drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Parag Darji (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DRILL-5433) Authentication failed: Server requires authentication using [kerberos, plain]
Date Mon, 17 Apr 2017 23:21:41 GMT

    [ https://issues.apache.org/jira/browse/DRILL-5433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15968136#comment-15968136
] 

Parag Darji edited comment on DRILL-5433 at 4/17/17 11:20 PM:
--------------------------------------------------------------

I will look into scenario 1 permission.

Sorry I forgot to do the klist for test user.

{code}
host1:/var/log/ambari-server # su - test
test@:/home/test> klist
Ticket cache: FILE:/tmp/krb5cc_5007
Default principal: test/labhdp@LAB.COM

Valid starting     Expires            Service principal
04/13/17 15:00:25  04/14/17 15:00:25  krbtgt/LAB.COM@LAB.COM
        renew until 04/13/17 15:00:25
test@:/home/test> clear
test@:/home/test> sqlline -u "jdbc:drill:drillbit=host1.fqdn;auth=kerberos;principal=drill/ladhdp@LAB.COM"
Bad level value for property: java.util.logging.ConsoleHandler.level
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>> Look up native default credential cache
>>>KinitOptions cache name is /tmp/krb5cc_5007
>>>DEBUG <CCacheInputStream>  client principal is test/labhdp@LAB.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/LAB.COM@LAB.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Apr 13 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> start time: Thu Apr 13 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> end time: Fri Apr 14 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> renew_till time: Thu Apr 13 15:00:25 EDT 2017
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL;
>>>DEBUG <CCacheInputStream>  client principal is test/labhdp@LAB.COM
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/LAB.COM@LAB.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
Can't set level for java.util.logging.ConsoleHandler
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for test/labhdp@LAB.COM to go to krbtgt/LAB.COM@LAB.COM expiring on Fri Apr 14
15:00:25 EDT 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for test/labhdp@LAB.COM to go to krbtgt/LAB.COM@LAB.COM expiring on Fri Apr 14
15:00:25 EDT 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=host1.fqdn UDP:88, timeout=3, number of retries =3, #bytes=659
>>> KDCCommunication: kdc=host1.fqdn UDP:88, timeout=3,Attempt =1, #bytes=659
>>> KrbKdcReq send: #bytes read=161
>>> KdcAccessibility: remove host1.fqdn
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         cTime is Thu Aug 19 05:00:10 EDT 1982 398595610000
         sTime is Thu Apr 13 15:46:13 EDT 2017 1492112773000
         suSec is 302285
         error code is 7
         error Message is Server not found in Kerberos database
         crealm is LAB.COM
         cname is test/labhdp
         realm is LAB.COM
         sname is drill/ladhdp
         msgType is 30
KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:309)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:454)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:231)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:228)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.evaluateChallenge(AuthenticationOutcomeListener.java:228)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:89)
        at org.apache.drill.exec.rpc.user.UserClient.authenticate(UserClient.java:231)
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:155)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:432)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:379)
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:157)
        at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:72)
        at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
        at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:143)
        at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
        at sqlline.Commands.connect(Commands.java:1083)
        at sqlline.Commands.connect(Commands.java:1015)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:742)
        at sqlline.SqlLine.initArgs(SqlLine.java:528)
        at sqlline.SqlLine.begin(SqlLine.java:596)
        at sqlline.SqlLine.start(SqlLine.java:375)
        at sqlline.SqlLine.main(SqlLine.java:268)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        ... 39 more
Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)]] (state=,code=0)
java.sql.SQLException: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:166)
        at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:72)
        at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
        at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:143)
        at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
        at sqlline.Commands.connect(Commands.java:1083)
        at sqlline.Commands.connect(Commands.java:1015)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:742)
        at sqlline.SqlLine.initArgs(SqlLine.java:528)
        at sqlline.SqlLine.begin(SqlLine.java:596)
        at sqlline.SqlLine.start(SqlLine.java:375)
        at sqlline.SqlLine.main(SqlLine.java:268)
Caused by: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException:
Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:157)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:432)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:379)
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:157)
        ... 18 more
Caused by: javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused
by java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:207)
        at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:197)
        at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:85)
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:155)
        ... 21 more
Caused by: java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
        at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299)
        at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286)
        at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116)
        at com.google.common.util.concurrent.ForwardingFuture.get(ForwardingFuture.java:63)
        at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:78)
        ... 22 more
Caused by: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS
initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server
not found in Kerberos database (7) - UNKNOWN_SERVER)]
        at org.apache.drill.exec.rpc.RpcException.mapException(RpcException.java:60)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:105)
        at org.apache.drill.exec.rpc.user.UserClient.authenticate(UserClient.java:231)
        ... 22 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)
- UNKNOWN_SERVER)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:231)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:228)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.evaluateChallenge(AuthenticationOutcomeListener.java:228)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:89)
        ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 30 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:309)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:454)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
        ... 33 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        ... 39 more
apache drill 1.10.0
"the only truly happy people are children, the creative minority and drill users"
{code}


was (Author: pd47):
I will look into scenario 1 permission.

