Posted to issues@drill.apache.org by "Sorabh Hamirwasia (JIRA)" <ji...@apache.org> on 2019/01/23 06:27:00 UTC

[jira] [Commented] (DRILL-6827) Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).

    [ https://issues.apache.org/jira/browse/DRILL-6827?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16749564#comment-16749564 ] 

Sorabh Hamirwasia commented on DRILL-6827:
------------------------------------------

Your configuration is incorrect. Please refer to the documentation here for WebServer configuration:
https://drill.apache.org/docs/configuring-drill-to-use-spnego-for-http-authentication/

Also, I am seeing that you have both SSL and SASL encryption enabled, which is overkill.


{code:java}
    user.encryption.sasl.enabled: true,
    user.encryption.sasl.max_wrapped_size: 65536
  },
  security.user.encryption.ssl: {
    enabled: true,
    keyPassword: "XXXXX",
    handshakeTimeout: 10000,
    provider: "JDK"
  },
  ssl: {
    keyStorePath: "XXXXX",
    keyStorePassword: "XXXXX",
    trustStorePath: "XXXXX",
    trustStorePassword: "XXXXX"
  }
{code}


> Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).
> --------------------------------------------------------------
>
>                 Key: DRILL-6827
>                 URL: https://issues.apache.org/jira/browse/DRILL-6827
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 1.14.0
>         Environment: * Apache Drill 1.14
>  * Cloudera CDH 5.14
>            Reporter: Ibrahim Safieddine
>            Priority: Critical
>
> Hello,
>  
> I am using Apache Drill 1.14 on a kerberized Cloudera cluster (CDH 5.14).
>  
> When I activate Kerberos authentication, the Drill server refuses to start with the error:
> org.apache.drill.exec.exception.DrillbitStartupException: Authentication is enabled for WebServer but none of the security mechanism was configured properly. Please verify the configurations and try again.
>  
> I can see in the logs that the Kerberos authentication is OK:
> [main] INFO  o.a.d.exec.server.BootStrapContext - Process user name: 'root' and logged in successfully as 'tata/xx.yy.zz@XX.YY'
>  
> Can you help me please?
>  
> Based on the Apache Drill documentation, here is my conf/drill-override.conf:
>  
> drill.exec: {
>   cluster-id: "drillbits1",
>   zk.connect: "xx.yy.zz:2181",
>   service_name: "service1",
>   impersonation: {
>     enabled: true,
>     max_chained_user_hops: 3
>   },
>   security: {
>     user.auth.enabled:true,
>     auth.mechanisms:["KERBEROS"],
>     auth.principal:"tata/xx.yy.zz@XX.YY",
>     auth.keytab:"keytab1.keytab",
>     drill.exec.security.auth.auth_to_local:hive,
>     auth.realm: "XX.YY",
>     user.encryption.sasl.enabled: true,
>     user.encryption.sasl.max_wrapped_size: 65536
>   },
>   security.user.encryption.ssl: {
>     enabled: true,
>     keyPassword: "XXXXX",
>     handshakeTimeout: 10000,
>     provider: "JDK"
>   },
>   ssl: {
>     keyStorePath: "XXXXX",
>     keyStorePassword: "XXXXX",
>     trustStorePath: "XXXXX",
>     trustStorePassword: "XXXXX"
>   },
>   http: {
>     enabled: true,
>     auth.enabled: false,
>     auth.mechanisms: ["KERBEROS"],
>     ssl_enabled: true,
>     port: 8047
>     session_max_idle_secs: 3600, # Default value 1hr
>     cors: {
>       enabled: false,
>       allowedOrigins: ["null"],
>       allowedMethods: ["GET", "POST", "HEAD", "OPTIONS"],
>       allowedHeaders: ["X-Requested-With", "Content-Type", "Accept", "Origin"],
>       credentials: true
>     }
>   }
> }
>  Thank you
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
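
The web server part of the exchange above, as an added example that is not part of the original thread or the Drill project's own configuration: a sketch of a `drill-override.conf` in which the RPC layer keeps Kerberos while the HTTP layer uses SPNEGO, with key names following the SPNEGO documentation linked in the comment. Every value in angle brackets is a placeholder assumption to be replaced with site-specific principals and keytab paths.

```hocon
# Added example (not from the thread). Values in <...> are placeholders.
drill.exec: {
  cluster-id: "drillbits1",
  zk.connect: "<zookeeper-host>:2181",

  security: {
    # User-to-drillbit RPC authentication: Kerberos through SASL.
    user.auth.enabled: true,
    auth.mechanisms: ["KERBEROS"],
    auth.principal: "<drill-service-principal>@<REALM>",
    auth.keytab: "<path-to-drill-service-keytab>"
  },

  http: {
    enabled: true,
    ssl_enabled: true,
    port: 8047,

    # Before (from the reporter's config): the web server was given the
    # RPC mechanism name, which it does not implement:
    #   auth.mechanisms: ["KERBEROS"]
    #
    # After: the web server's Kerberos-based mechanism is SPNEGO, and it
    # needs its own HTTP service principal and keytab to initialize.
    auth.mechanisms: ["SPNEGO"],
    auth.spnego.principal: "HTTP/<drillbit-hostname>@<REALM>",
    auth.spnego.keytab: "<path-to-http-service-keytab>"
  }
}
```

The keytab named in `auth.spnego.keytab` holds a long-term service credential, so it should be readable only by the account that runs the drillbit.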