
Mapr-drill cannot authenticate using PLAIN mechanism

Question asked by reedv on Jan 9, 2018
Latest reply on Jan 12, 2018 by maprcommunity

Having PLAIN authentication error when trying to run queries or access drill-explorer.

Have installed mapr 6.0 using the installer script and have drill installed and running on all nodes:

[mapr@mapr001 ~]$ clush -ab 'jps'
---------------
mapr001
---------------
...
160245 Drillbit
...
73244 CLDB
---------------
mapr002
---------------
...
121401 Drillbit
...
---------------
mapr003
---------------
134738 Drillbit
...
.
.
.

I also already have the query service set up (not sure what this does, I am just looking at the docs; I did not follow this particular instruction, since the output already looked like what the docs showed it was supposed to be):

[mapr@mapr001 ~]$ maprcli cluster queryservice getconfig
storageplugin zookeeper                                                                        znode  clusterid                         enabled
dfs           mapr001.cluster.local:5181,mapr002.cluster.local:5181,mapr003.cluster.local:5181 /drill uceramapr.cluster.local-drillbits true

This is the last instruction in the mapr docs for installing drill.

 

At this point, I try to inspect some log files with drill explorer using the apache drill docs and get connection errors saying:

ERROR [08S01] [MapR][Drill] (30)  Handshake failure occurred while trying to connect to local=172.18.4.101:31010. Server message: [30018]Handshake Failed due to an error on the server. [Server message was: (28c8b842-d472-43bd-93c1-55f0b15bf5d0) Invalid user credentials: The server doesn't allow client without encryption support. Please upgrade your client or talk to your system administrator.]

Yet, in drill explorer connection dialog, I am choosing plain authentication and mapr 6.0 uses the latest version of drill (1.11):

[mapr@mapr001 ~]$ yum info mapr-drill
Installed Packages
Name        : mapr-drill
Arch        : noarch
Version     : 1.11.0.201711161142
... 
Repo        : installed
...

Checking the drill web UI, the enabled storage plugins are cp and dfs (following the "connecting drill to datasources" docs). Have also installed the libjpam.so file in a directory /opt/pam (as per the documentation for setting up plain authentication). 

 

I also can't connect to drill via sqlline:

[mapr@mapr002 ingest_scripts]$ /opt/mapr/drill/drill-1.11.0/bin/sqlline

OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
apache drill 1.11.0-mapr
"what ever the mind of man can conceive and believe, drill can query"

sqlline> !connect jdbc:drill:zk=mapr001:5181,mapr002:5181,mapr003:5181
Enter username for jdbc:drill:zk=mapr001:5181,mapr002:5181,mapr003:5181: mapr
Enter password for jdbc:drill:zk=mapr001:5181,mapr002:5181,mapr003:5181: ***********
Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Authentication failed. [Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, Error Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?] [Caused by javax.security.sasl.SaslException: Cannot initiate authentication using PLAIN mechanism. Insufficient credentials or selected mechanism doesn't support configured security layers?] (state=,code=0)

Yet, can successfully query "SELECT * FROM sys.drillbits;" from within the drill web UI.

 

Ultimately, my drill conf files look like:

drill-env.sh:

....

#-------------------- my changes
# configuring for plain authentication
# see https://drill.apache.org/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication
export DRILLBIT_JAVA_OPTS="-Djava.library.path=/opt/pam"

 


# enable user impersonation
# see https://maprdocs.mapr.com/52/Drill/configure_user_impersonation.html#ConfiguringUserImpersonat_31359203-d3e64
MAPR_TICKETFILE_LOCATION=/opt/mapr/conf/mapruserticket
MAPR_IMPERSONATION_ENABLED=true

 

# enable mapr-hive user impersonation
# see https://maprdocs.mapr.com/52/Drill/hive_impersonation_step_1.html

# not using maprsasle_keytab since not using kerberos
export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.sasl.client=false -Djava.library.path=/opt/pam/"
export DRILL_JAVA_OPTS="$DRILL_JAVA_OPTS -Dmapr_sec_enabled=true -Dhadoop.login=maprsasl -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dmapr.library.flatclass"

 

drill-override.conf:

....

# base distributed install setup
# see https://drill.apache.org/docs/installing-drill-on-the-cluster/
drill.exec: {
  cluster-id: "mycluster-drillbits",
  zk.connect: "mapr001:5181,mapr002:5181,mapr003:5181"
}

 

# configuring for user impersonation
# see https://drill.apache.org/docs/configuring-user-impersonation/#configuring-impersonation-and-chaining
# also enables mapr-hive user impersonation, see https://maprdocs.mapr.com/52/Drill/hive_impersonation_step_2.html
drill.exec.impersonation: {
  enabled: true,
  max_chained_user_hops: 3
}

 

# configure for plain authentication
# see https://drill.apache.org/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication
drill.exec.security: {          
  auth.mechanisms : ["PLAIN", "MAPRSASL"],
}
drill.exec.security.user.auth {
  enabled: true,
  packages += "org.apache.drill.exec.rpc.user.security",
  impl: "pam",
  pam_profiles: [ "sudo", "login" ]
}

 

Does anyone else have any idea what other steps must be taken to get drill and drill-explorer working?

Thanks.
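
Added example, not part of the original post: a small Python triage helper that parses the two client errors quoted above and reports whether each one is a SASL mechanism/encryption mismatch. It relies on the fact that SASL PLAIN (RFC 4616) defines no security layer, so it cannot satisfy a connection that requires encryption; the function names and verdict strings are hypothetical, and the sample messages are copied (trimmed) from the post.

```python
import re

# Can the SASL mechanism negotiate a security layer? PLAIN: no (RFC 4616); GSSAPI: yes (RFC 4752).
SECURITY_LAYER = {"PLAIN": False, "GSSAPI": True}

DETAILS_RE = re.compile(r"\[Details:\s*(.*?)\]", re.S)
MECH_RE = re.compile(r"authentication using ([A-Z0-9_-]+) mechanism")
NEEDS_ENC_RE = re.compile(r"doesn't allow client without encryption support")

# Sample input: the two error messages quoted in the post (trimmed).
SQLLINE_ERROR = (
    "javax.security.sasl.SaslException: Authentication failed. "
    "[Details: Encryption: enabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0, "
    "Error Cannot initiate authentication using PLAIN mechanism. Insufficient "
    "credentials or selected mechanism doesn't support configured security layers?]"
)
ODBC_ERROR = (
    "[30018]Handshake Failed due to an error on the server. [Server message was: "
    "Invalid user credentials: The server doesn't allow client without encryption support.]"
)


def parse_details(message):
    """Return the key: value pairs from a SaslException 'Details' field."""
    match = DETAILS_RE.search(message)
    fields = {}
    for part in (match.group(1).split(",") if match else []):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose(message):
    """Classify a Drill client error; verdict names are hypothetical."""
    mech = MECH_RE.search(message)
    mechanism = mech.group(1) if mech else None
    encrypted = parse_details(message).get("Encryption") == "enabled"
    if encrypted and SECURITY_LAYER.get(mechanism) is False:
        verdict = "mechanism-cannot-encrypt"
    elif NEEDS_ENC_RE.search(message):
        verdict = "server-requires-encryption"
    else:
        verdict = "other"
    return {"mechanism": mechanism, "encryption_in_details": encrypted, "verdict": verdict}


if __name__ == "__main__":
    for name, msg in (("sqlline", SQLLINE_ERROR), ("odbc", ODBC_ERROR)):
        print(name, diagnose(msg))
```

Both verdicts point at the same condition: the connection is expected to be encrypted, and PLAIN as selected by the client cannot provide that.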
