HDP 2.0 + Kerberos + 906 Issue


This topic contains 6 replies, has 3 voices, and was last updated by  Yi Zhang 2 months, 2 weeks ago.

  • #53361

    senthil kumar
    Participant

    Hi All
    I am trying to connect to HDFS with Kerberos using Java code. For me kinit, klist and other HDFS commands work well too. But when I write Java code for the same, I am facing the error below.
    2014-05-09 15:54:52,304 ERROR [main] security.UserGroupInformation (UserGroupInformation.java:doAs(1494)) – PriviledgedActionException as:XXXXX (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    2014-05-09 15:54:52,306 WARN [main] ipc.Client (Client.java:run(615)) – Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    2014-05-09 15:54:52,306 ERROR [main] security.UserGroupInformation (UserGroupInformation.java:doAs(1494)) – PriviledgedActionException as:adcwq3b (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    2014-05-09 15:54:52,312 ERROR [main] security.UserGroupInformation (UserGroupInformation.java:doAs(1494)) – PriviledgedActionException as:adcwq3b (auth:KERBEROS) cause:java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]; Host Details : local host is: “XXXXXXX/10.X.X.X/10.X.X.X”; destination host is: “fqdnOfNN”:8020;
    java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]; Host Details : local host is: “XXXXXXX/10.X.X.X”; destination host is: “fqdnOfNN”:8020;
    at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:764)
    ……….Caused by: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    ……….Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
    ……….Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
    ……….Caused by: KrbException: Server not found in Kerberos database (7)
    ……….Caused by: KrbException: Identifier doesn’t match expected value (906)

    Some forums talk about the non-existence of an LDAP record in /etc/hosts. Please confirm the same.

    Thanks

Viewing 6 replies - 1 through 6 (of 6 total)


  • #53808

    Yi Zhang
    Moderator

    Hi Senthil,

    Looks like you would like this:

    https://issues.apache.org/jira/browse/HADOOP-10342

    Can you check your email and discuss this with us further?

    Thanks,
    Yi

    #53801

    senthil kumar
    Participant

    Andrew,
    Thanks for the info. Is this the right way to do it in production? Why don't we do the authentication like JAAS? For example, I want to write the file using a webapp. This approach mandates that I install Kerberos and run k5start or kinit on all my app servers.
    The requirement has become very simple for us: we need to do the same without the krb5 command-line tools.
    Let me know.

    Thanks
    Senthil

    #53800

    Andrew Grande
    Participant

    Hi Senthil,

    Kerberos supports renewing the tickets natively, please check out the ‘kstart’ man pages: http://linux.die.net/man/1/k5start

    Let me know how it goes,
    Andrew

    #53658

    senthil kumar
    Participant

    Yi,
    Thanks for the reply. We are looking to log in without using the ticket cache, by using a login ID and password. It's to recreate a production ENV. We don't want to run a cron job to refresh the ticket.

    Thanks
    Senthil

    #53656

    Yi Zhang
    Moderator

    Hi Senthil,

    HADOOP_USER_NAME is deprecated.

    I assume you are getting the user's Kerberos credentials from the ticket cache, with UserGroupInformation getting the login from the ticket cache; can you try commenting out some lines:

    String userName = "xxx@xx.xxx";
    char[] password = "xxxxx".toCharArray();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("HADOOP_USER_NAME", "xxx");

    Thanks,
    Yi

    #53362

    senthil kumar
    Participant

    Please find the sample snippet for the same.

    String userName = "xxx@xx.xxx";
    char[] password = "xxxxx".toCharArray();
    final String dir = "/USER/xxx/DIR1";
    // Point JAAS at the login configuration file and set the Kerberos realm and KDC
    System.setProperty("java.security.auth.login.config", ClassLoader.getSystemResource("kerberos_sample.conf").toExternalForm());
    System.setProperty("java.security.krb5.realm", "xxxxxx");
    System.setProperty("java.security.krb5.kdc", "xxxxxx");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    System.setProperty("HADOOP_USER_NAME", "xxx");
    try {
        // JAAS login with the user name and password supplied through the callback handler
        LoginContext lc = new LoginContext("primaryLoginContext", new UserNamePasswordCallbackHandler(userName, password));
        lc.login();
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        ugi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
        final Configuration conf = new Configuration();
        conf.set("fs.default.name", "xxxxxxxx");
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("dfs.namenode.kerberos.principal", "nn/xxx@xxxx");
        ugi.setConfiguration(conf);
        // Run the HDFS calls under the UGI
        ugi.doAs(new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                FileSystem fs = FileSystem.get(conf);
                Path path = new Path(dir);
                if (fs.exists(path)) {
                    System.out.println("Dir " + dir + " already exists!");
                    return null;
                }
                fs.mkdirs(path);
                fs.close();
                return null;
            }
        });
    } catch (Exception le) {
        le.printStackTrace();
    }

    Thanks
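
The snippet above refers to a `primaryLoginContext` JAAS entry and a `UserNamePasswordCallbackHandler` that the thread never shows. As an added example (not code from any poster or from Hadoop), here is one way to write the password-based login the thread asks for using only JDK classes; the class and method names are hypothetical, and the login module class name assumes an Oracle/OpenJDK runtime.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

// Added example: hypothetical class, not part of the original thread.
public class PasswordKerberosLogin {
    // In-memory equivalent of a one-entry JAAS file; returns the same entry for any name.
    static Configuration jaasConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "false"); // do not read a kinit/k5start ticket cache
        opts.put("useKeyTab", "false");      // credentials come from the callback handler
        opts.put("doNotPrompt", "false");    // let the module invoke the callback handler
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Answers the module's name and password callbacks and rejects anything else.
    static CallbackHandler handler(String principal, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Requests a TGT from the KDC set in krb5.conf or the java.security.krb5.* properties.
    static Subject login(String principal, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("primaryLoginContext", null,
            handler(principal, password), jaasConfig());
        lc.login();
        return lc.getSubject();
    }
}
```

The returned `Subject` holds the Kerberos ticket; handing it to Hadoop is outside this example. `PasswordCallback.setPassword` copies the array, so the caller can zero its own copy once `login()` returns.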
