Kerberos now working in Phoenix

Author: cgivre

contrib/storage-phoenix/pom.xml

@@ -193,28 +193,102 @@
           <groupId>log4j</groupId>
           <artifactId>log4j</artifactId>
         </exclusion>
-      </exclusions>
-    </dependency>
-
-    <!-- Helpful for JAAS/Kerberos bits used by secured tests -->
-    <dependency>
-      <groupId>org.apache.hadoop</groupId>
-      <artifactId>hadoop-auth</artifactId>
-      <version>${hadoop.version}</version>
-      <scope>test</scope>
-      <exclusions>
+        <!-- Exclude old Kerby versions to avoid conflicts -->
         <exclusion>
-          <groupId>commons-logging</groupId>
-          <artifactId>commons-logging</artifactId>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-simplekdc</artifactId>
         </exclusion>
         <exclusion>
-          <groupId>log4j</groupId>
-          <artifactId>log4j</artifactId>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-client</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-common</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-core</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-crypto</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.apache.kerby</groupId>
+          <artifactId>kerb-util</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
 
+    <!-- Explicitly add compatible Kerby dependencies for Hadoop 3.4.1 -->
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-simplekdc</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-client</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-common</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-core</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-crypto</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerb-util</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-config</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-asn1</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-pkix</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.kerby</groupId>
+      <artifactId>kerby-util</artifactId>
+      <version>${kerby.version}</version>
+      <scope>test</scope>
+    </dependency>
 
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>1.78.1</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
@@ -230,8 +304,9 @@
             -Xms2048m -Xmx2048m
             --add-opens=java.base/java.lang=ALL-UNNAMED
             --add-opens=java.base/java.util=ALL-UNNAMED
-            -Dhbase.security.authentication=simple
-            -Dhadoop.security.authentication=simple
+            -Djava.net.preferIPv4Stack=true
+            -Dsun.security.krb5.debug=true
+            -Dsun.security.krb5.allowUdp=false
           </argLine>
         </configuration>
       </plugin>

contrib/storage-phoenix/src/test/java/org/apache/drill/exec/store/phoenix/secured/PhoenixEnvironment.java

@@ -37,6 +37,8 @@
 import org.apache.phoenix.query.ConfigurationFactory;
 import org.apache.phoenix.util.InstanceResolver;
 import org.apache.phoenix.util.PhoenixRuntime;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.IOException;
@@ -46,6 +48,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.UUID;
 
 import static org.apache.hadoop.hbase.HConstants.HBASE_DIR;
@@ -80,7 +83,7 @@ public class PhoenixEnvironment {
   static {
     try {
       // uncomment it for debugging purposes
-      // System.setProperty("sun.security.krb5.debug", "true");
+      System.setProperty("sun.security.krb5.debug", "true");
       LOCAL_HOST_REVERSE_DNS_LOOKUP_NAME = InetAddress.getByName("127.0.0.1").getCanonicalHostName();
       String userName = System.getProperty("user.name");
       LOGIN_USER = userName != null ? userName : "securecluster";
@@ -100,6 +103,7 @@ public class PhoenixEnvironment {
   private int numCreatedUsers;
 
   private final String phoenixUrl;
+  private static final Logger logger = LoggerFactory.getLogger(PhoenixEnvironment.class);
 
