PHOENIX-2817

Phoenix-Spark plugin doesn't work in secured env

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.4.0, 4.7.0
    • Fix Version/s: 4.8.0
    • Labels:
      None

      Description

      When the Phoenix Spark plugin is used with a secured setup, any attempt to perform an operation with PhoenixRDD causes an exception:

      Caused by: java.io.IOException: Login failure for 2181 from keytab /hbase: javax.security.auth.login.LoginException: Unable to obtain password from user
      
      	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
      	at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:275)
      	at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.java:386)
      	at org.apache.hadoop.hbase.security.User.login(User.java:253)
      	at org.apache.phoenix.query.ConnectionQueryServicesImpl.openConnection(ConnectionQueryServicesImpl.java:282)
      	... 107 more
      Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
      
      	at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
      	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:497)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
      	... 111 more
      

      The reason is how zkUrl is handled in PhoenixRDD:

      config.set(HConstants.ZOOKEEPER_QUORUM, url )
      

      At the same time, ConnectionUtil.getInputConnection expects to see all parameters (quorum address, port, znodeParent) in different Configuration properties. As a result, it gets default values for port and znodeParent and adds them to the provided URL, so PhoenixEmbeddedDriver.create receives something like this:

      jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase
      

      and considers 2 fields as the Kerberos principal and keytab.
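
      The positional reading described above, as an added example that is not part of the original report and is not Phoenix's own parsing code. It assumes the documented URL layout `jdbc:phoenix:quorum:port:znodeParent:principal:keytab`; the class `ZkUrlFields` and its `diagnose` check are hypothetical. On the URL from the report the fourth and fifth fields are `2181` and `/hbase`, the same values that appear in the "Login failure for 2181 from keytab /hbase" message.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration: a simplified positional parser, NOT Phoenix's own code.
// Simplification: keytab paths that themselves contain ':' are not handled.
public class ZkUrlFields {
    static final String PREFIX = "jdbc:phoenix:";
    static final List<String> NAMES =
        Arrays.asList("quorum", "port", "znodeParent", "principal", "keytab");

    // Split the part after the prefix on ':'; a field's meaning is its position.
    static String[] parse(String url) {
        if (!url.startsWith(PREFIX)) {
            throw new IllegalArgumentException("not a Phoenix JDBC URL: " + url);
        }
        String[] fields = url.substring(PREFIX.length()).split(":");
        if (fields.length > NAMES.size()) {
            throw new IllegalArgumentException("too many fields in " + url);
        }
        return fields;
    }

    // Hypothetical sanity check to run before any keytab login is attempted.
    static String diagnose(String url) {
        String[] f = parse(url);
        if (f.length > 1 && !f[1].matches("\\d+")) {
            return "port is not numeric: " + f[1];
        }
        if (f.length > 3 && f[3].matches("\\d+")) {
            return "principal slot holds a number (" + f[3]
                + "): port/znodeParent were probably appended twice";
        }
        return "ok";
    }

    public static void main(String[] args) {
        String[] urls = {
            "jdbc:phoenix:quorum:2181:/hbase-secure",             // intended URL
            "jdbc:phoenix:quorum:2181:/hbase-secure:2181:/hbase"  // URL from the report
        };
        for (String url : urls) {
            String[] f = parse(url);
            System.out.println(url);
            for (int i = 0; i < f.length; i++) {
                System.out.println("  " + NAMES.get(i) + " = " + f[i]);
            }
            System.out.println("  check: " + diagnose(url));
        }
    }
}
```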

        Attachments

        1. PHOENIX-2817-3.patch
          7 kB
          Sergey Soldatov
        2. PHOENIX-2817-2.patch
          7 kB
          Sergey Soldatov
        3. PHOENIX-2817-1.patch
          3 kB
          Sergey Soldatov

            People

            • Assignee: Sergey Soldatov
            • Reporter: Sergey Soldatov