wildfly 10 datasource configuration for CDH Impala using Kerberos authentication failed
dida2 Jan 10, 2019 8:26 AM
We are using wildfly-10.1.0 and we do not know how to configure a datasource that connects (through jdbc driver ClouderaImpalaJDBC41_2.5.43) to a CDH 5.14 Impala using Kerberos authentication.
We tried this way:
in standalone.xml:
<datasource jta="false" jndi-name="java:jboss/datasources/OssaFaultDS" pool-name="OssaFaultDS">
    <connection-url>jdbc:impala://XXXXXXX:21050/ossa?AuthMech=1;KrbRealm=AAA.BBB.CC;KrbHostFQDN=my-proxy;KrbServiceName=impala;LogLevel=6;LogPath=/tmp/</connection-url>
    <driver>impala</driver>
    <pool>…</pool>
    <security>
        <security-domain>security-impala</security-domain>
    </security>
    <validation>
        <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>
        <validate-on-match>false</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>120000</background-validation-millis>
    </validation>
    <timeout>
        <blocking-timeout-millis>300000</blocking-timeout-millis>
    </timeout>
</datasource>
<drivers>
    …
    <driver name="impala" module="com.cloudera.impala">
        <xa-datasource-class>com.cloudera.impala.jdbc41.DataSource</xa-datasource-class>
    </driver>
</drivers>
…
<security-domain name="security-impala" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="keyTab" value="/opt/ossa/ossa.keytab"/>
            <module-option name="principal" value="ossa@AAA.BBB.CC"/>
            <module-option name="useTicketCache" value="false"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="isInitiator" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
        </login-module>
    </authentication>
</security-domain>
But this failed:
Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/OssaFaultDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:563)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 60 more
Caused by: javax.resource.ResourceException: IJ031004: No matching credentials in Subject
at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1137)
at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:219)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1320)
at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:617)
at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:589)
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)
We do not know what this "No matching credentials in Subject" error is about.
Would anybody know whether it is our connection-url and/or our security-domain configuration that is incorrect?
Would anybody have an example of such a datasource configuration for Impala with Kerberos?
Thanks,
Regards