Sorry I forgot to do the klist for test user.

{code}
host1:/var/log/ambari-server # su - test
test@:/home/test> klist
Ticket cache: FILE:/tmp/krb5cc_5007
Default principal: test/labhdp@LAB.COM

Valid starting     Expires            Service principal
04/13/17 15:00:25  04/14/17 15:00:25  krbtgt/LAB.COM@LAB.COM
        renew until 04/13/17 15:00:25
test@:/home/test> clear
test@:/home/test> sqlline -u "jdbc:drill:drillbit=host1.fqdn;auth=kerberos;principal=drill/ladhdp@LAB.COM"
Bad level value for property: java.util.logging.ConsoleHandler.level
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>> Look up native default credential cache
>>>KinitOptions cache name is /tmp/krb5cc_5007
>>>DEBUG <CCacheInputStream>  client principal is test/labhdp@LAB.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/LAB.COM@LAB.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Apr 13 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> start time: Thu Apr 13 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> end time: Fri Apr 14 15:00:25 EDT 2017
>>>DEBUG <CCacheInputStream> renew_till time: Thu Apr 13 15:00:25 EDT 2017
>>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL;
>>>DEBUG <CCacheInputStream>  client principal is test/labhdp@LAB.COM
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/LAB.COM@LAB.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Dec 31 19:00:00 EST 1969
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
Can't set level for java.util.logging.ConsoleHandler
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for test/labhdp@LAB.COM to go to krbtgt/LAB.COM@LAB.COM expiring on Fri Apr 14
15:00:25 EDT 2017
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for test/labhdp@LAB.COM to go to krbtgt/LAB.COM@LAB.COM expiring on Fri Apr 14
15:00:25 EDT 2017
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=host1.fqdn UDP:88, timeout=3, number of retries =3, #bytes=659
>>> KDCCommunication: kdc=host1.fqdn UDP:88, timeout=3,Attempt =1, #bytes=659
>>> KrbKdcReq send: #bytes read=161
>>> KdcAccessibility: remove altbthdlhdpsb01.cscdev.com
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
         cTime is Thu Aug 19 05:00:10 EDT 1982 398595610000
         sTime is Thu Apr 13 15:46:13 EDT 2017 1492112773000
         suSec is 302285
         error code is 7
         error Message is Server not found in Kerberos database
         crealm is LAB.COM
         cname is test/labhdp
         realm is LAB.COM
         sname is drill/ladhdp
         msgType is 30
KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:309)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:454)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:231)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:228)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.evaluateChallenge(AuthenticationOutcomeListener.java:228)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:89)
        at org.apache.drill.exec.rpc.user.UserClient.authenticate(UserClient.java:231)
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:155)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:432)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:379)
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:157)
        at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:72)
        at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
        at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:143)
        at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
        at sqlline.Commands.connect(Commands.java:1083)
        at sqlline.Commands.connect(Commands.java:1015)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:742)
        at sqlline.SqlLine.initArgs(SqlLine.java:528)
        at sqlline.SqlLine.begin(SqlLine.java:596)
        at sqlline.SqlLine.start(SqlLine.java:375)
        at sqlline.SqlLine.main(SqlLine.java:268)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        ... 39 more
Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)]] (state=,code=0)
java.sql.SQLException: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException:
org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:166)
        at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:72)
        at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
        at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:143)
        at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
        at sqlline.Commands.connect(Commands.java:1083)
        at sqlline.Commands.connect(Commands.java:1015)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:742)
        at sqlline.SqlLine.initArgs(SqlLine.java:528)
        at sqlline.SqlLine.begin(SqlLine.java:596)
        at sqlline.SqlLine.start(SqlLine.java:375)
        at sqlline.SqlLine.main(SqlLine.java:268)
Caused by: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException:
Authentication failed unexpectedly. [Caused by java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:157)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:432)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:379)
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:157)
        ... 18 more
Caused by: javax.security.sasl.SaslException: Authentication failed unexpectedly. [Caused
by java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Server not found in Kerberos database (7) - UNKNOWN_SERVER)]]
        at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:207)
        at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:197)
        at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:85)
        at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:155)
        ... 21 more
Caused by: java.util.concurrent.ExecutionException: org.apache.drill.exec.rpc.RpcException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials
provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
        at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299)
        at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286)
        at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116)
        at com.google.common.util.concurrent.ForwardingFuture.get(ForwardingFuture.java:63)
        at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:78)
        ... 22 more
Caused by: org.apache.drill.exec.rpc.RpcException: javax.security.sasl.SaslException: GSS
initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server
not found in Kerberos database (7) - UNKNOWN_SERVER)]
        at org.apache.drill.exec.rpc.RpcException.mapException(RpcException.java:60)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:105)
        at org.apache.drill.exec.rpc.user.UserClient.authenticate(UserClient.java:231)
        ... 22 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)
- UNKNOWN_SERVER)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:231)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener$1.run(AuthenticationOutcomeListener.java:228)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.evaluateChallenge(AuthenticationOutcomeListener.java:228)
        at org.apache.drill.exec.rpc.security.AuthenticationOutcomeListener.initiate(AuthenticationOutcomeListener.java:89)
        ... 23 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 30 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
        at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:309)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:454)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
        ... 33 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
        ... 39 more
apache drill 1.10.0
"the only truly happy people are children, the creative minority and drill users"
{code}

