hadoop-hdfs-issues mailing list archives

From "Valluri, Sathish" <sathish.vall...@emc.com>
Subject webhdfs kerberos not working with multiple users
Date Wed, 09 Jul 2014 14:14:27 GMT


We are facing an issue with multiple credentials present in the Kerberos
credential cache: when other users try to connect, curl fails and throws an
error, expecting only the user from the primary cache.

We have 2 different principals, each attached to the same realm, and when
trying to connect using curl, it always loads the primary cache, does not
search for other credentials in the cache, and fails.


klist -A output snippet showing 2 different credentials:

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/
            renew until 07/09/14 18:31:12

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/pivhdsne.krbnet@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/
            renew until 07/09/14 18:30:54


Here our cache has 2 users, gpadmin and hdfs. When the user tries to connect
as the gpadmin user, curl works fine, and when the user switches to hdfs, curl
fails with an error. Is there any way to provide the username parameter in the
curl negotiate? Even though we are providing the user in -u hdfs:, it is not
considering the curl user and authentication fails.


curl -i --negotiate  -u hdfs: "

HTTP/1.1 401 
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1358
Server: Jetty(7.6.10.v20130312)

HTTP/1.1 401 Unauthorized
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Cache-Control: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=gpadmin&p=
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(7.6.10.v20130312)

ng.SecurityException","message":"Failed to obtain user group information:
java.io.IOException: Usernames not matched: name=hdfs != expected=gpadmin"}}


Can anyone suggest how to make the curl library scan the Kerberos directory
cache and load the proper principal for the particular user?

Are there any options required on the webhdfs front to support multiple
users with Kerberos?



Sathish Valluri
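
Added example, not part of the original message: one way to make a single curl call use a chosen principal is to look up that principal's cache in the `klist -A` listing and set KRB5CCNAME to it for that command only. It assumes MIT krb5, where a DIR::/path/tktXXXXXX name refers to one specific cache in the directory collection; the function names, the WEBHDFS_URL placeholder and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed `klist -A` listing modelled on the one in the
# message; the krbtgt service names are sample values, not taken from it.
sample_klist() {
cat <<'EOF'
Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/pivhdsne.krbnet@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
EOF
}

# Read `klist -A` text on stdin and print the cache whose default principal
# is exactly $1. Exit status 1 when no cache in the collection matches.
cache_for_principal() {
    awk -v want="$1" '
        /^Ticket cache: / { cache = substr($0, 15) }
        /^Default principal:/ {
            p = $0
            sub(/^Default principal:[ \t]*/, "", p)
            sub(/[ \t\r]+$/, "", p)
            if (p == want) { print cache; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    '
}

# Run a command with KRB5CCNAME set to that one cache, for this command only,
# so the primary cache of the collection is left unchanged for other users.
with_principal() {
    principal=$1; shift
    cc=$(klist -A 2>/dev/null | cache_for_principal "$principal") || {
        echo "no ticket cache found for $principal" >&2
        return 1
    }
    KRB5CCNAME="$cc" "$@"
}

# Usage; WEBHDFS_URL is a placeholder for the request URL:
#   with_principal hdfs/pivhdsne.krbnet@EXAMPLE.COM \
#       curl -i --negotiate -u : "$WEBHDFS_URL"
```

With curl's --negotiate, the -u argument only activates the authentication code, so the principal comes from the credential cache rather than from the name given to -u.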
