[ 
https://issues.apache.org/jira/browse/DRILL-7149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16968866#comment-16968866
 ] 

Paul Rogers commented on DRILL-7149:
------------------------------------

I'm not a Kerberos expert, but I can perhaps provide a few hints.

Drill information for enabling Kerberos is 
[here|http://drill.apache.org/docs/configuring-kerberos-security/].

My advice is to get one Drillbit working on CDH using these instructions. Then, 
use that information to configure DoY.

The examples suggest putting the keytab file in the absolute location 
{{/etc/drill/conf}}. This is probably not the right choice on a CDH cluster.  

If the keytab is the same for all Drill nodes, then place the file in your 
{{$DRILL_SITE/conf}} directory. The site directory is copied from your DoY 
client machine to each Drill node ("localized" in YARN terminology).

You will need to change the config file to point to that location. IIRC, the 
{{$DRILL_SITE}} environment variable is available to Drill.

The config file shown in the above-cited page is the one you create in your DoY 
client site directory. DoY will localize that file to every Drillbit running 
under YARN.

If the documentation is accurate, then you only need the config options and the 
keytab file. You should be able to pass these along to Drill using the "stock" 
DoY.

The trick would come in if you need to generate the keytab file per host. (Here 
my knowledge of Kerberos is very weak.) You will learn this as you try the step 
suggested above: running Drill on a CDH node by hand to learn what 
configuration is required.

> Kerberos Code Missing from Drill on YARN
> ----------------------------------------
>
>                 Key: DRILL-7149
>                 URL: https://issues.apache.org/jira/browse/DRILL-7149
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.14.0
>            Reporter: Charles Givre
>            Priority: Blocker
>
> My company is trying to deploy Drill using the Drill on Yarn (DoY) and we 
> have run into the issue that DoY does not seem to support passing Kerberos 
> credentials in order to interact with HDFS. 
> Upon checking the source code available in GIT 
> (https://github.com/apache/drill/blob/1.14.0/drill-yarn/src/main/java/org/apache/drill/yarn/core/)
>  and referring to Apache YARN documentation 
> (https://hadoop.apache.org/docs/current/hadoop-yarn/hadoop-yarn-site/YarnApplicationSecurity.html)
>  , we saw no section for passing the security credentials needed by the 
> application to interact with any Hadoop cluster services and applications. 
> This we feel needs to be added to the source code so that delegation tokens 
> can be passed inside the container for the process to be able to access Drill 
> archive on HDFS and start. It probably should be added to the 
> ContainerLaunchContext within the ApplicationSubmissionContext for DoY as 
> suggested under Apache documentation.
>  
> We tried the same DoY utility on a non-kerberised cluster and the process 
> started well. Although we ran into a different issue there of hosts getting 
> blacklisted.
> We tested with the Single Principal per cluster option.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
