Apache Drill / DRILL-6457

Sqlline - infer Kerberos principal dynamically to be able to use individual keytabs across Drill nodes and still use ZooKeeper connection string for High Availability


Details

    Description

      Sqlline requires an explicit Kerberos 'principal=' parameter in its JDBC connection string, e.g.:

      zk=<list>;auth=kerberos;principal=mapr/<cluster_name>@REALM

      When Drill nodes are configured with individual keytabs containing the node's FQDN and configured like so:

      security: { auth.principal: mapr/_HOST@REALM }

      then the ZooKeeper connection string from sqlline does not work and results in a GSS Kerberos error:

      Caused by: KrbException: Identifier doesn't match expected value

      due to the mismatch between the explicit sqlline Kerberos principal and ZooKeeper's random drillbit's principal.

      For the connection to work in this case, it requires something more like:

      drillbits=$(hostname -f);auth=kerberos;principal=mapr/$(hostname -f)@REALM

      but this lacks the high availability of using the ZooKeeper connection string to connect to any available node.

      Hence it would be good if there was a way for sqlline arguments to be able to either infer the correct Kerberos principal to match the host that ZooKeeper tells it to connect to, or else accept a more generic parameter such as:

      zk=<list>;auth=kerberos;principal=mapr/_HOST@REALM

      I've tested the above but it doesn't work, showing that sqlline is not using a dynamic Kerberos principal to match the host it is connecting to.

          People

            Unassigned Unassigned
            harisekhon Hari Sekhon
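
The behaviour requested in the description, as an added example (not Drill or sqlline code, and not written by the reporter): the client expands `_HOST` in the `principal=` property with the FQDN of whichever drillbit ZooKeeper returned, so the requested service principal matches that node's own keytab entry. The class and method names, host names, ZooKeeper quorum and realm are hypothetical, and lowercasing the FQDN assumes the keytab principals were created with lowercase host names.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added illustration, not Drill source code. Class and method names are hypothetical.
public class HostPrincipalExample {
    static final String HOST_TOKEN = "_HOST";

    // Split "k1=v1;k2=v2" connection properties, the form used in the issue's examples.
    static Map<String, String> parseProps(String conn) {
        Map<String, String> props = new LinkedHashMap<>();
        for (String part : conn.split(";")) {
            int eq = part.indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("bad property: " + part);
            props.put(part.substring(0, eq).trim(), part.substring(eq + 1).trim());
        }
        return props;
    }

    // Expand service/_HOST@REALM for the endpoint actually selected.
    // A principal with a fixed instance part is returned unchanged.
    static String resolvePrincipal(String pattern, String endpointFqdn) {
        int slash = pattern.indexOf('/');
        int at = pattern.lastIndexOf('@');
        if (slash <= 0 || at <= slash + 1 || at == pattern.length() - 1) {
            throw new IllegalArgumentException("expected service/host@REALM: " + pattern);
        }
        if (!HOST_TOKEN.equals(pattern.substring(slash + 1, at))) return pattern;
        if (endpointFqdn == null || endpointFqdn.isEmpty()) {
            throw new IllegalArgumentException("endpoint FQDN is required to expand " + HOST_TOKEN);
        }
        // Assumption: keytab principals use lowercase FQDNs.
        return pattern.substring(0, slash + 1)
                + endpointFqdn.toLowerCase(Locale.ROOT) + pattern.substring(at);
    }

    public static void main(String[] args) {
        // Constructed sample values: quorum, host names and realm are placeholders.
        Map<String, String> props = parseProps(
                "zk=zk1.example.com:5181,zk2.example.com:5181;auth=kerberos;principal=mapr/_HOST@EXAMPLE.COM");
        // Stand-in for the drillbit endpoints a ZooKeeper lookup could return.
        List<String> endpointsFromZk = List.of("drill1.example.com", "Drill2.Example.com");
        for (String endpoint : endpointsFromZk) {
            System.out.println(endpoint + " -> " + resolvePrincipal(props.get("principal"), endpoint));
        }
    }
}
```

The expansion has to happen after the endpoint is chosen and before the GSS context is created, since the service ticket is requested for the resolved principal.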