   private static Configuration conf() {
     Configuration configuration = HBaseConfiguration.create();
@@ -206,49 +210,97 @@ public PhoenixEnvironment(final Configuration confIn, int numberOfUsers, boolean
     ensureIsEmptyDirectory(tempDir);
     ensureIsEmptyDirectory(keytabDir);
     keytab = new File(keytabDir, "test.keytab");
+
     // Start a MiniKDC
-    kdc = util.setupMiniKdc(keytab);
-    // Create a service principal and spnego principal in one keytab
-    // NB. Due to some apparent limitations between HDFS and HBase in the same JVM, trying to
-    // use separate identies for HBase and HDFS results in a GSS initiate error. The quick
-    // solution is to just use a single "service" principal instead of "hbase" and "hdfs"
-    // (or "dn" and "nn") per usual.
-    kdc.createPrincipal(keytab, SPNEGO_PRINCIPAL, PQS_PRINCIPAL, SERVICE_PRINCIPAL);
-    // Start ZK by hand
+    File kdcWorkDir = new File(new File(getTempDir()), "kdc-" + System.currentTimeMillis());
+    ensureIsEmptyDirectory(kdcWorkDir);
+
+    Properties kdcConf = org.apache.hadoop.minikdc.MiniKdc.createConf();
+    kdcConf.setProperty(org.apache.hadoop.minikdc.MiniKdc.KDC_BIND_ADDRESS, "127.0.0.1");
+    kdcConf.setProperty("kdc.tcp.port", "0");
+    kdcConf.setProperty("kdc.allow_udp", "false");
+    kdcConf.setProperty("kdc.encryption.types", "aes128-cts-hmac-sha1-96");
+    kdcConf.setProperty("kdc.fast.enabled", "false");
+    kdcConf.setProperty("kdc.preauth.required", "true");
+    kdcConf.setProperty("kdc.allowable.clockskew", "300000"); // 5m
+    kdcConf.setProperty(org.apache.hadoop.minikdc.MiniKdc.DEBUG, "true");
+
+    kdc = new org.apache.hadoop.minikdc.MiniKdc(kdcConf, kdcWorkDir);
+    kdc.start();
+
+    // Write krb5.conf that disables referrals/canonicalization
+    File krb5File = new File(kdcWorkDir, "krb5.conf");
+    writeKrb5Conf(krb5File.toPath(), kdc.getRealm(), "127.0.0.1", kdc.getPort());
+    System.setProperty("java.security.krb5.conf", krb5File.getAbsolutePath());
+    System.setProperty("sun.security.krb5.allowUdp", "false");
+    System.setProperty("sun.security.krb5.disableReferrals", "true");
+    System.setProperty("java.net.preferIPv4Stack", "true");
+    System.setProperty("sun.security.krb5.debug", "true");
+    System.clearProperty("java.security.krb5.realm"); // avoid env overrides
+    System.clearProperty("java.security.krb5.kdc");
+
+    // Fresh keytab every run; create principals in one shot
+    if (keytab.exists() && !keytab.delete()) {
+      throw new IOException("Couldn't delete old keytab: " + keytab);
+    }
+    keytab.getParentFile().mkdirs();
+
+    // Use a conventional service principal to avoid canonicalization surprises
+    final String SERVICE_PRINCIPAL_LOCAL = "hbase/localhost";
+    final String SPNEGO_PRINCIPAL_LOCAL  = "HTTP/localhost";
+    final String PQS_PRINCIPAL_LOCAL     = "phoenixqs/localhost";
+
+    kdc.createPrincipal(
+        keytab,
+        SPNEGO_PRINCIPAL_LOCAL,
+        PQS_PRINCIPAL_LOCAL,
+        SERVICE_PRINCIPAL_LOCAL
+    );
+  // --- End explicit MiniKDC setup ---
+
+  // Start ZK by hand
     util.startMiniZKCluster();
 
     // Create a number of unprivileged users
     createUsers(numberOfUsers);
 
-    // Set configuration for HBase
-    HBaseKerberosUtils.setPrincipalForTesting(SERVICE_PRINCIPAL + "@" + kdc.getRealm());
+    // HBase ↔ Kerberos wiring: set creds BEFORE setSecuredConfiguration
+    final String servicePrincipal = "hbase/localhost@" + kdc.getRealm();
+
+    conf.set("hadoop.security.authentication", "kerberos");
+    conf.set("hbase.security.authentication", "kerberos");
+
+    conf.set("hbase.master.keytab.file", keytab.getAbsolutePath());
+    conf.set("hbase.regionserver.keytab.file", keytab.getAbsolutePath());
+    conf.set("hbase.master.kerberos.principal", servicePrincipal);
+    conf.set("hbase.regionserver.kerberos.principal", servicePrincipal);
+
+    // Make HBase copy its secured defaults *after* we have principals/keytab in conf
+    HBaseKerberosUtils.setPrincipalForTesting(servicePrincipal);
+    HBaseKerberosUtils.setKeytabFileForTesting(keytab.getAbsolutePath());
     HBaseKerberosUtils.setSecuredConfiguration(conf);
+
+    // HDFS side
     setHdfsSecuredConfiguration(conf);
+
+    // UGI must see kerberos
+    UserGroupInformation.setConfiguration(conf);
+
+    // Preflight: prove the keytab/KDC works *before* we start HBase
+    UserGroupInformation.loginUserFromKeytab(servicePrincipal, keytab.getAbsolutePath());
+    logger.info("UGI login OK for {}", servicePrincipal);
+
     UserGroupInformation.setConfiguration(conf);
+
     conf.setInt(HConstants.MASTER_PORT, 0);
     conf.setInt(HConstants.MASTER_INFO_PORT, 0);
     conf.setInt(HConstants.REGIONSERVER_PORT, 0);
     conf.setInt(HConstants.REGIONSERVER_INFO_PORT, 0);
 
