[ https://issues.apache.org/jira/browse/PHOENIX-6414?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303627#comment-17303627 ]

Riccardo commented on PHOENIX-6414:
-----------------------------------

Hi Istvan,

the connection to the queryserver is direct and on the server side we see:
```
<2021-03-17T08:42:11.326+0100> <WARN> <security.SpnegoLoginService>: <>
GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
 at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
 at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:138)
 at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:61)
 at org.apache.phoenix.shaded.org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
 at org.apache.calcite.avatica.server.AvaticaSpnegoAuthenticator.validateRequest(AvaticaSpnegoAuthenticator.java:43)
 at org.apache.phoenix.shaded.org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
 at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
 at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
 at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.handle(Server.java:534)
 at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:320)
 at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
 at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
 at org.apache.phoenix.shaded.org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
 at org.apache.phoenix.shaded.org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
 at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
 at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
 at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
 at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
 at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
 at java.lang.Thread.run(Thread.java:748)
```

For the Python package versions, I have:
```
Successfully installed SQLAlchemy-1.4.0 certifi-2020.12.5 chardet-4.0.0 
decorator-4.4.2 greenlet-1.0.0 gssapi-1.6.12 idna-2.10 phoenixdb-1.0.0 
protobuf-3.15.6 requests-2.25.1 requests-gssapi-1.2.3 six-1.15.0 urllib3-1.26.4
```

curl works:

```
---->>curl -k --negotiate -u : http://pqs1:8765/thisisatest
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 </title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /thisisatest. Reason:
<pre> Not Found</pre></p>
<hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.z-SNAPSHOT</a><hr/>
</body>
</html>
---->>curl http://pqs1:8765/thisisatest
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 </title>
</head>
<body>
<h2>HTTP ERROR: 401</h2>
<p>Problem accessing /thisisatest. Reason:
<pre> Unauthorized</pre></p>
<hr /><a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.z-SNAPSHOT</a><hr/>
</body>
</html>
---->>
```



We are using requests_gssapi with other SPNEGO services and it works, so I 
don't think it's a problem with our Kerberos config.

 

> Access to Phoenix from Python using SPNEGO
> ------------------------------------------
>
>                 Key: PHOENIX-6414
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6414
>             Project: Phoenix
>          Issue Type: Bug
>          Components: queryserver
>    Affects Versions: 5.0.0
>            Reporter: Carlos García Montoro
>            Priority: Major
>              Labels: patch
>         Attachments: phoenixdb.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> When connecting to Phoenix from Python using "SPNEGO" as the authentication 
> mechanism an exception occurs:
> {{import phoenixdb}}
> {{import phoenixdb.cursor}}
> {{database_url = 'http://myphoenixdb:8765/'}}
> {{conn = phoenixdb.connect(database_url, autocommit=True, authentication="SPNEGO")}}
> Causes this exception:
> {{>>> conn = phoenixdb.connect(database_url, autocommit=True, authentication="SPNEGO")}}
> {{venv/lib/python3.6/site-packages/phoenixdb/avatica/client.py:121: RuntimeWarning: Unexpected end-group tag: Not all data was converted}}
> {{ if not err.ParseFromString(message.wrapped_message):}}
> {{Traceback (most recent call last):}}
> {{ File "<stdin>", line 1, in <module>}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/__init__.py", line 121, in connect}}
> {{ return Connection(client, **kwargs)}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/connection.py", line 53, in __init__}}
> {{ self.open()}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/connection.py", line 98, in open}}
> {{ self._client.open_connection(self._id, info=self._phoenix_props)}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/avatica/client.py", line 363, in open_connection}}
> {{ response_data = self._apply(request)}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/avatica/client.py", line 215, in _apply}}
> {{ parse_error_protobuf(response_body)}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/avatica/client.py", line 128, in parse_error_protobuf}}
> {{ raise_sql_error(err.error_code, err.sql_state, err.error_message)}}
> {{ File "venv/lib/python3.6/site-packages/phoenixdb/avatica/client.py", line 96, in raise_sql_error}}
> {{ raise errors.InternalError(message, code, sqlstate)}}
> {{phoenixdb.errors.InternalError: ('', 0, '', None)}}
> This problem is caused by the authentication mechanism because phoenixdb is 
> using Kerberos 5 instead of SPNEGO.
> To resolve the issue we have patched the package applying the idea behind the 
> "Explicit Mechanism" described in [https://pypi.org/project/requests-gssapi/] 
> when the authentication is SPNEGO. The attached file has the patch applied.
> If you want, I can create a branch and pull request this change.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
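
Added example, not part of the Jira thread or of phoenixdb: the server log above rejects mechanism OID 1.2.840.113554.1.2.2, and the issue description attributes the failure to phoenixdb using Kerberos 5 instead of SPNEGO, so this code reads the outer GSS-API mechanism OID from a captured `Authorization: Negotiate` header value to show which of the two a client sent. The function names and both sample headers are constructed for illustration; 1.3.6.1.5.5.2 is the standard SPNEGO OID and does not appear in the thread.

```python
import base64

KRB5_OID = "1.2.840.113554.1.2.2"  # raw Kerberos 5 mechanism, the OID in the server log
SPNEGO_OID = "1.3.6.1.5.5.2"       # SPNEGO negotiation mechanism

def _der_length(buf, pos):  # decode a DER length; return (length, position after it)
    if pos >= len(buf):
        raise ValueError("truncated token")
    if buf[pos] < 0x80:                   # short form: the byte is the length
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F                   # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(body):  # DER OID content bytes -> dotted notation
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID encoding")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends one arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def negotiate_mechanism(header_value):
    """Return the outer GSS-API mechanism OID of an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip(), validate=True)
    if not token or token[0] != 0x60:     # RFC 2743 initial token starts with 0x60
        raise ValueError("not a GSS-API initial context token")
    _, pos = _der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        raise ValueError("mechanism OID missing")
    oid_len, pos = _der_length(token, pos + 1)
    if pos + oid_len > len(token):
        raise ValueError("truncated OID")
    return _decode_oid(token[pos:pos + oid_len])

def _sample(oid_hex, inner):  # constructed header: real OID bytes, placeholder inner token
    body = b"\x06" + bytes([len(oid_hex) // 2]) + bytes.fromhex(oid_hex) + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

RAW_KRB5 = _sample("2a864886f712010202", b"\x01\x00")  # raw Kerberos 5 initial token
WRAPPED = _sample("2b0601050502", b"\xa0\x00")         # SPNEGO-wrapped initial token
```

Comparing the OID returned for the header sent by phoenixdb with the one sent by `curl --negotiate` shows whether the two clients present different mechanisms to the query server.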
