Support Questions

Find answers, ask questions, and share your expertise

Phoenix Query Server Connection URL example?

avatar
Master Guru

I am looking for an example PQS connection url which has kerberos params. My cluster is kerberized and the example on the apache phoenix site shows this as example:

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>[...]

The site documents the kerberos params. However I would like to see a working example. Any example appreciated.

Extra Info:

Configurations relating to server connecting to a secure cluster.
PropertyDescriptionDefault
hbase.security.authenticationWhen set to "kerberos", the server will attempt to log in before initiating Phoenix connections.Specified hbase-default.xml
phoenix.queryserver.keytab.fileThe key to look for keytab file.unset
phoenix.queryserver.kerberos.principalThe kerberos principal to use when authenticating.unset
phoenix.queryserver.dns.nameserverThe DNS hostnamedefault
phoenix.queryserver.dns.interfaceThe name of the network interface to query for DNS.default
1 ACCEPTED SOLUTION

avatar
Super Guru

There are two sides here. The documentation that you listed and @ssoldatov confirmed are accurate for PQS to connect to HBase. The other side, which is likely missing as "official" Apache Phoenix documentation, is the thin-client configuration properties.

These properties are presently available at http://calcite.apache.org/avatica/docs/client_reference.html. The sqlline-thin.py script will automatically configure them for you, but you would have to provide them when using the thin JDBC driver directly. In practice, it would look something like the following when you have already performed a Kerberos login

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>;authentication=SPNEGO

Alternatively, you can provide a principal and keytab which the thin driver will use to login automatically:

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>;authentication=SPNEGO;principal=my_user;keytab=/home/my_user/my_user.keytab

View solution in original post

18 REPLIES 18

avatar
Super Guru

Hey Chris -- using localhost definitely won't work. You must use the FQDN in the URL you supply (which must match the FQDN in the principal which PQS is using. I'm not sure why you would be getting an HTTP/404 though. I'd take a look at the PQS logs to see if anything is there. Would be best to not piggy-back on this issue and ask a new question instead. Feel free to tag me there so I'm sure to see it.

avatar

thanks will do.

BTW - last piggy-back! - I checked the log (/usr/hadoop/log/hbase/phoenix-hbase-server.log) its giving this,

2016-11-03 15:00:54,679 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)



avatar
Super Guru

Sadly, "Checksum failed" could be for numerous different reasons. You can try to set "-Dsun.security.spnego.debug=true" in PHOENIX_QUERYSERVER_OPTS in hbase-env.sh for lots of debug after a restart of PQS. This will require careful reading and observation (based on principals and hostnames) to figure out what went wrong though.

avatar
New Contributor

Which O/S you are using for the KDC server? Is it same as the other cluster servers? If you also use Ranger encryption, there something else step you need to do. try kinit -V -k -t /etc/security/keytabs/spnego.service.keytab HTTP/YOUR_SERVER_DOMAIN@EXAMPLE.COM and hbase shell. if you scan the table like 'scan 'SYSTEM.CATALOG'. then try thin client once again.

avatar
Explorer

hi @elserj ,

can you share hbase connection string with krb5 configurations?

 

thanks,

jyothsna

avatar
Explorer

I have a question regarding to this...

If I wanna connect to a https url, and I specify the truststore=** after the url, still it will show error

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What else am i missing?

avatar
Super Guru

There is no version of Avatica released which has the ability to specify the truststore.

avatar
New Contributor

Anyone has a working solution for this I tried pheonixdb but nothing suggested above works currently or I am not using the configs properly

avatar
Super Guru

To the best of my knowledge, python-phoenixdb (https://bitbucket.org/lalinsky/python-phoenixdb) does not have support for SPENGO which is implicitly required when a cluster has Kerberos authentication enabled. Please open your own question if you have more information to share.