Details
- Type: Improvement
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
Description
stoty found that we aren't doing _HOST expansion for PQS. We naturally get this for the principal we use to talk to HBase (by virtue of using SecurityUtil/UGI to log in). However, for SPNEGO, we're using the Avatica API to do this, so it doesn't do this "Hadoop-ism" for us.
We can use SecurityUtil to do it ourselves and then pass the correct hostname into the Avatica HttpServer.Builder API.
The error you get when _HOST is set is pretty obtuse on the server side; including it here to help the poor soul who ventures here with a similar error.
2019-07-17 08:48:03,383 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - DES3 CBC mode with SHA1-KD)
We identified the problem by seeing, in -Dsun.security.spnego.debug=true -Dsun.security.krb5.debug=true output, the following:
Looking for keys for: HTTP/_HOST@EXAMPLE.COM
At this point in the call, we should have had an expanded "instance" in the principal.
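The expansion described above, as an added example (not code from the Phoenix patch). It assumes hadoop-common is on the classpath; the class name `SpnegoPrincipalResolver` and the sample principal are hypothetical. It also fails fast when `_HOST` survives expansion, instead of letting the server start and fail later with the GSSException shown above.

```java
import java.io.IOException;
import java.net.InetAddress;

import org.apache.hadoop.security.SecurityUtil;

/** Hypothetical helper: expand _HOST in a SPNEGO principal before configuring Avatica. */
public final class SpnegoPrincipalResolver {
  private static final String HOST_PATTERN = "_HOST";

  private SpnegoPrincipalResolver() {}

  /**
   * Expands a configured principal such as HTTP/_HOST@EXAMPLE.COM.
   * SecurityUtil only substitutes when the principal has the three-part form
   * service/_HOST@REALM; anything else is returned unchanged, so check the result.
   */
  static String resolve(String configured, String hostname) throws IOException {
    if (configured == null || configured.isEmpty()) {
      throw new IllegalArgumentException("SPNEGO principal is not configured");
    }
    // A null hostname (or "0.0.0.0") makes Hadoop look up the local FQDN itself.
    String expanded = SecurityUtil.getServerPrincipal(configured, hostname);
    if (expanded == null || expanded.contains(HOST_PATTERN)) {
      // Refuse to start with a principal that cannot match any keytab entry.
      throw new IllegalStateException(
          "Unexpanded " + HOST_PATTERN + " in SPNEGO principal '" + configured
              + "'; expected the form service/" + HOST_PATTERN + "@REALM");
    }
    return expanded;
  }

  public static void main(String[] args) throws IOException {
    String configured = "HTTP/_HOST@EXAMPLE.COM"; // constructed sample value
    String fqdn = InetAddress.getLocalHost().getCanonicalHostName();
    String principal = resolve(configured, fqdn);
    System.out.println("SPNEGO principal: " + principal);
    // Pass `principal` (not `configured`) to the Avatica HttpServer.Builder
    // SPNEGO configuration so the server looks up the right keytab entry.

    try {
      // No realm: SecurityUtil leaves this untouched, and the guard rejects it.
      resolve("HTTP/_HOST", fqdn);
    } catch (IllegalStateException expected) {
      System.out.println("Rejected: " + expected.getMessage());
    }
  }
}
```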