hadoop-mapreduce-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jingfei Hu <jingfei...@hotmail.com>
Subject RE: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
Date Tue, 27 Oct 2015 01:50:42 GMT
HI Gaurav, 

I would appreciate that if you can give me a little more steps to
troubleshoot where I am doing wrong. Thank you very much.

 

Jingfei

 

From: Jingfei Hu [mailto:jingfei_hu@hotmail.com] 
Sent: Thursday, October 22, 2015 11:20 PM
To: user@hadoop.apache.org
Subject: RE: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

 

Hi Gaurav,

 

ON which machine I should install the Kerberos client libraries?

 

On which machine I execute the kinit command?

 

Can't users just provide a username and password whenever He/She needs
access a hdfs using webhdfs? In most cases, people have no or little
knowledge about the kinit command.  Is my understanding right?

 

Thanks,

Jingfei

  _____  

Date: Thu, 22 Oct 2015 17:33:14 +0530
Subject: Re: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)
From: gauravkumar37@gmail.com <mailto:gauravkumar37@gmail.com> 
To: user@hadoop.apache.org <mailto:user@hadoop.apache.org> 

Hi,

Assuming you have Kerberos client libraries installed on your machine and
that you have the correct configuration to point to the Kerberos KDC.

You'll need to first do a kinit to authenticate to the Kerberos KDC and then
when you do a curl you'll no longer see the error.

At any time you can check your active tokens by executing klist -e





Best Regards,
Gaurav Kumar
Big Data . Data Science . Photography . Music
+91 9953294125

 

On Thu, Oct 22, 2015 at 1:29 PM, Jingfei Hu <jingfei_hu@hotmail.com
<mailto:jingfei_hu@hotmail.com> > wrote:

Hi Anu,

Thanks for the reply. Here is what I am doing in my client machine. 

C:\Users\adms>curl -i --negotiate -u:
"http://xxx.cloudapp.net:50070/webhdfs/v1?op=gethomedirectory"

HTTP/1.1 401 Authentication required

Cache-Control: must-revalidate,no-cache,no-store

Date: Thu, 22 Oct 2015 07:38:52 GMT

Pragma: no-cache

Date: Thu, 22 Oct 2015 07:38:52 GMT

Pragma: no-cache

Content-Type: text/html; charset=iso-8859-1

WWW-Authenticate: Negotiate

Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;
HttpOnly

Content-Length: 1403

Server: Jetty(6.1.26.hwx)

 

HTTP/1.1 403 GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

Cache-Control: must-revalidate,no-cache,no-store

Date: Thu, 22 Oct 2015 07:38:52 GMT

Pragma: no-cache

Date: Thu, 22 Oct 2015 07:38:52 GMT

Pragma: no-cache

Content-Type: text/html; charset=iso-8859-1

Set-Cookie: hadoop.auth=; Path=/; Expires=Thu, 01-Jan-1970 00:00:00 GMT;
HttpOnly

Content-Length: 1561

Server: Jetty(6.1.26.hwx)

 

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>

<title>Error 403 GSSException: No valid credentials provided (Mechanism
level: Failed to find any Kerberos credentails)</title>

</head>

<body><h2>HTTP ERROR 403</h2>

<p>Problem accessing /webhdfs/v1. Reason:

<pre>    GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)</pre></p><hr /><i><small>Powered
by
Jetty://</small></i><br/>

 

</body>

</html>

 

As for the command line shown in the url . Here is what I am trying on the
KDC machine.

kinit admin/admin

After entering the password, it exited without problems

curl -i --negotiate -u admin
http://sandbox.hortonworks.com:50070/webhdfs/v1?op=gethomedirectory and
enter the password for the subsequent prompt. 

It also returns ok. I can see the response's content is
{"Path":"/user/admin"}

However if I change the command line to be curl -i --negotiate -u admin
http://xxx.cloudapp.net:50070/webhdfs/v1?op=gethomedirectory, it failed with


 

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>

<title>Error 401 Authentication required</title>

</head>

<body><h2>HTTP ERROR 401</h2>

<p>Problem accessing /webhdfs/v1. Reason:

<pre>    Authentication required</pre></p><hr /><i><small>Powered
by
Jetty://</small></i><br/>

</body>

</html>

 

Any ideas?

 

Thanks,

Jingfei

From: Anu Engineer [mailto:aengineer@hortonworks.com
<mailto:aengineer@hortonworks.com> ] 
Sent: Thursday, October 22, 2015 12:16 PM
To: user@hadoop.apache.org <mailto:user@hadoop.apache.org> 
Subject: Re: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

 

Did you try out with curl and it did not work at all ?.  It is slightly
easier to debug with command line than a browser like IE.

 

https://hadoop.apache.org/docs/r2.6.0/hadoop-auth/Examples.html

 

Please try getting a ticket and try to connect the cluster using it and if
does not work, could you please post your traces. 

This will allow us rule out the issue that you might not have a valid
kerberos ticket in the first place.

 

 

Thanks

Anu

 

 

From: Jingfei Hu
Reply-To: "user@hadoop.apache.org <mailto:user@hadoop.apache.org> "
Date: Wednesday, October 21, 2015 at 7:30 PM
To: "user@hadoop.apache.org <mailto:user@hadoop.apache.org> "
Subject: RE: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

 

The links Anu provides seems to be no much helpful for my problem. I would
give more context here.

 

I am using HDP on Azure. Its version is 2.3. After several attempts, I'm
finally able to enable Kerberos for my HDP deployment. Now I am trying to
use webhdfs to access hdfs files in IE.

http://xxx.cloudapp.net:50070/webhdfs/v1?op=gethomedirectory.

Then IE pops up a windows to ask for user name and password. Then I enter
the admin principal in KDC domain style (admin/admin@DOMAIN.com
<mailto:admin/admin@DOMAIN.com> ) along with the correct password. However
it gives me
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos credentials)

Before enabling Kerberos, I can access this without entering anything
because its security is off.

Now how am i gonna do to make it work with Kerberos enabled?

 

Jingfei

 

From: Anu Engineer [mailto:aengineer@hortonworks.com] 
Sent: Wednesday, October 21, 2015 11:42 PM
To: user@hadoop.apache.org <mailto:user@hadoop.apache.org> 
Subject: Re: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

 

This usually means that you don't have valid Kerberos credentials.

 

Please look at the authentication section at this URL
https://hadoop.apache.org/docs/r1.0.4/webhdfs.html or here is another
example. 

http://www.cloudera.com/content/www/en-us/documentation/archive/cdh/4-x/4-3-
2/CDH4-Security-Guide/cdh4sg_topic_7_2.html

 

Thanks

Anu

 

 

From: Jingfei Hu
Reply-To: "user@hadoop.apache.org <mailto:user@hadoop.apache.org> "
Date: Tuesday, October 20, 2015 at 10:45 PM
To: "user@hadoop.apache.org <mailto:user@hadoop.apache.org> "
Subject: GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos credentails)

 

Hi team,

Is there anyone who knows what this exception means? What should I do to fix
this?  I am trying to access

 

http://xxx.cloudapp.net:50070/webhdfs/v1/?op=liststatus

 

I just enabled the Kerberos for the HDFS deployment.

 

Thanks,

Jingfei

 


Mime
View raw message