drill-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Spiro Ketal <spiroke...@yahoo.com.au.INVALID>
Subject Re: ldap, kerberos zookeeper and drill integration - Drill failing to  authenticate
Date Thu, 19 Apr 2018 08:30:32 GMT
Hi Sorabh,Thankyou for the quick response (and apologies for the second post - I didn't think
it had gone through). 
I'm effectively trying to model a large machine and wanted to keep my initial post short.
I'll give a more detailed description. The system layout is as follows:node000.local ldap/kerberos/NTP/CA/DNS
node.node001.local zookeeper/kafka/drillnode002.local zookeeper/kafka/drillnode003.local zookeeper/kafka/drillnode004.local
namenode/datanodenode005.local secondary namenode/datanodenode006.local datanodenode007.local
clusterid, local, LOCAL and node00N represent the real hostnames, cluster, REALM and FQDNs.
I've set up principles as follows:zookeeper/clusterid@LOCALzclient/clusterid@LOCAL
I could not get zk to work with a single clusterid principle across the 3-member zk cluster
so resorted to:zookeeper/node001.local -> zookeeper.keytab (on node001)zookeeper/node002.local
->                 "               (on node002)
zookeeper/node002.local ->                 "               (on node003)
zclient/node001.local -> zclient.keytab (on node001)zclient/node002.local ->     
     "              (on node002)
zclient/node002.local ->           "              (on node003)
Zookeeper works with this config.
The relevant drill config is as follows: impersonation: {    enabled: true,    max_chained_user_hops:
3  }, security.auth: {                             mechanisms:["KERBEROS","PLAIN"],   
  principal:"drill/clusterid@LOCAL",      keytab:"/etc/security/keytabs/drill.keytab"   
}  security.user: {    auth.enabled: true,    auth.packages += "org.apache.drill.exec.rpc.user.security", 
  auth.impl: "pam4j",    auth.pam_profiles: ["sudo", "login"],                 
The permissions on the keytab are as follows (I have not tried to integrate HDFS, yet):-rw-------
1 drill     drill     558 Apr 18 20:11 drill.keytab-rw------- 1 drill     drill 
   614 Apr 18 20:11 drill_client.keytab-rw------- 1 zookeeper zookeeper 302 Apr 18 18:27
zclient.keytab-rw------- 1 zookeeper zookeeper 310 Apr 18 18:27 zookeeper.keytab
drill@node000:~$ id drilluid=649(drill) gid=1002(drill) groups=1002(drill),994(zookeeper),993(hadoop)drill@node000:~$
id zookeeperuid=996(zookeeper) gid=994(zookeeper) groups=994(zookeeper)
I'll re-read your posts and take a good look when I'm less tired.Thanks again.Cheers, Chris.

From: Sorabh Hamirwasia <shamirwasia@mapr.com>To: "user@drill.apache.org" <user@drill.apache.org>, 
       Spiro Ketal  <spiroketal@yahoo.com.au>Subject: Re: ldap, kerberos zookeeper
and drill integration - Drill failing to  authenticateDate: Thu, 19 Apr 2018 03:45:40 +0000

Hi Spiro,For the error while connecting using sqlline:- Do you have TGT generated for your
client user which you are using to connect to Drill ? If yes can you check if sqlline process
user has access to that ticket file or not ? Can you please share your sqlline command? Also
can you share your drill-override.conf config ?
Instruction on how to configure for Kerberos on server and client side are here[1]. Not sure
if you got chance to look at it.

As far as enabling Drill authentication to zookeeper is concerned I have not tried it but
Drill internally uses curator framework to connect to Zookeeper. So it will depend upon how
Curator supports authenticating using Kerberos. From quick search it looks like just providing
a JAAS conf file to below system property should be good enough.
I would say first let's try to make DrillClient to Drillbit path working with Kerberos.

[1]: https://drill.apache.org/docs/configuring-kerberos-security/

________________________________From: Spiro Ketal <spiroketal@yahoo.com.au.INVALID>Sent:
Wednesday, April 18, 2018 7:41:55 PMTo: user@drill.apache.orgSubject: ldap, kerberos zookeeper
and drill integration - Drill failing to authenticate
Dear Apache List Members,I have a test system that comprises of several VMs One provides (integrated)
OpenLDAP/Kerberos5 services (LDAP backend) and I've integrated zookeeper with this (via JAAS).
The authentication works but I had to use a per node config (with FQDNs) to achieve this.
(ie. zk/node0001.my.domain; zk/node0002.my.domain, ..., instead of zk/nodes@MY.DOMAIN)My goal
is to have drill authenticate and to be able to use the underlying java DoAs() functionality
to interact with HDFS and zookeeper. I don't quite understand how the kerberos authentication
works in the case of drill. Does the drill software provide a kerberos authenticated client
connection to zookeeper? The drill cluster appears to start OK (without client-side authentication
to zookeeper - which I'd like to remedy) but I seem to be receiving errors relating to GSSAPI
when I attempt to connect to the drill via sqlline: Error: Failure in connecting to Drill:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: Failed to login.
[Caused by javax.security.auth.login.LoginException: Unable to obtain password from user] (state=,code=0)I've
tried various combinations but can't seem to get drill to authenticate.Any assistance or pointers
would be greatly appreciated.Thanks.Cheers, Spiro.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message