Kerberos authentication for Teradata Presto JDBC driver


gopichand mummineni

Aug 3, 2016, 7:30:24 PM
to Presto
Hi, we're trying to set up Kerberos authentication for Teradata Presto JDBC driver.

Here is our /etc/presto/config.properties

query.max-memory=36GB
http.server.authentication.krb5.service-name=HTTP
http-server.http.port=8081
http-server.https.keystore.path=/etc/presto/keystore.jks
node-scheduler.include-coordinator=false
http-server.https.keystore.key=presto
http.authentication.krb5.config=/etc/krb5.conf
http-server.https.enabled=true
http-server.https.port=8181
http.server.authentication.krb5.keytab=/etc/security/keytabs/presto.HTTP.keytab
http.server.authentication.enabled=true
query.max-memory-per-node=4GB
coordinator=true
discovery-server.enabled=true


And here is what our presto.HTTP.keytab looks like:

klist -kt /etc/security/keytabs/presto.HTTP.keytab
Keytab name: FILE:/etc/security/keytabs/presto.HTTP.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 08/03/16 15:32:09 HTTP/testserver.company.com@HADOOP.COM
   3 08/03/16 15:32:09 HTTP/testserver.company.com@HADOOP.COM
   3 08/03/16 15:32:09 HTTP/testserver.company.com@HADOOP.COM
   3 08/03/16 15:32:09 HTTP/testserver.company.com@HADOOP.COM

And here is our JDBC connection string:

jdbc:presto://testserver.company.com:8181/hive;enableKerberos=true;SSLCertificate=/Users/myuser/dev/keystore.jks;SSLKeyStorePwd=presto;User=myus...@HADOOP.COM;LogPath=/Users/myuser/dev;LogLevel=6


And here is the error we see in presto driver log:

Aug 03 16:00:43.013 TRACE 137 com.teradata.presto.dataengine.PRQueryExecutor.execute(com.teradata.dsi.dataengine.utilities.ExecutionContexts@11e12d74, null): +++++ enter +++++
Aug 03 16:00:43.013 TRACE 137 com.teradata.presto.client.PrestoAPI.execute("SELECT * FROM "system"."information_schema"."tables" WHERE table_schema LIKE '' AND table_name LIKE 'default'"): +++++ enter +++++
Aug 03 16:00:43.013 TRACE 137 com.teradata.presto.client.PRClientUtil.POST("SELECT * FROM "system"."information_schema"."tables" WHERE table_schema LIKE '' AND table_name LIKE 'default'"): +++++ enter +++++
Aug 03 16:00:43.086 TRACE 137 com.teradata.presto.client.PRClientUtil.POST("Error Detected during POST operation"): +++++ enter +++++
Aug 03 16:00:43.087 ERROR 137 com.teradata.exceptions.ExceptionConverter.toSQLException: [Teradata][Presto](100073) Error fetching JSON content: No content to map due to end-of-input
 at [Source: ; line: 1, column: 1].
java.sql.SQLException: [Teradata][Presto](100073) Error fetching JSON content: No content to map due to end-of-input
 at [Source: ; line: 1, column: 1].
at com.teradata.presto.client.PRClientUtil.toJsonNode(Unknown Source)
at com.teradata.presto.client.PrestoAPI.execute(Unknown Source)
at com.teradata.presto.dataengine.PRResultSet.execute(Unknown Source)
at com.teradata.presto.dataengine.PRQueryExecutor.execute(Unknown Source)
at com.teradata.presto.dataengine.metadata.PRQueryMetadataSource.executeQuery(Unknown Source)
at com.teradata.presto.dataengine.metadata.PRTablesMetadataSource.<init>(Unknown Source)
at com.teradata.presto.dataengine.PRDataEngine.makeNewMetadataSource(Unknown Source)
at com.teradata.dsi.dataengine.impl.DSIDataEngine.makeNewMetadataResult(Unknown Source)
at com.teradata.dsi.dataengine.impl.DSIDataEngine.makeNewMetadataResult(Unknown Source)
at com.teradata.presto.core.PRConnection.doConnectionTest(Unknown Source)
at com.teradata.presto.core.PRConnection.connect(Unknown Source)
at com.teradata.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.teradata.jdbc.common.AbstractDriver.connect(Unknown Source)
at workbench.db.DbDriver.connect(DbDriver.java:456)
at workbench.db.ConnectionMgr.connect(ConnectionMgr.java:233)
at workbench.db.ConnectionMgr.getConnection(ConnectionMgr.java:163)
at workbench.gui.components.ConnectionSelector.doConnect(ConnectionSelector.java:233)
Caused by: com.teradata.support.exceptions.GeneralException: [Teradata][Presto](100073) Error fetching JSON content: No content to map due to end-of-input
 at [Source: ; line: 1, column: 1].
... 17 more


Please note that I am using SQL WorkBench on MacOS. I read somewhere in one of the forums that it is because the JDBC driver by default looks for the Kerberos client conf under /etc/krb5.conf on my Mac (not sure why it would do that, especially because we do kinit before we launch the JDBC connection). I added that as well and am still getting the same error.

Please advise.

Rickman, Brian T

Aug 4, 2016, 11:12:31 AM
to presto...@googlegroups.com

This error just indicates that the JDBC driver failed to connect to Presto:

[Teradata][Presto](100073) Error fetching JSON content: No content to map due to end-of-input

 at [Source: ; line: 1, column: 1].

 

Is there anything in the Presto server log for that time?  If there isn’t anything, that would indicate an SSL or network config issue.  

 

Are you able to connect to Presto with Kerberos using the Presto CLI?  Trying that would help to narrow down the source of the problem (Kerberos config vs JDBC driver).

gopichand mummineni

Aug 4, 2016, 12:05:28 PM
to Presto, Brian....@teradata.com
Hi Brian, Thanks much for responding.

Yes, the CLI works just fine without any issues only when running directly on the presto coordinator server itself. But it doesn't work when running from my laptop.

Presto CLI that worked on the server:

[myuser@testserver ~]$ /usr/lib/presto/bin/presto-cli --server https://testserver.company.com:8181 --enable-authentication --krb5-principal myu...@HADOOP.COM --krb5-keytab-path /etc/security/keytabs/myuser.headless.keytab --krb5-remote-service-name HTTP --keystore-path /etc/presto/keystore.jks --keystore-password presto --catalog hive --schema default --debug

Presto CLI that didn't work when run on my laptop:

./presto --server https://testserver.compnay.com:8181 --enable-authentication --krb5-principal myu...@HADOOP.COM --krb5-remote-service-name HTTP --keystore-path ~/dev/keystore.jks --keystore-password presto --catalog hive --schema default --debug
presto:default> select MAX(update_time) from test_db.test_table;
Error running command: Error reading response from server
java.lang.RuntimeException: Error reading response from server
at io.airlift.http.client.FullJsonResponseHandler.readResponseBytes(FullJsonResponseHandler.java:75)
at io.airlift.http.client.FullJsonResponseHandler.handle(FullJsonResponseHandler.java:61)
at io.airlift.http.client.FullJsonResponseHandler.handle(FullJsonResponseHandler.java:35)
at io.airlift.http.client.jetty.JettyHttpClient.execute(JettyHttpClient.java:345)
at com.facebook.presto.client.StatementClient.<init>(StatementClient.java:110)
at com.facebook.presto.cli.QueryRunner.startInternalQuery(QueryRunner.java:82)
at com.facebook.presto.cli.QueryRunner.startQuery(QueryRunner.java:77)
at com.facebook.presto.cli.Console.process(Console.java:287)
at com.facebook.presto.cli.Console.runConsole(Console.java:228)
at com.facebook.presto.cli.Console.run(Console.java:133)
at com.facebook.presto.cli.Presto.main(Presto.java:32)
Caused by: java.io.IOException: java.lang.RuntimeException: Failed to establish LoginContext for request https://testserver.company.com:8181/v1/statement
at org.eclipse.jetty.client.util.InputStreamResponseListener$Input.toIOException(InputStreamResponseListener.java:326)
at org.eclipse.jetty.client.util.InputStreamResponseListener$Input.read(InputStreamResponseListener.java:292)
at com.google.common.io.CountingInputStream.read(CountingInputStream.java:62)
at java.io.FilterInputStream.read(FilterInputStream.java:107)
at com.google.common.io.ByteStreams.copy(ByteStreams.java:70)
at com.google.common.io.ByteStreams.toByteArray(ByteStreams.java:115)
at io.airlift.http.client.FullJsonResponseHandler.readResponseBytes(FullJsonResponseHandler.java:72)
... 10 more
Caused by: java.lang.RuntimeException: Failed to establish LoginContext for request https://testserver.company.com:8181/v1/statement
at io.airlift.http.client.spnego.SpnegoAuthentication$1.apply(SpnegoAuthentication.java:135)
at org.eclipse.jetty.client.AuthenticationProtocolHandler$AuthenticationListener.onComplete(AuthenticationProtocolHandler.java:152)
at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:193)
at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:185)
at org.eclipse.jetty.client.HttpReceiver.terminateResponse(HttpReceiver.java:454)
at org.eclipse.jetty.client.HttpReceiver.responseSuccess(HttpReceiver.java:401)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.messageComplete(HttpReceiverOverHTTP.java:268)
at org.eclipse.jetty.http.HttpParser.parseHeaders(HttpParser.java:1024)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1257)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.parse(HttpReceiverOverHTTP.java:158)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:119)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:69)
at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:90)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:114)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:186)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95)
at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceAndRun(ExecuteProduceConsume.java:246)
at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:156)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:654)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:572)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at io.airlift.http.client.spnego.SpnegoAuthentication.getSession(SpnegoAuthentication.java:197)
at io.airlift.http.client.spnego.SpnegoAuthentication.access$200(SpnegoAuthentication.java:46)
at io.airlift.http.client.spnego.SpnegoAuthentication$1.apply(SpnegoAuthentication.java:108)
... 24 more
presto:default>
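
Added example (not written by any participant in the thread): a Python sketch of the narrowing-down step suggested in the reply, run over the laptop CLI output posted above. It extracts the innermost `Caused by:` entry from the trace and lists the options the working server-side command has that the laptop command lacks; the function names `root_cause` and `missing_flags` are hypothetical, and the trace is a trimmed excerpt of the one in the post.

```python
import shlex

# Excerpt of the laptop CLI trace quoted in the thread (most frames trimmed).
TRACE = """\
java.lang.RuntimeException: Error reading response from server
Caused by: java.io.IOException: java.lang.RuntimeException: Failed to establish LoginContext for request https://testserver.company.com:8181/v1/statement
Caused by: java.lang.RuntimeException: Failed to establish LoginContext for request https://testserver.company.com:8181/v1/statement
at io.airlift.http.client.spnego.SpnegoAuthentication$1.apply(SpnegoAuthentication.java:135)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
"""

# The two invocations from the thread; the principal is elided there and stays elided.
SERVER_CMD = (
    "/usr/lib/presto/bin/presto-cli --server https://testserver.company.com:8181 "
    "--enable-authentication --krb5-principal myu...@HADOOP.COM "
    "--krb5-keytab-path /etc/security/keytabs/myuser.headless.keytab "
    "--krb5-remote-service-name HTTP --keystore-path /etc/presto/keystore.jks "
    "--keystore-password presto --catalog hive --schema default --debug")
LAPTOP_CMD = (
    "./presto --server https://testserver.compnay.com:8181 --enable-authentication "
    "--krb5-principal myu...@HADOOP.COM --krb5-remote-service-name HTTP "
    "--keystore-path ~/dev/keystore.jks --keystore-password presto "
    "--catalog hive --schema default --debug")


def root_cause(trace):
    """Return (class, message, raising frame) for the innermost 'Caused by:' entry."""
    cause = frame = None
    for line in map(str.strip, trace.splitlines()):
        if line.startswith("Caused by: "):
            # A deeper cause replaces the previous one; its frame is not seen yet.
            cause, frame = line[len("Caused by: "):], None
        elif line.startswith("at ") and cause and frame is None:
            frame = line[3:]  # first frame after the cause is where it was raised
    if cause is None:
        return None
    cls, _, msg = cause.partition(": ")
    return cls, msg, frame


def missing_flags(working, failing):
    """Long options present in the working command line but absent from the failing one."""
    opts = lambda cmd: {t for t in shlex.split(cmd) if t.startswith("--")}
    return sorted(opts(working) - opts(failing))


if __name__ == "__main__":
    print(root_cause(TRACE), missing_flags(SERVER_CMD, LAPTOP_CMD))
```

On the thread's data this returns the `LoginException` raised in `Krb5LoginModule.promptForPass` and the single option `--krb5-keytab-path`, which appears only in the server-side command.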