> Authentication failed: Server requires authentication using [kerberos, plain]
> -----------------------------------------------------------------------------
>
>                 Key: DRILL-5433
>                 URL: https://issues.apache.org/jira/browse/DRILL-5433
>             Project: Apache Drill
>          Issue Type: Task
>          Components: Functions - Drill
>    Affects Versions: 1.10.0
>         Environment: OS: Redhat Linux 6.7, HDP 2.5.3, Kerberos enabled, Hardware: VmWare
>            Reporter: Parag Darji
>            Priority: Minor
>              Labels: newbie, security
>             Fix For: 1.10.0
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> I've setup Apace drill 1.10.0 on RHEL 6.7, HDP 2.5.3, kerberos enabled
> I'm getting below error while running "drill-conf" or sqlline as user "drill" which is
configured in the "drill-override.conf" file. 
> {code}
> drill@host:/opt/drill/bin>  drill-conf
> Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed: Server requires authentication using
[kerberos, plain]. Insufficient credentials? [Caused by javax.security.sasl.SaslException:
Server requires authentication using [kerberos, plain]. Insufficient credentials?] (state=,code=0)
> java.sql.SQLException: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException:
javax.security.sasl.SaslException: Authentication failed: Server requires authentication using
[kerberos, plain]. Insufficient credentials? [Caused by javax.security.sasl.SaslException:
Server requires authentication using [kerberos, plain]. Insufficient credentials?]
>         at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:166)
>         at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:72)
>         at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
>         at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:143)
>         at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
>         at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
>         at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
>         at sqlline.Commands.connect(Commands.java:1083)
>         at sqlline.Commands.connect(Commands.java:1015)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
>         at sqlline.SqlLine.dispatch(SqlLine.java:742)
>         at sqlline.SqlLine.initArgs(SqlLine.java:528)
>         at sqlline.SqlLine.begin(SqlLine.java:596)
>         at sqlline.SqlLine.start(SqlLine.java:375)
>         at sqlline.SqlLine.main(SqlLine.java:268)
> Caused by: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException:
Authentication failed: Server requires authentication using [kerberos, plain]. Insufficient
credentials? [Caused by javax.security.sasl.SaslException: Server requires authentication
using [kerberos, plain]. Insufficient credentials?]
>         at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:157)
>         at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:432)
>         at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:379)
>         at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:157)
>         ... 18 more
> Caused by: javax.security.sasl.SaslException: Authentication failed: Server requires
authentication using [kerberos, plain]. Insufficient credentials? [Caused by javax.security.sasl.SaslException:
Server requires authentication using [kerberos, plain]. Insufficient credentials?]
>         at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:204)
>         at org.apache.drill.exec.rpc.user.UserClient$3.mapException(UserClient.java:197)
>         at com.google.common.util.concurrent.AbstractCheckedFuture.checkedGet(AbstractCheckedFuture.java:85)
>         at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:155)
>         ... 21 more
> Caused by: javax.security.sasl.SaslException: Server requires authentication using [kerberos,
plain]. Insufficient credentials?
>         at org.apache.drill.exec.rpc.user.UserClient.getAuthenticatorFactory(UserClient.java:285)
>         at org.apache.drill.exec.rpc.user.UserClient.authenticate(UserClient.java:216)
>         ... 22 more
> apache drill 1.10.0
> "this isn't your grandfather's sql"
> {code}
> Same error when running below command:
> {code}
> sqlline --maxWidth=10000 -u "jdbc:drill:drillbit=host1.fqdn;auth=kerberos;principal=drill/ladhdp@LAB.COM"
> {code}
> "Drill" user has has valid keytab/ticket.
> The Drill UI is working fine with local authentication.
> drill-override.conf file:
> {code}
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "host1.fqdn:2181,host2.fqdn:2181,host3.fqdn:2181",
>   security: {
>           user.auth.enabled: true,
>           user.auth.impl: "pam",
>           user.auth.pam_profiles: [ "sudo", "login" ],
>           packages += "org.apache.drill.exec.rpc.user.security",
>           auth.mechanisms: ["KERBEROS","PLAIN"],
>           auth.principal: "drill/labhdp@LAB.COM",
>           auth.keytab: "/opt/drill/.keytab/drill.keytab"
>         }
> }
> {code}
> {code}
> cat drill-env.sh | egrep -v '^#|^$'
> export DRILLBIT_JAVA_OPTS="-Djava.library.path=/opt/pam/JPam-1.1/"
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message