[ https://issues.apache.org/jira/browse/PHOENIX-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15251700#comment-15251700 ]

Gonzalo Herreros edited comment on PHOENIX-2817 at 4/21/16 10:50 AM:
---------------------------------------------------------------------

For people waiting on this fix there is a very simple workaround provided that 
you use the default zk port and path.
It's as simple as only listing the server names "server1,server2" so the 
plugin builds the url correctly:
jdbc:phoenix:server1,server2:2181:/hbase

Then the delegation tokens set up by spark-submit take care of security so 
Phoenix doesn't need to do anything with principals or keytabs.

The thing I find a bit confusing is that for other tools the zookeeper quorum 
URL includes the port and the path, while for Phoenix the zk quorum property is 
just the server list.


was (Author: gherreros):
For people waiting on this fix there is a very simple workaround provided that 
you use the default zk port and path.
It's as simple as only listing the server names "server1,server2" so the 
plugin builds the url correctly:
jdbc:phoenix:server1,server2:2181:/hbase

Then the delegation tokens set up by spark-submit take care of security so 
Phoenix doesn't need to do anything with principals or keytabs.

The thing I find a bit confusing is that for other tools the zookeeper quorum 
URL includes the port and the path, while for Phoenix the zk quorum is just the 
server list.

> Phoenix-Spark plugin doesn't work in secured env
> ------------------------------------------------
>
>                 Key: PHOENIX-2817
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2817
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.7.0
>            Reporter: Sergey Soldatov
>            Assignee: Sergey Soldatov
>             Fix For: 4.8.0
>
>         Attachments: PHOENIX-2817-1.patch, PHOENIX-2817-2.patch, 
> PHOENIX-2817-3.patch
>
>
> When the Phoenix Spark plugin is used with a secured setup, any attempt to 
> perform an operation with PhoenixRDD causes an exception:
> {noformat}
> Caused by: java.io.IOException: Login failure for 2181 from keytab /hbase: javax.security.auth.login.LoginException: Unable to obtain password from user
>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
>       at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:275)
>       at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:386)
>       at org.apache.hadoop.hbase.security.User.login(User.java:253)
>       at org.apache.phoenix.query.ConnectionQueryServicesImpl.openConnection(ConnectionQueryServicesImpl.java:282)
>       ... 107 more
> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
>       at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
>       at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
>       at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:497)
>       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>       at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>       at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
>       ... 111 more
> {noformat}
> The reason is how zkUrl is handled in PhoenixRDD: 
> {noformat}
> config.set(HConstants.ZOOKEEPER_QUORUM, url )
> {noformat}
> At the same time, {{ConnectionUtil.getInputConnection}} expects to see all 
> parameters (quorum address, port, znodeParent) in different Configuration 
> properties. As a result it gets default values for port and znodeParent and 
> adds them to the provided url, so {{PhoenixEmbededDriver.create}} receives 
> something like this:
> {noformat}
> jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase
> {noformat}
> and considers 2 fields as Kerberos principal and keytab.



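The URL doubling described in the issue, and why the server-names-only workaround avoids it, as an added example: a simplified Python model, not Phoenix code and not part of the original message. The function names are hypothetical, and the positional field order (quorum, port, root node, principal, keytab) is assumed from the issue text and the stack trace.

```python
# Simplified model of the URL handling described in PHOENIX-2817.
# Not Phoenix source code; all function names are hypothetical.

PREFIX = "jdbc:phoenix:"
# Assumed positional layout of the URL after the prefix.
FIELDS = ("quorum", "port", "root_node", "principal", "keytab")
DEFAULT_PORT = "2181"     # defaults as they appear in the issue's example URL
DEFAULT_ZNODE = "/hbase"


def build_url(quorum_property, port=DEFAULT_PORT, znode=DEFAULT_ZNODE):
    """Append port and znode parent to the quorum property, which is what
    the issue says happens when they are not set as separate properties."""
    return f"{PREFIX}{quorum_property}:{port}:{znode}"


def parse_url(url):
    """Split the part after the prefix into positional fields."""
    if not url.startswith(PREFIX):
        raise ValueError("not a Phoenix JDBC URL")
    parts = url[len(PREFIX):].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many fields in URL")
    parsed = dict.fromkeys(FIELDS)      # fields not present stay None
    parsed.update(zip(FIELDS, parts))
    return parsed


def triggers_keytab_login(quorum_property):
    """True when the composed URL carries principal/keytab fields,
    i.e. the driver would attempt a keytab login with those values."""
    parsed = parse_url(build_url(quorum_property))
    return parsed["principal"] is not None or parsed["keytab"] is not None


if __name__ == "__main__":
    # First value: full zkUrl stored in the quorum property (the bug).
    # Second value: server names only (the workaround from the comment).
    for prop in ("quorum:2181:/hbase-secure", "server1,server2"):
        url = build_url(prop)
        print(url)
        print("  parsed:", parse_url(url))
        print("  keytab login attempted:", triggers_keytab_login(prop))
```

In the failing case the parsed principal is "2181" and the keytab is "/hbase", which matches the "Login failure for 2181 from keytab /hbase" line in the stack trace.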