phoenix-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rafa <raf...@gmail.com>
Subject Re: Cannot connect phoenix client in kerberos cluster
Date Fri, 20 Oct 2017 08:30:58 GMT
Hi Mallieswari,

As far as I know you can configure queryServer to connect to a secured
cluster with a proper keytab and principal on its configuration. Once the
queryserver is started that way you can connect with a simple:

 python sqlline-thin.py http://hostname:8765

can you login correctly in the cluster with the used keytab? could you
regenerate the keytab?
have you started the queryserver with the keytab and the log confirms it
has authenticated correctly?

regards,
rafa

On Thu, Oct 19, 2017 at 7:55 AM, Mallieswari Dineshbabu <
dmallieswari@gmail.com> wrote:

> Hi Rafa,
>
> following are the checksum failed exception with additional logs gathered
> in query server side.
>
>         ... 19 more
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.
> decrypt(ArcFourCry
> pto.java:408)
>         at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(
> ArcFourHmac.jav
> a:91)
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.
> decrypt(ArcFourHma
> cEType.java:100)
>         ... 25 more
> 17/10/19 05:42:10 DEBUG server.AvaticaJsonHandler: HTTP request from
> 172.0.0.4 i
> s unauthenticated and authentication is required
> 17/10/19 05:42:10 DEBUG server.HttpConnection:
> org.apache.phoenix.shaded.org.ecl
> ipse.jetty.server.HttpConnection$SendCallback@5891b2c8[PROCESSING][i=
> ResponseInf
> o{HTTP/1.1 404 null,278,false},cb=org.apache.phoenix.shaded.org.eclipse.
> jetty.se
> rver.HttpChannel$CommitCallback@76bf3474] generate: NEED_HEADER
> (null,[p=0,l=278
> ,c=2048,r=278],true)@START
> 17/10/19 05:42:10 DEBUG server.HttpConnection:
> org.apache.phoenix.shaded.org.ecl
> ipse.jetty.server.HttpConnection$SendCallback@5891b2c8[PROCESSING][i=
> ResponseInf
> o{HTTP/1.1 404 null,278,false},cb=org.apache.phoenix.shaded.org.eclipse.
> jetty.se
> rver.HttpChannel$CommitCallback@76bf3474] generate: FLUSH
> ([p=0,l=210,c=8192,r=2
> 10],[p=0,l=278,c=2048,r=278],true)@COMPLETING
> 17/10/19 05:42:10 DEBUG io.WriteFlusher: write: WriteFlusher@3d86d805{IDLE}
> [Hea
> pByteBuffer@58e0ca22[p=0,l=210,c=8192,r=210]={<<<HTTP/1.1 404 Not
> ...z-SNAPSHOT)
> \r\n\r\n>>>erver: Jetty(9.2....\x00\x00\x00\x00\
> x00\x00\x00\x00\x00\x00\x00\x00\
> x00\x00\x00},HeapByteBuffer@30ce894[p=0,l=278,c=2048,r=
> 278]={<<<<html>\n<head>\n
> <me.../body>\n</html>\n>>>\x00\x00\x00\x00\x00\x00\x00\
> x00\x00\x00\x00\x00\x00\x
> 00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
> x00\x00\x00\x00\x00}]
> 17/10/19 05:42:10 DEBUG io.WriteFlusher: update WriteFlusher@3d86d805
> {WRITING}:I
> DLE-->WRITING
>
> Regards,
> Mallieswari D
>
> On Thu, Oct 12, 2017 at 11:00 AM, Mallieswari Dineshbabu <
> dmallieswari@gmail.com> wrote:
>
>> Hi Rafa,
>>
>> As per your concerns, I have updated the JCE policy and tested now
>> getting "Checksum Failed" Exception. Please find the error below.
>>
>>
>>
>> GSSException: Failure unspecified at GSS-API level (Mechanism level: *Checksum
>> fa*
>>
>> *iled*)
>>
>>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Cont
>> ext.java:
>>
>> 788)
>>
>>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java
>>
>> :342)
>>
>>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java
>>
>> :285)
>>
>>         at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(
>> SpNegoCon
>>
>> text.java:871)
>>
>>         at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(
>> SpNegoContext
>>
>> .java:544)
>>
>>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java
>>
>> :342)
>>
>>         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContext
>> Impl.java
>>
>> :285)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoL
>> oginServi
>>
>> ce.login(SpnegoLoginService.java:137)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authent
>> ication.L
>>
>> oginAuthenticator.login(LoginAuthenticator.java:61)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.authent
>> ication.S
>>
>> pnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.security.Securit
>> yHandler.
>>
>> handle(SecurityHandler.java:512)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.H
>> andlerLis
>>
>> t.handle(HandlerList.java:52)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.handler.H
>> andlerWra
>>
>> pper.handle(HandlerWrapper.java:97)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.Server.ha
>> ndle(Serv
>>
>> er.java:499)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpChann
>> el.handle
>>
>> (HttpChannel.java:311)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.server.HttpConne
>> ction.onF
>>
>> illable(HttpConnection.java:257)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.io.AbstractConne
>> ction$2.r
>>
>> un(AbstractConnection.java:544)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.Queu
>> edThreadP
>>
>> ool.runJob(QueuedThreadPool.java:635)
>>
>>         at org.apache.phoenix.shaded.org.eclipse.jetty.util.thread.Queu
>> edThreadP
>>
>> ool$3.run(QueuedThreadPool.java:555)
>>
>>         at java.lang.Thread.run(Thread.java:744)
>>
>> Caused by: KrbException: Checksum failed
>>
>>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(
>> ArcFourHma
>>
>> cEType.java:102)
>>
>>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(
>> ArcFourHma
>>
>> cEType.java:94)
>>
>>         at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:
>> 177)
>>
>>         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
>>
>>         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
>>
>>         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecCon
>> textToken
>>
>> .java:108)
>>
>>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Cont
>> ext.java:
>>
>> 771)
>>
>>         ... 19 more
>>
>> Caused by: java.security.GeneralSecurityException: Checksum failed
>>
>>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(
>> ArcFourCry
>>
>> pto.java:408)
>>
>>         at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFou
>> rHmac.jav
>>
>> a:91)
>>
>>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(
>> ArcFourHma
>>
>> cEType.java:100)
>>
>>         ... 25 more
>>
>>
>>
>> Please help me to fix this .
>>
>>
>> Regards,
>>
>>
>> Mallieswari D
>>
>> On Wed, Oct 11, 2017 at 5:42 PM, rafa <rafa13@gmail.com> wrote:
>>
>>> Hi Mallieswari,
>>>
>>> The error:
>>>
>>> KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not
>>> supported/enabled
>>>
>>> points to JCE not installed or incorrectly installed in the JVM.
>>>
>>> What I have configured is : Phoenix query server connects itself to the
>>> secured cluster with a valid kerberos principal and keytab.
>>>
>>> The access to query server : sqlline-thin.py http://hostname:8765
>>>
>>> Regards,
>>> rafa
>>>
>>
>>
>>
>> --
>> Thanks and regards
>> D.Mallieswari
>>
>
>
>
> --
> Thanks and regards
> D.Mallieswari
>

Mime
View raw message