>
> Thank you
>
>
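
A pre-start check for the problems raised in this thread, as an added example that is not part of either message and is not Drill's own code: it flags `KERBEROS` on the HTTP path, SPNEGO without its principal and keytab, and the two parameters the reply calls unsupported. The `http.auth.spnego.*` key names are taken from the Drill SPNEGO documentation linked as [1]; the parser is an assumption-level helper that handles only a one-setting-per-line subset of the config syntax, and the sample config is constructed.

```python
import re

# Parameters the reply calls unsupported; SPNEGO key names follow Drill doc [1].
UNSUPPORTED = ("security.auth.realm", "security.user.encryption.ssl.handshakeTimeout")
SPNEGO_KEYS = ("http.auth.spnego.principal", "http.auth.spnego.keytab")

def flatten(text):
    """Flatten a one-setting-per-line, brace-nested config subset to dotted keys."""
    stack, flat = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(",").strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition(":")
        if value.strip() == "{":
            stack.append(key.strip())
        else:
            flat[".".join(stack + [key.strip()])] = value.strip().strip('"')
    return flat

def lint(text):
    """Return findings for the WebServer auth problems discussed in this thread."""
    conf = {re.sub(r"^drill\.exec\.", "", k): v for k, v in flatten(text).items()}
    findings = [f"{k}: not a supported parameter" for k in UNSUPPORTED if k in conf]
    if conf.get("security.user.auth.enabled") == "true":
        mechs = re.findall(r'"(\w+)"', conf.get("http.auth.mechanisms", ""))
        if "KERBEROS" in mechs:
            findings.append("http.auth.mechanisms: use SPNEGO, not KERBEROS")
        if "SPNEGO" in mechs:
            findings += [f"{k}: required for SPNEGO" for k in SPNEGO_KEYS if not conf.get(k)]
    return findings

# Constructed sample reproducing the relevant part of the posted configuration.
BROKEN = """drill.exec: {
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["KERBEROS"],
    auth.realm: "XX.YY"
  },
  http: {
    auth.mechanisms: ["KERBEROS"]
  }
}"""

if __name__ == "__main__":
    print("\n".join(lint(BROKEN)))
```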
