falcon-dev mailing list archives

From Claudia Nunez <cinu...@yahoo-inc.com.INVALID>
Subject Re: Falcon CLI throws exception when hadoop security enabled
Date Thu, 10 Jul 2014 14:06:15 GMT
I'm having the same problem. What do you mean it should be executed as end
user? Why don't we see this error when using simple authentication?

Thanks

-Claudia

On 7/10/14, 12:35 AM, "Shwetha GS" <shwetha.gs@inmobi.com> wrote:

>cli command should be executed as end user
>
>
>On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <veramacha@yahoo.com.invalid>
>wrote:
>
>> correction -- after kinit (using falcon user principal), when I run the
>> command, I get "server not found exception". Looks like something to do
>> with Kerberos.
>>
>> What kerberos principal should I use when calling CLI command? --
>> end-user, HTTP or falcon user?
>>
>> Thanks
>> Venkat
>>
>>
>>
>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>         at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>>         at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>>         at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>>         at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>>         at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>>         at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>>         ... 3 more
>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAs(Subject.java:396)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>>         ... 6 more
>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
>>         at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
>>         at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
>>         at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
>>         at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
>>         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
>>         ... 13 more
>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
>>         at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
>>         at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
>>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
>>         ... 18 more
>> Error: Unable to initialize Falcon Client object
>>
>>
>> On Wednesday, July 9, 2014 9:55 PM, Venkat R <veramacha@yahoo.com.INVALID>
>> wrote:
>>
>>
>>
>> Hi All,
>>
>> Running
>> bin/falcon admin -status
>> throws the following GSSException.
>> I have enabled kerberos for service and SPNEGO (disabled SSL and
>> bin/falcon-start -port 15000).
>> I'm able to access the falcon URL via Firefox, but not via CLI.
>> Is there something I'm missing, any parameter while calling CLI?
>>
>> Appreciate any help.
>> Thanks
>>
>> ---- startup.properties ----
>>
>>
>> *.falcon.authentication.type=kerberos
>> ##### Service Configuration
>> *.falcon.service.authentication.kerberos.principal=dm/_HOST@GRID.EXAMPLE.COM
>> *.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
>> *.dfs.namenode.kerberos.principal=hdfs/_HOST@GRID.EXAMPLE.COM
>>
>> ##### SPNEGO Configuration
>> *.falcon.http.authentication.type=kerberos
>> *.falcon.http.authentication.kerberos.principal=HTTP/_HOST@GRID.EXAMPLE.COM
>> *.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
>> *.falcon.http.authentication.token.validity=36000
>> *.falcon.http.authentication.signature.secret=falcon
>> *.falcon.http.authentication.simple.anonymous.allowed=true
>> *.falcon.http.authentication.kerberos.name.rules=DEFAULT
>> *.falcon.http.authentication.blacklisted.users=
>>
>> ######### Authentication Properties #########
>> falcon.enableTLS=false
>>
>>
>> ---- Exception --------------
>>
>>
>> FalconURL -> http://localhost:15000/
>> Property: falcon.url = http://localhost:15000/
>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>         at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>>         at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>>         at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>>         at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>>         at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>>         at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>>         ... 3 more
>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
>>         at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
>>         at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
>>         at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
>>         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at javax.security.auth.Subject.doAs(Subject.java:396)
>>         at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>>         ... 6 more
>> Error: Unable to initialize Falcon Client object
>>
>
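
Added example, not part of the thread or of Falcon: a shell triage of the two GSSException messages quoted above. It assumes the Hadoop SPNEGO client requests a ticket for HTTP/<host of falcon.url>, so a URL host with no matching HTTP/ entry in the KDC (localhost, a bare IP, a short name) would produce UNKNOWN_SERVER; all function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not Falcon's.

# Service principal a SPNEGO client asks the KDC for: HTTP/<url host>.
spn_for_url() {
    host=$(printf '%s\n' "$1" |
        sed -E 's#^[a-zA-Z]+://##; s#[/:].*$##' | tr 'A-Z' 'a-z')
    printf 'HTTP/%s\n' "$host"
}

# Classify the URL host: KDC entries such as HTTP/_HOST@REALM are
# registered per fully qualified host name, not per loopback name or IP.
url_host_risk() {
    spn=$(spn_for_url "$1"); host=${spn#HTTP/}
    case "$host" in
        localhost|localhost.*) echo "loopback-name" ;;
        *[!0-9.]*)
            case "$host" in *.*) echo "ok" ;; *) echo "short-name" ;; esac ;;
        *) echo "ip-literal" ;;
    esac
}

# Map the GSSException text to the stage that failed.
classify_gss_error() {
    case "$1" in
        *"Failed to find any Kerberos tgt"*) echo "no-tgt" ;;
        *"Server not found in Kerberos database"*) echo "unknown-spn" ;;
        *) echo "other" ;;
    esac
}

# $1 = falcon.url, $2 = first line of the CLI exception
diagnose() {
    case "$(classify_gss_error "$2")" in
        no-tgt) echo "no TGT in credential cache: kinit as the end user, then retry" ;;
        unknown-spn) echo "KDC has no entry for $(spn_for_url "$1") (URL host: $(url_host_risk "$1"))" ;;
        *) echo "not a Kerberos credential or SPN error" ;;
    esac
}

# URL and messages as quoted in the thread above.
URL='http://localhost:15000/'
diagnose "$URL" 'GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)'
diagnose "$URL" 'GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)'
```

On a host with a ticket cache, `klist` shows which client principal is in use and whether a service ticket for the derived HTTP/ principal was ever obtained.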

