Hi Sorabh,Thankyou for the quick response (and apologies for the second post -
I didn't think it had gone through).
I'm effectively trying to model a large machine and wanted to keep my initial
post short. I'll give a more detailed description. The system layout is as
follows:node000.local ldap/kerberos/NTP/CA/DNS node.node001.local
zookeeper/kafka/drillnode002.local zookeeper/kafka/drillnode003.local
zookeeper/kafka/drillnode004.local namenode/datanodenode005.local secondary
namenode/datanodenode006.local datanodenode007.local datanode
clusterid, local, LOCAL and node00N represent the real hostnames, cluster,
REALM and FQDNs.
I've set up principles as
follows:zookeeper/clusterid@LOCALzclient/clusterid@LOCAL
I could not get zk to work with a single clusterid principle across the
3-member zk cluster so resorted to:zookeeper/node001.local -> zookeeper.keytab
(on node001)zookeeper/node002.local -> " (on
node002)
zookeeper/node002.local -> " (on node003)
zclient/node001.local -> zclient.keytab (on node001)zclient/node002.local ->
" (on node002)
zclient/node002.local -> " (on node003)
Zookeeper works with this config.
The relevant drill config is as follows: impersonation: { enabled: true,
max_chained_user_hops: 3 }, security.auth: {
mechanisms:["KERBEROS","PLAIN"], principal:"drill/clusterid@LOCAL",
keytab:"/etc/security/keytabs/drill.keytab" } security.user: {
auth.enabled: true, auth.packages +=
"org.apache.drill.exec.rpc.user.security", auth.impl: "pam4j",
auth.pam_profiles: ["sudo", "login"], }
The permissions on the keytab are as follows (I have not tried to integrate
HDFS, yet):-rw------- 1 drill drill 558 Apr 18 20:11
drill.keytab-rw------- 1 drill drill 614 Apr 18 20:11
drill_client.keytab-rw------- 1 zookeeper zookeeper 302 Apr 18 18:27
zclient.keytab-rw------- 1 zookeeper zookeeper 310 Apr 18 18:27 zookeeper.keytab
drill@node000:~$ id drilluid=649(drill) gid=1002(drill)
groups=1002(drill),994(zookeeper),993(hadoop)drill@node000:~$ id
zookeeperuid=996(zookeeper) gid=994(zookeeper) groups=994(zookeeper)
I'll re-read your posts and take a good look when I'm less tired.Thanks
again.Cheers, Chris.
From: Sorabh Hamirwasia <[email protected]>To: "[email protected]"
<[email protected]>, Spiro Ketal <[email protected]>Subject:
Re: ldap, kerberos zookeeper and drill integration - Drill failing to
authenticateDate: Thu, 19 Apr 2018 03:45:40 +0000
Hi Spiro,For the error while connecting using sqlline:- Do you have TGT
generated for your client user which you are using to connect to Drill ? If yes
can you check if sqlline process user has access to that ticket file or not ?
Can you please share your sqlline command? Also can you share your
drill-override.conf config ?
Instruction on how to configure for Kerberos on server and client side are
here[1]. Not sure if you got chance to look at it.
As far as enabling Drill authentication to zookeeper is concerned I have not
tried it but Drill internally uses curator framework to connect to Zookeeper.
So it will depend upon how Curator supports authenticating using Kerberos. From
quick search it looks like just providing a JAAS conf file to below system
property should be good enough.
-Djava.security.auth.login.config
I would say first let's try to make DrillClient to Drillbit path working with
Kerberos.
[1]: https://drill.apache.org/docs/configuring-kerberos-security/
Thanks,Sorabh
________________________________From: Spiro Ketal
<[email protected]>Sent: Wednesday, April 18, 2018 7:41:55 PMTo:
[email protected]: ldap, kerberos zookeeper and drill integration -
Drill failing to authenticate
Dear Apache List Members,I have a test system that comprises of several VMs One
provides (integrated) OpenLDAP/Kerberos5 services (LDAP backend) and I've
integrated zookeeper with this (via JAAS). The authentication works but I had
to use a per node config (with FQDNs) to achieve this. (ie.
zk/node0001.my.domain; zk/node0002.my.domain, ..., instead of
zk/[email protected])My goal is to have drill authenticate and to be able to use
the underlying java DoAs() functionality to interact with HDFS and zookeeper. I
don't quite understand how the kerberos authentication works in the case of
drill. Does the drill software provide a kerberos authenticated client
connection to zookeeper? The drill cluster appears to start OK (without
client-side authentication to zookeeper - which I'd like to remedy) but I seem
to be receiving errors relating to GSSAPI when I attempt to connect to the
drill via sqlline: Error: Failure in connecting to Drill:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException:
Failed to login. [Caused by javax.security.auth.login.LoginException: Unable to
obtain password from user] (state=,code=0)I've tried various combinations but
can't seem to get drill to authenticate.Any assistance or pointers would be
greatly appreciated.Thanks.Cheers, Spiro.
