[ https://issues.apache.org/jira/browse/DRILL-6827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16749564#comment-16749564 ]
Sorabh Hamirwasia commented on DRILL-6827:
------------------------------------------

Your configuration is incorrect. Please refer to the documentation here for WebServer configuration:
https://drill.apache.org/docs/configuring-drill-to-use-spnego-for-http-authentication/

Also, I am seeing that you have both SSL and SASL encryption enabled, which is overkill.

{code:java}
    user.encryption.sasl.enabled: true,
    user.encryption.sasl.max_wrapped_size: 65536
  },
  security.user.encryption.ssl: {
    enabled: true,
    keyPassword: "XXXXX",
    handshakeTimeout: 10000,
    provider: "JDK"
  },
  ssl: {
    keyStorePath: "XXXXX",
    keyStorePassword: "XXXXX",
    trustStorePath: "XXXXX",
    trustStorePassword: "XXXXX"
  }
{code}

> Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).
> --------------------------------------------------------------
>
>                 Key: DRILL-6827
>                 URL: https://issues.apache.org/jira/browse/DRILL-6827
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.14.0
>         Environment: * Apache Drill 1.14
>                      * Cloudera CDH 5.14
>            Reporter: Ibrahim Safieddine
>            Priority: Critical
>
> Hello,
>
> I am using Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).
>
> When I activate Kerberos authentication, the Drill server refuses to start with this error:
> {color:#ff0000}_org.apache.drill.exec.exception.DrillbitStartupException: Authentication is enabled for WebServer but none of the security mechanism was configured properly. Please verify the configurations and try again._{color}
>
> I can see in the logs that the Kerberos authentication is OK:
> [main] INFO o.a.d.exec.server.BootStrapContext - Process user name: 'root' and logged in successfully as 'tata/xx.yy...@xx.yy'
>
> Can you help me please?
>
> Based on the Apache Drill documentation, here is my conf/drill-override.conf:
>
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "xx.yy.zz:2181",
>   service_name: "service1",
>   impersonation: {
>     enabled: true,
>     max_chained_user_hops: 3
>   },
>   security: {
>     user.auth.enabled:true,
>     auth.mechanisms:["KERBEROS"],
>     auth.principal:"tata/xx.yy...@xx.yy",
>     auth.keytab:"keytab1.keytab",
>     drill.exec.security.auth.auth_to_local:hive,
>     auth.realm: "XX.YY",
>     user.encryption.sasl.enabled: true,
>     user.encryption.sasl.max_wrapped_size: 65536
>   },
>   security.user.encryption.ssl: {
>     enabled: true,
>     keyPassword: "XXXXX",
>     handshakeTimeout: 10000,
>     provider: "JDK"
>   },
>   ssl: {
>     keyStorePath: "XXXXX",
>     keyStorePassword: "XXXXX",
>     trustStorePath: "XXXXX",
>     trustStorePassword: "XXXXX"
>   },
>   http: {
>     enabled: true,
>     auth.enabled: false,
>     auth.mechanisms: ["KERBEROS"],
>     ssl_enabled: true,
>     port: 8047
>     session_max_idle_secs: 3600, # Default value 1hr
>     cors: {
>       enabled: false,
>       allowedOrigins: ["null"],
>       allowedMethods: ["GET", "POST", "HEAD", "OPTIONS"],
>       allowedHeaders: ["X-Requested-With", "Content-Type", "Accept", "Origin"],
>       credentials: true
>     }
>   }
> }
>
> Thank you

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
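
An added example, not part of the JIRA thread or the Drill project's own files: the reported `http` block next to a form that follows the SPNEGO page linked in the comment, with only one user-channel encryption layer kept. It assumes the goal is Kerberos single sign-on for the web UI; the principal and keytab values are placeholders, and keeping SSL rather than SASL encryption is an arbitrary choice made for the example.

```hocon
# Added example; placeholders in <angle brackets> must be replaced.
drill.exec: {
  security: {
    user.auth.enabled: true,
    # KERBEROS is a mechanism for the user (client-to-drillbit) channel.
    auth.mechanisms: ["KERBEROS"],
    # (auth.principal / auth.keytab stay as in the reported file)

    # Reported file: SASL encryption AND SSL both enabled on the user channel.
    # Keep one layer. Assumption for this example: keep SSL, turn SASL wrapping off.
    user.encryption.sasl.enabled: false
  },
  security.user.encryption.ssl: {
    enabled: true
    # (keyPassword, handshakeTimeout, provider stay as in the reported file)
  },
  # (ssl: { keyStorePath ... trustStorePassword } stays as in the reported file)

  http: {
    enabled: true,
    ssl_enabled: true,
    port: 8047,

    # Reported file:
    #   auth.mechanisms: ["KERBEROS"]
    # The web server is configured with SPNEGO (and/or FORM) instead, and
    # SPNEGO needs its own HTTP service principal and keytab.
    auth.mechanisms: ["SPNEGO"],
    auth.spnego.principal: "HTTP/<drillbit-host>@<REALM>",
    auth.spnego.keytab: "<path/to/spnego.keytab>"
  }
}
```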