Phoenix Query Server Connection URL example?

avatar
Master Guru

I am looking for an example PQS connection URL which has Kerberos params. My cluster is kerberized and the example on the Apache Phoenix site shows this as an example:

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>[...]

The site documents the Kerberos params. However, I would like to see a working example. Any example appreciated.

Extra Info:

Configurations relating to server connecting to a secure cluster.

| Property | Description | Default |
| hbase.security.authentication | When set to "kerberos", the server will attempt to log in before initiating Phoenix connections. | Specified hbase-default.xml |
| phoenix.queryserver.keytab.file | The key to look for keytab file. | unset |
| phoenix.queryserver.kerberos.principal | The kerberos principal to use when authenticating. | unset |
| phoenix.queryserver.dns.nameserver | The DNS hostname | default |
| phoenix.queryserver.dns.interface | The name of the network interface to query for DNS. | default |

1 ACCEPTED SOLUTION

avatar
Super Guru

There are two sides here. The documentation that you listed and @ssoldatov confirmed are accurate for PQS to connect to HBase. The other side, which is likely missing as "official" Apache Phoenix documentation, is the thin-client configuration properties.

These properties are presently available at http://calcite.apache.org/avatica/docs/client_reference.html. The sqlline-thin.py script will automatically configure them for you, but you would have to provide them when using the thin JDBC driver directly. In practice, it would look something like the following when you have already performed a Kerberos login:

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>;authentication=SPNEGO

Alternatively, you can provide a principal and keytab which the thin driver will use to log in automatically:

jdbc:phoenix:thin:url=<scheme>://<server-hostname>:<port>;authentication=SPNEGO;principal=my_user;keytab=/home/my_user/my_user.keytab


18 REPLIES

avatar
Super Guru

Hey Chris -- using localhost definitely won't work. You must use the FQDN in the URL you supply (which must match the FQDN in the principal which PQS is using). I'm not sure why you would be getting an HTTP/404 though. I'd take a look at the PQS logs to see if anything is there. Would be best to not piggy-back on this issue and ask a new question instead. Feel free to tag me there so I'm sure to see it.
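Added example (not written by any poster in this thread and not code from the Phoenix or Avatica projects): a Python pre-flight check for the thin-client URL forms shown in the accepted solution, which also flags the non-FQDN host problem described in the reply above. The function names, the host pqs1.example.com and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

PREFIX = "jdbc:phoenix:thin:"

# Constructed sample URLs (hypothetical host and paths, not from the thread).
GOOD_URL = ("jdbc:phoenix:thin:url=http://pqs1.example.com:8765;authentication=SPNEGO;"
            "principal=my_user;keytab=/home/my_user/my_user.keytab")
BAD_URL = "jdbc:phoenix:thin:url=http://localhost:8765;principal=my_user"


def parse_thin_url(jdbc_url):
    """Split a thin-client JDBC URL into a dict of its ';'-separated properties."""
    if not jdbc_url.startswith(PREFIX):
        raise ValueError("not a Phoenix thin-client URL")
    props = {}
    for part in jdbc_url[len(PREFIX):].split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")  # first '=' only; the url value has none
        if not sep:
            raise ValueError(f"property without '=': {part!r}")
        props[key] = value
    return props


def check_kerberos_url(jdbc_url):
    """Return a list of problems that would break SPNEGO against a kerberized PQS."""
    props = parse_thin_url(jdbc_url)
    problems = []
    host = urlsplit(props.get("url", "")).hostname or ""
    if not host:
        problems.append("url= has no hostname")
    elif host == "localhost" or "." not in host or re.fullmatch(r"[\d.]+", host):
        # Short names and IP addresses cannot match the FQDN in the PQS principal.
        problems.append(f"host {host!r} is not an FQDN matching the PQS principal")
    if props.get("authentication") != "SPNEGO":  # spelled exactly as in the answer
        problems.append("authentication=SPNEGO is missing")
    if ("principal" in props) != ("keytab" in props):
        # The driver's automatic login needs both values.
        problems.append("principal and keytab must be given together")
    return problems


if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print(url, "->", check_kerberos_url(url) or "ok")
```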

avatar

Thanks, will do.

BTW - last piggy-back! - I checked the log (/usr/hadoop/log/hbase/phoenix-hbase-server.log) and it's giving this:

2016-11-03 15:00:54,679 WARN org.apache.phoenix.shaded.org.eclipse.jetty.security.SpnegoLoginService:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)



avatar
Super Guru

Sadly, "Checksum failed" could be for numerous different reasons. You can try to set "-Dsun.security.spnego.debug=true" in PHOENIX_QUERYSERVER_OPTS in hbase-env.sh for lots of debug after a restart of PQS. This will require careful reading and observation (based on principals and hostnames) to figure out what went wrong though.

avatar
New Contributor

Which OS are you using for the KDC server? Is it the same as the other cluster servers? If you also use Ranger encryption, there is something else you need to do. Try kinit -V -k -t /etc/security/keytabs/spnego.service.keytab HTTP/YOUR_SERVER_DOMAIN@EXAMPLE.COM and hbase shell. If you scan the table, like scan 'SYSTEM.CATALOG', then try the thin client once again.

avatar
Explorer

Hi @elserj,

Can you share the HBase connection string with krb5 configurations?

 

Thanks,

jyothsna

avatar
Explorer

I have a question regarding this...

If I wanna connect to an https URL, and I specify the truststore=** after the URL, it will still show this error:

java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What else am I missing?

avatar
Super Guru

There is no version of Avatica released which has the ability to specify the truststore.

avatar
New Contributor

Does anyone have a working solution for this? I tried phoenixdb, but nothing suggested above works currently, or I am not using the configs properly.

avatar
Super Guru

To the best of my knowledge, python-phoenixdb (https://bitbucket.org/lalinsky/python-phoenixdb) does not have support for SPNEGO, which is implicitly required when a cluster has Kerberos authentication enabled. Please open your own question if you have more information to share.