spark-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Wright <>
Subject Re: Questions on Kerberos usage with YARN and JDBC
Date Sun, 13 Dec 2015 15:21:32 GMT
Kerberos seems to be working otherwise ... for example, we're using it
successfully to control access to HDFS and it's linked to AD ... we're
using Ranger if that helps. I'm not a systems admin guy so this is really
not my area of expertise.


*Mike Wright*
Principal Architect, Software Engineering
S&P Capital IQ and SNL

434-951-7816 *p*
434-244-4466 *f*
540-470-0119 *m*

On Fri, Dec 11, 2015 at 4:36 PM, Todd Simmer <> wrote:

> hey Mike,
> Are these part of an Active Directory Domain? If so are they pointed at
> the AD domain controllers that hosts the Kerberos server? Windows AD create
> SRV records in DNS to help windows clients find the Kerberos server for
> their domain. If you look you can see if you have a kdc record in Windows
> DNS and what it's pointing at. Can you do a
> kinit *username *
> on that host? It should tell you if it can find the KDC.
> Let me know if that's helpful at all.
> Todd
> On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright <> wrote:
>> As part of our implementation, we are utilizing a full "Kerberized"
>> cluster built on the Hortonworks suite. We're using Job Server as the front
>> end to initiate short-run jobs directly from our client-facing product
>> suite.
>> 1) We believe we have configured the job server to start with the
>> appropriate credentials, specifying a principal and keytab. We switch to
>> YARN-CLIENT mode and can see Job Server attempt to connect to the resource
>> manager, and the result is that whatever the principal name is, it "cannot
>> impersonate root."  We have been unable to solve this.
>> 2) We are primarily a Windows shop, hence our cluelessness here. That
>> said, we're using the JDBC driver version 4.2 and want to use JavaKerberos
>> authentication to connect to SQL Server. The queries performed by the job
>> are done in the driver, and hence would be running on the Job Server, which
>> we confirmed is running as the principal we have designated. However, when
>> attempting to connect with this option enabled I receive a "Unable to
>> obtain Principal Name for authentication" exception.
>> Reading this:
>> We have Kerberos working on the machine and thus have krb5.conf setup
>> correctly. However the section, "
>> ​​
>> Enabling the Domain Configuration File and the Login Module Configuration
>> File" seems to indicate we've missed a step somewhere.
>> Forgive my ignorance here ... I've been on Windows for 20 years and this
>> is all new to.
>> Thanks for any guidance you can provide.

View raw message