1 Reply Latest reply on Jan 10, 2019 8:26 AM by Did A

    wildfly 10 datasource configuration for CDH Impala using Kerberos authentication failed

    Did A Newbie

      We are using wildfly-10.1.0 and we do not know how to configure a datasource that connects (through the JDBC driver ClouderaImpalaJDBC41_2.5.43) to a CDH 5.14 Impala using Kerberos authentication.

       

      We tried this way:

      In standalone.xml:

       

      <datasource jta="false" jndi-name="java:jboss/datasources/OssaFaultDS" pool-name="OssaFaultDS">

          <connection-url>jdbc:impala://XXXXXXX:21050/ossa?AuthMech=1;KrbRealm=AAA.BBB.CC;KrbHostFQDN=my-proxy;KrbServiceName=impala;LogLevel=6;LogPath=/tmp/

          </connection-url>

         <driver>impala</driver>

         <pool>…</pool>

         <security>

            <security-domain>security-impala</security-domain>

         </security>

         <validation>

            <check-valid-connection-sql>SELECT 1</check-valid-connection-sql>

            <validate-on-match>false</validate-on-match>

            <background-validation>true</background-validation>

            <background-validation-millis>120000</background-validation-millis>

         </validation>

         <timeout>

            <blocking-timeout-millis>300000</blocking-timeout-millis>

         </timeout>

      </datasource>

       

      <drivers>

         <driver name="impala" module="com.cloudera.impala">

            <xa-datasource-class>com.cloudera.impala.jdbc41.DataSource</xa-datasource-class>

         </driver>

      </drivers>

      <security-domain name="security-impala" cache-type="default">

         <authentication>

           <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">

             <module-option name="storeKey" value="true"/>

             <module-option name="useKeyTab" value="true"/>

             <module-option name="keyTab" value="/opt/ossa/ossa.keytab"/> 

             <module-option name="principal" value="ossa@AAA.BBB.CC"/>

             <module-option name="useTicketCache" value="false"/>

             <module-option name="debug" value="true"/>

             <module-option name="refreshKrb5Config" value="true"/>

             <module-option name="isInitiator" value="true"/>

             <module-option name="doNotPrompt" value="true"/> 

           </login-module>

         </authentication>

      </security-domain>

       

      But this failed:

      Caused by: javax.resource.ResourceException: IJ000453: Unable to get managed connection for java:jboss/datasources/OssaFaultDS

                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:656)

                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:563)

                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:747)

                      at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)

                      ... 60 more            

      Caused by: javax.resource.ResourceException: IJ031004: No matching credentials in Subject

                      at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:1137)

                      at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:219)

                      at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1320)

                      at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:496)

                      at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:617)

                      at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:589)

                      at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:590)

       

      We do not know what this "No matching credentials in Subject" error is about.

      Would anybody know whether it is our connection-url and/or our security-domain configuration that is incorrect?

      Would anybody have an example of such a data source configuration for Impala with Kerberos?

       

      Thanks,

      Regards