falcon-dev mailing list archives

From Seetharam Venkatesh <venkat...@innerzeal.com>
Subject Re: Falcon CLI throws exception when hadoop security enabled
Date Thu, 10 Jul 2014 20:56:42 GMT
I'm having a separate conversation with Claudia and have observed that the
keytab for SPNEGO does not have the HTTP principal. It's a setup issue.


On Thu, Jul 10, 2014 at 9:51 PM, Arpit Gupta <arpit@hortonworks.com> wrote:

> This is probably related to having the wrong principal configured for
> spnego principal.
>
> SPNEGO protocol states that if your hostname is abcd.com the spnego
> principal it will try to connect to is HTTP/abcd.com.
>
> I think the spnego principal that is configured in the falcon properties
> does not map to the above guidelines. Hence when the client tries to
> authenticate kdc it does not find the HTTP/abcd.com logged in as the
> falcon server logged in for the other user.
>
> --
> Arpit Gupta
> Hortonworks Inc.
> http://hortonworks.com/
>
> On Jul 10, 2014, at 9:02 AM, Seetharam Venkatesh <
> venkatesh@hortonworks.com> wrote:
>
> > Please send the configs and logs so I can see what's the issue. Very hard to
> > debug with information in the email.
> >
> >
> > On Thu, Jul 10, 2014 at 8:19 PM, Shwetha GS <shwetha.gs@inmobi.com> wrote:
> >
> >> The error is specific to Kerberos authentication, probably something
> >> related to setup.
> >>
> >> Venkatesh, can you check this?
> >>
> >>> On Jul 10, 2014, at 7:36 PM, Claudia Nunez <cinunez@yahoo-inc.com.INVALID> wrote:
> >>>
> >>> I'm having the same problem. What do you mean it should be executed as end
> >>> user? Why don't we see this error when using simple authentication?
> >>>
> >>> Thanks
> >>>
> >>> -Claudia
> >>>
> >>>> On 7/10/14, 12:35 AM, "Shwetha GS" <shwetha.gs@inmobi.com> wrote:
> >>>>
> >>>> cli command should be executed as end user
> >>>>
> >>>>
> >>>> On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <veramacha@yahoo.com.invalid> wrote:
> >>>>
> >>>>> correction -- after kinit (using falcon user principal), when I run the
> >>>>> command, I get "server not found exception". Looks like something to do with
> >>>>> Kerberos.
> >>>>>
> >>>>> What kerberos principal should I use when calling CLI command? --
> >>>>> end-user, HTTP or falcon user?
> >>>>>
> >>>>> Thanks
> >>>>> Venkat
> >>>>>
> >>>>>
> >>>>>
> >>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
> >>>>>       at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
> >>>>>       at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
> >>>>>       at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> >>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> >>>>>       at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> >>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
> >>>>>       ... 3 more
> >>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> >>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> >>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> >>>>>       at java.security.AccessController.doPrivileged(Native Method)
> >>>>>       at javax.security.auth.Subject.doAs(Subject.java:396)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> >>>>>       ... 6 more
> >>>>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> >>>>>       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> >>>>>       at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> >>>>>       at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> >>>>>       at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> >>>>>       at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
> >>>>>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> >>>>>       ... 13 more
> >>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
> >>>>>       at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> >>>>>       at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> >>>>>       at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> >>>>>       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> >>>>>       ... 18 more
> >>>>> Error: Unable to initialize Falcon Client object
> >>>>>
> >>>>>
> >>>>> On Wednesday, July 9, 2014 9:55 PM, Venkat R <veramacha@yahoo.com.INVALID> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> Hi All,
> >>>>>
> >>>>> Running bin/falcon admin -status throws the following GSSException.
> >>>>> I have enabled Kerberos for service and SPNEGO (disabled SSL and bin/falcon-start -port 15000).
> >>>>> I'm able to access the falcon URL via Firefox, but not via CLI.
> >>>>> Is there something I'm missing, any parameter while calling CLI?
> >>>>>
> >>>>> appreciate any help.
> >>>>> Thanks
> >>>>>
> >>>>> ---- startup.properties ----
> >>>>>
> >>>>> *.falcon.authentication.type=kerberos
> >>>>> ##### Service Configuration
> >>>>> *.falcon.service.authentication.kerberos.principal=dm/_HOST@GRID.EXAMPLE.COM
> >>>>> *.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> >>>>> *.dfs.namenode.kerberos.principal=hdfs/_HOST@GRID.EXAMPLE.COM
> >>>>>
> >>>>> ##### SPNEGO Configuration
> >>>>> *.falcon.http.authentication.type=kerberos
> >>>>> *.falcon.http.authentication.kerberos.principal=HTTP/_HOST@GRID.EXAMPLE.COM
> >>>>> *.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> >>>>> *.falcon.http.authentication.token.validity=36000
> >>>>> *.falcon.http.authentication.signature.secret=falcon
> >>>>> *.falcon.http.authentication.simple.anonymous.allowed=true
> >>>>> *.falcon.http.authentication.kerberos.name.rules=DEFAULT
> >>>>> *.falcon.http.authentication.blacklisted.users=
> >>>>>
> >>>>> ######### Authentication Properties #########
> >>>>> falcon.enableTLS=false
> >>>>>
> >>>>>
> >>>>> ---- Exception --------------
> >>>>>
> >>>>> FalconURL -> http://localhost:15000/
> >>>>> Property: falcon.url = http://localhost:15000/
> >>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
> >>>>>       at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
> >>>>>       at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
> >>>>>       at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> >>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> >>>>>       at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> >>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
> >>>>>       ... 3 more
> >>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> >>>>>       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> >>>>>       at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> >>>>>       at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> >>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> >>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> >>>>>       at java.security.AccessController.doPrivileged(Native Method)
> >>>>>       at javax.security.auth.Subject.doAs(Subject.java:396)
> >>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> >>>>>       ... 6 more
> >>>>> Error: Unable to initialize Falcon Client object
> >>>>
> >>>
> >>
> >>
> >
> >
> >
> > --
> > Regards,
> > Venkatesh
> > Hortonworks, Inc.
> >
>
>
>



-- 
Regards,
Venkatesh

“Perfection (in design) is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.”
- Antoine de Saint-Exupéry
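The two setup checks this thread converges on, as an added example that is not part of the original messages or of Falcon's code: does the SPNEGO keytab hold the expanded HTTP principal, and does the host in falcon.url yield the same principal the server uses. The server hostname falcon01.grid.example.com and the `klist -kt` listing are constructed, and the client is assumed to request HTTP/<host in falcon.url> in the server's realm, as Arpit describes.

```python
from urllib.parse import urlparse

# Constructed `klist -kt` listing for the keytab both properties point at;
# as reported in the thread, it has no HTTP/ entry.
KLIST_OUTPUT = """\
Keytab name: FILE:/export/apps/hadoop/keytabs/dm.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   1 07/09/2014 18:02:11 dm/falcon01.grid.example.com@GRID.EXAMPLE.COM
"""

def keytab_principals(klist_text):
    """Return the set of principals listed by `klist -kt`."""
    found = set()
    for line in klist_text.splitlines():
        fields = line.split()
        # Entry rows start with the numeric key version number (KVNO).
        if fields and fields[0].isdigit():
            found.add(fields[-1])
    return found

def expand_host(principal, server_fqdn):
    """Expand the _HOST placeholder with the server's lower-cased FQDN."""
    return principal.replace("_HOST", server_fqdn.lower())

def client_spn(falcon_url, realm):
    """SPN the client asks the KDC for (assumption: HTTP/<URL host>@realm)."""
    return "HTTP/%s@%s" % (urlparse(falcon_url).hostname, realm)

def check_spnego(configured, server_fqdn, falcon_url, klist_text):
    """Return a list of findings; an empty list means the setup is consistent."""
    server_spn = expand_host(configured, server_fqdn)
    realm = server_spn.rsplit("@", 1)[1]
    wanted = client_spn(falcon_url, realm)
    findings = []
    if server_spn not in keytab_principals(klist_text):
        findings.append("keytab has no entry for " + server_spn)
    if wanted != server_spn:
        findings.append("client will request %s, server is %s" % (wanted, server_spn))
    return findings

if __name__ == "__main__":
    # Values from the startup.properties and falcon.url quoted in the thread.
    for finding in check_spnego("HTTP/_HOST@GRID.EXAMPLE.COM",
                                "falcon01.grid.example.com",
                                "http://localhost:15000/", KLIST_OUTPUT):
        print("FAIL:", finding)
```

On a real host, feed it the output of `klist -kt` for the keytab named in `*.falcon.http.authentication.kerberos.keytab`.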
