Support Questions
Find answers, ask questions, and share your expertise

Authenticate Phoenix JDBC connection using Ranger and AD

New Contributor

Hello.

Im having issues trying to connect to HBase using Phoenix and a JDBC connection to Phoenix. I'm planning on using Phoenix to send and receive data to the HBase database using spring boot to implement an API to interface with our HBase database. In order to do this i need to create a connection to the Phoenix server from my java project. I made a sample project to test making a connection to the Phoenix server and query for some data. The HBase database is secured using kerberos which meant that the location of the keytabs and the kerberos principle for HBase had to be supplied. I was successfully able to make a connection and retrieve data while running the project on the cluster, but whilst trying to run the project outside of the server, i was not successful. Ranger is used to manage different authentication methods for our cluster, and the machine that i am trying to run the project on unsuccessfully is included in rangers user list using active-directory. The user is also part of the HBase group for ranger also.

Im very new to Ranger, kerberos and Phoenix so it could be a very simple mistake that i am making. But my project is still throwing an exception for the user credentials not being found for the user. Bellow is the connection string i was using as well as the stack trace of the errors that are being displayed. Any help would be greatly appreciated. Thanks in advance.

jdbc:phoenix:[Zookeeper server address]:2181:[hbase znode]:[Kerberos Principle]:/etc/security/keytabs/hbase.headless.keytab

java.sql.SQLException: ERROR 103 (08004): Unable to establish connection.
java.sql.SQLException: ERROR 103 (08004): Unable to establish connection.
at org.apache.phoenix.exception.SQLExceptionCode$Factory$1.newException(
SQLExceptionCode.java:489)
at org.apache.phoenix.exception.SQLExceptionInfo.buildException(SQLExcep
tionInfo.java:150)
at org.apache.phoenix.jdbc.PhoenixEmbeddedDriver$ConnectionInfo.normaliz
e(PhoenixEmbeddedDriver.java:396)
at org.apache.phoenix.jdbc.PhoenixDriver.getConnectionQueryServices(Phoe
nixDriver.java:238)
at org.apache.phoenix.jdbc.PhoenixEmbeddedDriver.createConnection(Phoeni
xEmbeddedDriver.java:150)
at org.apache.phoenix.jdbc.PhoenixDriver.connect(PhoenixDriver.java:221)

at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at PhoenixConnectionTest.main(PhoenixConnectionTest.java:21)
Caused by: java.io.IOException: Login failure for hbase-bil-hdp-app-01.prometric
.qc2@HADOOP.PROMETRIC.QC2 from keytab /etc/security/keytabs/hbase.headless.keyta
b: javax.security.auth.login.LoginException: Unable to obtain password from user


at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(U
serGroupInformation.java:962)
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:246)
at org.apache.hadoop.hbase.security.User$SecureHadoopUser.login(User.jav
a:420)
at org.apache.hadoop.hbase.security.User.login(User.java:258)
at org.apache.phoenix.jdbc.PhoenixEmbeddedDriver$ConnectionInfo.normaliz
e(PhoenixEmbeddedDriver.java:387)
... 6 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password f
rom user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown So
urce)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Un
known Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(U
serGroupInformation.java:953)
... 10 more

1 REPLY 1

Super Collaborator

If you are using your own kerberos principal, make sure that you've created a keytab for it. Otherwise, you must specify the principal that is listed in hbase.headless.keytab (you may check the list of them using klist -k -t /etc/security/keytabs/hbase.headless.keytab). Also make sure that the user is able to read keytab file.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.