falcon-dev mailing list archives

From Arpit Gupta <ar...@hortonworks.com>
Subject Re: Falcon CLI throws exception when hadoop security enabled
Date Thu, 10 Jul 2014 16:21:21 GMT
This is probably related to having the wrong principal configured for spnego principal.

SPNEGO protocol states that if your hostname is abcd.com the spnego principal it will try
to connect to is HTTP/abcd.com. 

I think the spnego principal that is configured in the falcon properties does not map to the
above guidelines. Hence when the client tries to authenticate kdc it does not find the HTTP/abcd.com
logged in as the falcon server logged in for the other user.

--
Arpit Gupta
Hortonworks Inc.
http://hortonworks.com/

On Jul 10, 2014, at 9:02 AM, Seetharam Venkatesh <venkatesh@hortonworks.com> wrote:

> Please send the configs and logs so I can see what's the issue. Very hard to
> debug with information in the email.
> 
> 
> On Thu, Jul 10, 2014 at 8:19 PM, Shwetha GS <shwetha.gs@inmobi.com> wrote:
> 
>> The error is specific to Kerberos authentication, probably something
>> related to setup.
>> 
>> Venkatesh, can you check this?
>> 
>>> On Jul 10, 2014, at 7:36 PM, Claudia Nunez <cinunez@yahoo-inc.com.INVALID> wrote:
>>> 
>>> I'm having the same problem. What do you mean it should be executed as end
>>> user? Why don't we see this error when using simple authentication?
>>> 
>>> Thanks
>>> 
>>> -Claudia
>>> 
>>>> On 7/10/14, 12:35 AM, "Shwetha GS" <shwetha.gs@inmobi.com> wrote:
>>>> 
>>>> cli command should be executed as end user
>>>> 
>>>> 
>>>> On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <veramacha@yahoo.com.invalid> wrote:
>>>> 
>>>>> correction -- after kinit (using falcon user principal), when I run the
>>>>> command, I get "server not found exception". Looks like something to do with
>>>>> Kerberos.
>>>>> 
>>>>> What kerberos principal should I use when calling CLI command? --
>>>>> end-user, HTTP or falcon user?
>>>>> 
>>>>> Thanks
>>>>> Venkat
>>>>> 
>>>>> 
>>>>> 
>>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>>>>>       at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>>>>>       at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>>>>>       at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
>>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>>>>>       at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>>>>>       ... 3 more
>>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>>>>>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
>>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
>>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>       at javax.security.auth.Subject.doAs(Subject.java:396)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>>>>>       ... 6 more
>>>>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
>>>>>       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
>>>>>       at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
>>>>>       at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
>>>>>       at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
>>>>>       at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
>>>>>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
>>>>>       ... 13 more
>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>       at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
>>>>>       at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
>>>>>       at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
>>>>>       at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
>>>>>       ... 18 more
>>>>> Error: Unable to initialize Falcon Client object
>>>>> 
>>>>> 
>>>>> On Wednesday, July 9, 2014 9:55 PM, Venkat R <veramacha@yahoo.com.INVALID> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> Hi All,
>>>>> 
>>>>> Running bin/falcon admin -status throws the following GSSException.
>>>>> I have enabled kerberos for service and SPNEGO (disabled SSL and bin/falcon-start -port 15000).
>>>>> I'm able to access the falcon URL via Firefox, but not via CLI.
>>>>> Is there something I'm missing, any parameter while calling CLI?
>>>>> 
>>>>> Appreciate any help.
>>>>> Thanks
>>>>> 
>>>>> ---- startup.properties ----
>>>>> 
>>>>> *.falcon.authentication.type=kerberos
>>>>> ##### Service Configuration
>>>>> *.falcon.service.authentication.kerberos.principal=dm/_HOST@GRID.EXAMPLE.COM
>>>>> *.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
>>>>> *.dfs.namenode.kerberos.principal=hdfs/_HOST@GRID.EXAMPLE.COM
>>>>> 
>>>>> ##### SPNEGO Configuration
>>>>> *.falcon.http.authentication.type=kerberos
>>>>> *.falcon.http.authentication.kerberos.principal=HTTP/_HOST@GRID.EXAMPLE.COM
>>>>> *.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
>>>>> *.falcon.http.authentication.token.validity=36000
>>>>> *.falcon.http.authentication.signature.secret=falcon
>>>>> *.falcon.http.authentication.simple.anonymous.allowed=true
>>>>> *.falcon.http.authentication.kerberos.name.rules=DEFAULT
>>>>> *.falcon.http.authentication.blacklisted.users=
>>>>> 
>>>>> ######### Authentication Properties #########
>>>>> falcon.enableTLS=false
>>>>> 
>>>>> 
>>>>> ---- Exception --------------
>>>>> 
>>>>> FalconURL -> http://localhost:15000/
>>>>> Property: falcon.url = http://localhost:15000/
>>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>>>>>       at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>>>>>       at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>>>>>       at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
>>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>>>>>       at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>>>>>       at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>>>>>       ... 3 more
>>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>>>       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
>>>>>       at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
>>>>>       at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
>>>>>       at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
>>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
>>>>>       at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>       at javax.security.auth.Subject.doAs(Subject.java:396)
>>>>>       at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>>>>>       ... 6 more
>>>>> Error: Unable to initialize Falcon Client object
>>>> 
>>> 
>> 
>> 
> 
> 
> 
> -- 
> Regards,
> Venkatesh
> Hortonworks, Inc.
> 


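The principal mapping described in the reply at the top of this thread can be checked before involving the KDC. The script below is an added example, not part of the thread or of Falcon's code: it derives the `HTTP/<host>` principal a SPNEGO client would request for a URL, expands `_HOST` in the configured server principal, and looks for the result in a `klist -kt` listing. The function names, the server FQDN `falcon01.grid.example.com` and the keytab listing are constructed for illustration; it assumes the client uses the URL host exactly as typed and that the realm is supplied explicitly.

```shell
#!/bin/sh
# Added example: compare the SPN a SPNEGO client asks for with what the
# server is configured for and what its keytab actually holds.

# spnego_spn URL REALM -> HTTP/<host>@REALM, host taken from the URL as typed
spnego_spn() {
    host=${1#*://}      # drop the scheme
    host=${host%%/*}    # drop the path
    host=${host%%:*}    # drop the port
    printf 'HTTP/%s@%s\n' "$host" "$2"
}

# expand_host PRINCIPAL FQDN -> principal with _HOST replaced by the server FQDN
expand_host() {
    printf '%s\n' "$1" | sed "s/_HOST/$2/"
}

# keytab_has LISTING SPN -> succeeds if a `klist -kt` listing names the principal
keytab_has() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# check_spnego URL REALM CONFIGURED_PRINCIPAL SERVER_FQDN KEYTAB_LISTING
check_spnego() {
    want=$(spnego_spn "$1" "$2")
    have=$(expand_host "$3" "$4")
    if [ "$want" != "$have" ]; then
        echo "MISMATCH client=$want server=$have"
    elif ! keytab_has "$5" "$want"; then
        echo "MISSING_IN_KEYTAB $want"
    else
        echo "OK $want"
    fi
}

# Constructed `klist -kt` listing: a keytab holding only the dm/ service principal.
LISTING='KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   1 07/10/14 09:00:00 dm/falcon01.grid.example.com@GRID.EXAMPLE.COM'

# falcon.url and the SPNEGO principal are the values quoted in the thread.
check_spnego http://localhost:15000/ GRID.EXAMPLE.COM \
    'HTTP/_HOST@GRID.EXAMPLE.COM' falcon01.grid.example.com "$LISTING"
check_spnego http://falcon01.grid.example.com:15000/ GRID.EXAMPLE.COM \
    'HTTP/_HOST@GRID.EXAMPLE.COM' falcon01.grid.example.com "$LISTING"
```

On a real host the listing would come from `klist -kt` run against the keytab named in `*.falcon.http.authentication.kerberos.keytab`.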
