[
https://issues.apache.org/jira/browse/PHOENIX-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15226690#comment-15226690
]
Sergey Soldatov commented on PHOENIX-2817:
------------------------------------------
{quote}
do we really need match case and concat after
{quote}
Since the result is supposed to be Option[String], we need to return None in
case there are no values in the configuration.
{quote}
I think the MR framework serializes the client configuration and makes it available
in all M/R contexts. And the bulkload tool (FormatToBytesWritableMapper#setup) in
Phoenix uses it to open a connection.
{quote}
There is the problem. Usually the keytab file is a host-specific property, so it can
be located in a different place. The application should obtain it from the local
HBase configuration, as well as the principal name, since it usually contains the FQDN.
I'm still thinking that the security part of Phoenix needs to be revised.
> Phoenix-Spark plugin doesn't work in secured env
> ------------------------------------------------
>
> Key: PHOENIX-2817
> URL: https://issues.apache.org/jira/browse/PHOENIX-2817
> Project: Phoenix
> Issue Type: Bug
> Affects Versions: 4.4.0, 4.7.0
> Reporter: Sergey Soldatov
> Assignee: Sergey Soldatov
> Attachments: PHOENIX-2817-1.patch, PHOENIX-2817-2.patch,
> PHOENIX-2817-3.patch
>
>
> When the Phoenix Spark plugin is used with a secured setup, any attempt to perform an
> operation with PhoenixRDD causes an exception:
> {noformat}
> Caused by: java.io.IOException: Login failure for 2181 from keytab /hbase: javax.security.auth.login.LoginException: Unable to obtain password from user
> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
> at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:275)
> at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:386)
> at org.apache.hadoop.hbase.security.User.login(User.java:253)
> at org.apache.phoenix.query.ConnectionQueryServicesImpl.openConnection(ConnectionQueryServicesImpl.java:282)
> ... 107 more
> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
> ... 111 more
> {noformat}
> The reason is how zkUrl is handled in PhoenixRDD:
> {noformat}
> config.set(HConstants.ZOOKEEPER_QUORUM, url )
> {noformat}
> At the same time, {{ConnectionUtil.getInputConnection}} expects to see all
> parameters (quorum address, port, znodeParent) in different Configuration
> properties. As a result, it gets default values for port and znodeParent and
> adds them to the provided URL, so {{PhoenixEmbededDriver.create}} receives
> something like this:
> {noformat}
> jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase
> {noformat}
> and considers 2 fields as the Kerberos principal and keytab.
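
The URL mix-up described in the issue, as an added example that is not part of the original message or of Phoenix's code: a simplified Python model showing how storing the whole zkUrl as the quorum pushes the default port and znode parent into the principal and keytab positions. Function names are hypothetical, and the five-field order (quorum, port, znode parent, principal, keytab) is assumed from the issue text.

```python
# Simplified model of the URL handling described in PHOENIX-2817.
# Not Phoenix code: function names are hypothetical, field order follows the issue text.
QUORUM = "hbase.zookeeper.quorum"                 # HConstants.ZOOKEEPER_QUORUM
PORT = "hbase.zookeeper.property.clientPort"
ZNODE = "zookeeper.znode.parent"
DEFAULTS = {PORT: "2181", ZNODE: "/hbase"}        # defaults visible in the issue's URL
FIELDS = ("quorum", "port", "znode_parent", "principal", "keytab")


def build_jdbc_url(conf):
    """Join quorum, port and znode parent, falling back to defaults."""
    parts = [conf[QUORUM], conf.get(PORT, DEFAULTS[PORT]), conf.get(ZNODE, DEFAULTS[ZNODE])]
    return "jdbc:phoenix:" + ":".join(parts)


def parse_jdbc_url(url):
    """Map the colon-separated fields after the prefix onto FIELDS, in order."""
    prefix = "jdbc:phoenix:"
    if not url.startswith(prefix):
        raise ValueError("not a Phoenix JDBC URL")
    values = url[len(prefix):].split(":")
    if len(values) > len(FIELDS):
        raise ValueError("too many fields")
    return dict(zip(FIELDS, values))


def conf_from_zk_url(zk_url):
    """Split zkUrl into separate properties; absent parts stay unset."""
    values = zk_url.split(":")
    if not 1 <= len(values) <= 3 or not values[0]:
        raise ValueError("expected quorum[:port[:znodeParent]]")
    return {key: v for key, v in zip((QUORUM, PORT, ZNODE), values) if v}


def unexpected_credentials(url):
    """Return (principal, keytab) if the URL carries them, else None."""
    info = parse_jdbc_url(url)
    if "principal" in info or "keytab" in info:
        return info.get("principal"), info.get("keytab")
    return None


ZK_URL = "quorum:2181:/hbase-secure"              # constructed sample zkUrl
buggy_url = build_jdbc_url({QUORUM: ZK_URL})      # whole zkUrl stored as the quorum
fixed_url = build_jdbc_url(conf_from_zk_url(ZK_URL))
if __name__ == "__main__":
    print(buggy_url, unexpected_credentials(buggy_url))
    print(fixed_url, unexpected_credentials(fixed_url))
```

The principal and keytab recovered from the buggy URL are the same two values that appear in the "Login failure for 2181 from keytab /hbase" message in the stack trace.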