hbase-user mailing list archives

From "Lanati, Matteo" <Matteo.Lan...@lrz.de>
Subject RE: HBase client with security
Date Thu, 29 Aug 2013 21:54:00 GMT
Hi Harsh,

thanks for the suggestion.
I added HADOOP_PREFIX so that the conf folder is in the path.
It still doesn't work, so I suppose Hadoop's core-site.xml is faulty (though I need a Kerberos
ticket to use Hadoop, so security is working).
In fact, when I try to list from HBase shell I get

13/08/29 23:47:43 ERROR security.UserGroupInformation: PriviledgedActionException as:lu95jib@HADOOP.LRZ.DE cause:java.io.IOException: Failed to specify server's Kerberos principal name
13/08/29 23:47:43 INFO security.UserGroupInformation: Initiating logout for lu95jib@HADOOP.LRZ.DE
13/08/29 23:47:43 INFO security.UserGroupInformation: Initiating re-login for lu95jib@HADOOP.LRZ.DE


The file core-site.xml contains the following

  <property>
    <name>fs.default.name</name>
    <value>hdfs://10.156.120.41:9000</value>
  </property>

  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>

  <property>
    <name>hadoop.kerberos.kinit.command</name>
    <value>/usr/bin/kinit</value>
  </property>

What else should I need? Maybe a reference to the keytab contained in hbase/conf/zk-jaas.conf?

Bye,

Matteo


Matteo Lanati
Distributed Resources Group
Leibniz-Rechenzentrum (LRZ)
Boltzmannstrasse 1
85748 Garching b. München (Germany)
Phone: +49 89 35831 8724

________________________________________
From: Harsh J [harsh@cloudera.com]
Sent: 29 August 2013 15:53
To: user@hbase.apache.org
Subject: Re: HBase client with security

Two things come to mind:

1. Is HADOOP_CONF_DIR also on HBase's classpath? If it or
HADOOP_PREFIX/HADOOP_HOME is defined, it usually is. But re-check via
"hbase classpath"
2. Assuming (1) is good, does your core-site.xml have kerberos
authentication settings for hadoop as well?

On Thu, Aug 29, 2013 at 6:58 PM, Lanati, Matteo <Matteo.Lanati@lrz.de> wrote:
> Hi all,
>
> I set up Hadoop (1.2.0), Zookeeper (3.4.5) and HBase (0.94.8-security) with security.
> HBase works if I launch the shell from the node running the master, but I'd like to use it from an external machine.
> I prepared one, copying the Hadoop and HBase installation folders and adapting the path (indeed I can use the same client to run MR jobs and interact with HDFS).
> Regarding HBase client configuration:
>
> - hbase-site.xml specifies
>
>  <property>
>    <name>hbase.security.authentication</name>
>    <value>kerberos</value>
>  </property>
>  <property>
>    <name>hbase.rpc.engine</name>
>    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
>  </property>
>  <property>
>    <name>hbase.zookeeper.quorum</name>
>    <value>master.hadoop.local,host49.hadoop.local</value>
>  </property>
>
> where the zookeeper hosts are reachable and can be solved via DNS. I had to specify them otherwise the shell complains about "org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /hbase/hbaseid"
>
> - I have a keytab for the principal I want to use (<user running hbase/my client hostname@MYREALM>), correctly addressed by the file hbase/conf/zk-jaas.conf. In hbase-env.sh, the variable HBASE_OPTS points to zk-jaas.conf.
>
> Nonetheless, when I issue a command from an HBase shell on the client machine, I got an error in the HBase master log
>
> 2013-08-29 10:11:30,890 WARN org.apache.hadoop.ipc.HBaseServer: IPC Server listener on 60000: readAndProcess threw exception org.apache.hadoop.security.AccessControlException: Authentication is required. Count of bytes read: 0
> org.apache.hadoop.security.AccessControlException: Authentication is required
>         at org.apache.hadoop.hbase.ipc.SecureServer$SecureConnection.readAndProcess(SecureServer.java:435)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener.doRead(HBaseServer.java:748)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.doRunLoop(HBaseServer.java:539)
>         at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.run(HBaseServer.java:514)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
>
> It looks like there's a mismatch between the client and the master regarding the authentication mechanism. Note that from the same client machine I can launch and use a Zookeeper shell.
> What am I missing in the client configuration? Does /etc/krb5.conf play any role in this?
> Thanks,
>
> Matteo
>
>
> Matteo Lanati
> Distributed Resources Group
> Leibniz-Rechenzentrum (LRZ)
> Boltzmannstrasse 1
> 85748 Garching b. München (Germany)
> Phone: +49 89 35831 8724
>
>



--
Harsh J
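
Added example, not part of the thread and not HBase project code: a checker that parses Hadoop-style site files and reports which of the Kerberos client settings discussed above are missing or set to an unexpected value. The two `*.kerberos.principal` keys are standard HBase settings that the thread does not quote; requiring them on the client is an assumption of this example (the client reads the server's principal name from its own hbase-site.xml), and the sample input is constructed from the values quoted in the messages.

```python
import xml.etree.ElementTree as ET

# (file, key, expected value); None accepts any non-empty value. The two
# *.kerberos.principal keys are not quoted in the thread (assumption added here).
REQUIRED = [
    ("core-site.xml", "hadoop.security.authentication", "kerberos"),
    ("hbase-site.xml", "hbase.security.authentication", "kerberos"),
    ("hbase-site.xml", "hbase.rpc.engine", "org.apache.hadoop.hbase.ipc.SecureRpcEngine"),
    ("hbase-site.xml", "hbase.master.kerberos.principal", None),
    ("hbase-site.xml", "hbase.regionserver.kerberos.principal", None),
]

def parse_site(xml_text):
    """Return {name: value} from a Hadoop-style <configuration> document."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(files):
    """files maps file name to XML text; returns (file, key, problem) tuples."""
    parsed = {fname: parse_site(text) for fname, text in files.items()}
    findings = []
    for fname, key, expected in REQUIRED:
        actual = parsed.get(fname, {}).get(key, "")
        if not actual:
            findings.append((fname, key, "missing"))
        elif expected is not None and actual != expected:
            findings.append((fname, key, "unexpected value: " + actual))
    return findings

def site(props):
    """Render a dict as a minimal *-site.xml document (used for sample input)."""
    return "<configuration>%s</configuration>" % "".join(
        "<property><name>%s</name><value>%s</value></property>" % kv
        for kv in props.items())

# Constructed sample mirroring the client settings quoted in the thread.
SAMPLE = {
    "core-site.xml": site({"hadoop.security.authentication": "kerberos"}),
    "hbase-site.xml": site({
        "hbase.security.authentication": "kerberos",
        "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
        "hbase.zookeeper.quorum": "master.hadoop.local,host49.hadoop.local",
    }),
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real client, pass the text of the core-site.xml and hbase-site.xml that appear on the `hbase classpath` output to `audit`.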