-    conf.set("hadoop.security.authentication", "kerberos");
-    conf.set("hbase.security.authentication", "kerberos");
-
-    File serviceKeytab = getServiceKeytab(); // already generated by your MiniKdc setup
-    String servicePrincipal = HBaseKerberosUtils.getPrincipalForTesting();
-    if (serviceKeytab == null || servicePrincipal == null) {
-      throw new IllegalStateException("MiniKdc did not provide service keytab/principal");
-    }
-
-    conf.set("hbase.master.keytab.file", serviceKeytab.getAbsolutePath());
-    conf.set("hbase.regionserver.keytab.file", serviceKeytab.getAbsolutePath());
-    conf.set("hbase.master.kerberos.principal", servicePrincipal);
-    conf.set("hbase.regionserver.kerberos.principal", servicePrincipal);
-
     // Coprocessors, proxy user configs, etc. (whatever you already have)
     conf.setStrings(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, AccessController.class.getName());
     conf.setStrings(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, AccessController.class.getName());
-    conf.setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,
-        AccessController.class.getName(), TokenProvider.class.getName());
+    conf.setStrings(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, AccessController.class.getName(), TokenProvider.class.getName());
 
     // Clear the cached singletons so we can inject our own.
     InstanceResolver.clearSingletons();
@@ -280,10 +332,47 @@ public Configuration getConfiguration(Configuration confToClone) {
     phoenixUrl = PhoenixRuntime.JDBC_PROTOCOL + ":localhost:" + getZookeeperPort();
   }
 
+  private static void writeKrb5Conf(java.nio.file.Path path, String realm, String host, int port) throws Exception {
+    String cfg =
+        "[libdefaults]\n" +
+            " default_realm = " + realm + "\n" +
+            " dns_lookup_kdc = false\n" +
+            " dns_lookup_realm = false\n" +
+            " dns_canonicalize_hostname = false\n" +
+            " rdns = false\n" +
+            " udp_preference_limit = 1\n" +
+            " default_tkt_enctypes = aes128-cts-hmac-sha1-96\n" +
+            " default_tgs_enctypes = aes128-cts-hmac-sha1-96\n" +
+            " permitted_enctypes   = aes128-cts-hmac-sha1-96\n" +
+            "\n" +
+            "[realms]\n" +
+            " " + realm + " = {\n" +
+            "   kdc = " + host + ":" + port + "\n" +
+            "   admin_server = " + host + ":" + port + "\n" +
+            " }\n";
+    java.nio.file.Files.createDirectories(path.getParent());
+    java.nio.file.Files.write(path, cfg.getBytes(java.nio.charset.StandardCharsets.UTF_8));
+  }
+
+
   public int getZookeeperPort() {
     return util.getConfiguration().getInt(HConstants.ZOOKEEPER_CLIENT_PORT, 2181);
   }
 
+  private static void createPrincipalIfAbsent(MiniKdc kdc, File keytab, String principal) throws Exception {
+    try {
+      kdc.createPrincipal(keytab, principal);
+    } catch (org.apache.kerby.kerberos.kerb.KrbException e) {
+      String msg = e.getMessage();
+      if (msg != null && msg.contains("already exists")) {
+        // Principal is already in the KDC; fine to proceed.
+        // (Keys were generated when it was first created.)
+        return;
+      }
+      throw e;
+    }
+  }
+
   public void stop() throws Exception {
     // Remove our custom ConfigurationFactory for future tests
     InstanceResolver.clearSingletons();