Date: Tue, 5 Apr 2016 10:19:25 +0000 (UTC)
From: "Ankit Singhal (JIRA)"
To: dev@phoenix.incubator.apache.org
Subject: [jira] [Commented] (PHOENIX-2817) Phoenix-Spark plugin doesn't work in secured env

    [ https://issues.apache.org/jira/browse/PHOENIX-2817?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15226031#comment-15226031 ]

Ankit Singhal commented on PHOENIX-2817:
----------------------------------------

bq. We can, but the match/cases will be still there

Do we really need match case and concat after
{code}
new PhoenixEmbeddedDriver.ConnectionInfo(zkQuorum, port, znodeParent).toString()
{code}

bq. As for kerberos stuff I'm not sure. principal/keytab pair is specific for the particular machine/session. It's fine when we use it in jdbc driver because we know that all communication with HBase will be done on this machine, but for MR/Yarn jobs that would not work

I think the MR framework serializes the client configuration and makes it available in all M/R contexts. And the bulkload tool (FormatToBytesWritableMapper#setup) in Phoenix uses it to open a connection.
But anyway, your patch can still work if hbase-site.xml is in the classpath of the client machine, as it will be included in the configuration before sending to other nodes.

> Phoenix-Spark plugin doesn't work in secured env
> ------------------------------------------------
>
>                 Key: PHOENIX-2817
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-2817
>             Project: Phoenix
>          Issue Type: Bug
>    Affects Versions: 4.4.0, 4.7.0
>            Reporter: Sergey Soldatov
>            Assignee: Sergey Soldatov
>         Attachments: PHOENIX-2817-1.patch, PHOENIX-2817-2.patch, PHOENIX-2817-3.patch
>
>
> When the Phoenix Spark plugin is used with a secured setup, any attempt to perform an operation with PhoenixRDD causes an exception:
> {noformat}
> Caused by: java.io.IOException: Login failure for 2181 from keytab /hbase: javax.security.auth.login.LoginException: Unable to obtain password from user
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
> 	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:275)
> 	at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:386)
> 	at org.apache.hadoop.hbase.security.User.login(User.java:253)
> 	at org.apache.phoenix.query.ConnectionQueryServicesImpl.openConnection(ConnectionQueryServicesImpl.java:282)
> 	... 107 more
> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
> 	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
> 	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
> 	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> 	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
> 	... 111 more
> {noformat}
> The reason is how zkUrl is handled in PhoenixRDD:
> {noformat}
> config.set(HConstants.ZOOKEEPER_QUORUM, url )
> {noformat}
> At the same time, {{ConnectionUtil.getInputConnection}} expects to see all parameters (quorum address, port, znodeParent) in different Configuration properties. As a result, it gets default values for port and znodeParent and adds them to the provided url, so {{PhoenixEmbeddedDriver.create}} receives something like this:
> {noformat}
> jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase
> {noformat}
> and considers 2 fields as the Kerberos principal and keytab.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
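
The field shift described in the issue, reproduced as an added example (not code from the Phoenix project or from either participant). It models only the colon-separated field order named in the report (quorum, port, znodeParent, principal, keytab); the class name, method names and the "all-digits principal" heuristic are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of the field order described in the issue:
// jdbc:phoenix:<quorum>:<port>:<znodeParent>:<principal>:<keytab>
// Not Phoenix's parser; all names here are hypothetical.
public class ZkUrlFieldDemo {
    static final String PREFIX = "jdbc:phoenix:";

    // Split the part after the prefix into positional fields.
    static List<String> fields(String url) {
        if (!url.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a Phoenix JDBC URL: " + url);
        }
        return Arrays.asList(url.substring(PREFIX.length()).split(":"));
    }

    // Per the issue: the whole zkUrl was stored as the quorum, then the
    // default port and znodeParent were appended to it.
    static String doubledUrl(String zkUrl, int defaultPort, String defaultZnode) {
        return PREFIX + zkUrl + ":" + defaultPort + ":" + defaultZnode;
    }

    // Heuristic guard (assumption): a principal made only of digits is a
    // port number that slid into field 4, so fail before any keytab login.
    static void checkSecurityFields(List<String> f) {
        if (f.size() <= 3) return;                   // no principal/keytab given
        String principal = f.get(3);
        String keytab = f.size() > 4 ? f.get(4) : "";
        if (principal.matches("\\d+")) {
            throw new IllegalArgumentException("field 4 '" + principal
                + "' looks like a port, not a principal (keytab field: '"
                + keytab + "'); was a full zkUrl stored as the quorum?");
        }
    }

    public static void main(String[] args) {
        String zkUrl = "quorum:2181:/hbase-secure";  // value taken from the issue
        List<String> bad = fields(doubledUrl(zkUrl, 2181, "/hbase"));
        System.out.println("fields:    " + bad);
        System.out.println("principal: " + bad.get(3) + "  keytab: " + bad.get(4));
        try {
            checkSecurityFields(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:  " + e.getMessage());
        }
        List<String> good = fields(PREFIX + zkUrl);  // three fields only
        checkSecurityFields(good);                   // passes: nothing in field 4
        System.out.println("ok:        " + good);
    }
}
```

The doubled URL yields principal `2181` and keytab `/hbase`, the same pair that appears in the `Login failure for 2181 from keytab /hbase` message in the stack trace.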