phoenix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Mahonin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (PHOENIX-2817) Phoenix-Spark plugin doesn't work in secured env
Date Mon, 04 Apr 2016 23:46:25 GMT

    [ https://issues.apache.org/jira/browse/PHOENIX-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15225298#comment-15225298
] 

Josh Mahonin commented on PHOENIX-2817:
---------------------------------------

In PhoenixRDD.scala, you likely want to check if the Option returned by getZookeeperUrl 'isEmpty'
instead of '== null'.

{noformat}
if(ConfigurationUtil.getZookeeperURL(config).isEmpty) {
{noformat}

As well, I don't believe the 'concat()' function is null-safe. I tried this and got an NPE:
{noformat}
val foo: String = null
val bar: String = ""
def concat (str: String*) = str filter (_.nonEmpty) mkString ":"
concat(foo, bar)
{noformat}

An alternative would be to wrap each conf.get() in an Option (since Option(null) == None),
then flatten the list to remove the Nones, for something like this:

{noformat}
  def getZookeeperURL(conf: Configuration): Option[String] = {
      List(
        Option(conf.get(HConstants.ZOOKEEPER_QUORUM)),
        Option(conf.get(HConstants.ZOOKEEPER_CLIENT_PORT)),
        Option(conf.get(HConstants.ZOOKEEPER_ZNODE_PARENT))
      ).flatten match {
        case Nil => None
        case x: List[String] => Some(x.mkString(":"))
      }
  }
{noformat}

That's not necessarily ideal either, since someone could end up with a weird url like "2181:/hbase",
but it's probably an unlikely scenario. FWIW, I don't think you need to update the wording
in the exception to include all 3 parameters.

> Phoenix-Spark plugin doesn't work in secured env
> ------------------------------------------------
>
>                 Key: PHOENIX-2817
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2817
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.7.0
>            Reporter: Sergey Soldatov
>            Assignee: Sergey Soldatov
>         Attachments: PHOENIX-2817-1.patch, PHOENIX-2817-2.patch
>
>
> When phoenix spark plugin is used with secured setup any attempt to perform operation
with PhoenixRDD cause an exception : 
> {noformat}
> Caused by: java.io.IOException: Login failure for 2181 from keytab /hbase: javax.security.auth.login.LoginException:
Unable to obtain password from user
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
> 	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:275)
> 	at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:386)
> 	at org.apache.hadoop.hbase.security.User.login(User.java:253)
> 	at org.apache.phoenix.query.ConnectionQueryServicesImpl.openConnection(ConnectionQueryServicesImpl.java:282)
> 	... 107 more
> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
> 	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
> 	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
> 	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
> 	... 111 more
> {noformat}
> The reason is the how zkUrl is handled in PhoenixRDD: 
> {noformat}
> config.set(HConstants.ZOOKEEPER_QUORUM, url )
> {noformat}
> At the same time the {{ConnectionUtil.getInputConnection}} expects to see all parameters
(quorum address, port, znodeParent) in different Configuration properties. As the result it
gets default values for port and znodeParent and adds it to the provided url, so the {{PhoenixEmbededDriver.create}}
receives something like that:
> {noformat}
> jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase
> {noformat}
> and consider 2 fields as kerberos principal and keytab.  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message