hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jiten Gore <ji...@gores.net>
Subject Re: Connecting to HBase with Kerberos
Date Thu, 12 Feb 2015 02:31:01 GMT
We were using username@realm. Changed it to username/host@realm.

The new error log is below:

Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<realm>
from keytab <path_to_keytab_file_on_local_fs>
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
at Kerberos.KerberosAuthentication.App.hbase(App.java:43)
at Kerberos.KerberosAuthentication.App.main(App.java:17)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
... 2 more

Sent from my iPhone

> On Feb 11, 2015, at 6:14 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
> 
> And when you just run 'kinit -k -t ...' with this keytab and
> principal, it all works?
> 
> Did you try to pass it as username/hostname@realm? The part after @
> should be realm.
> 
> -Mikhail
> 
>> On Wed, Feb 11, 2015 at 6:10 PM, Jiten Gore <jiten@gores.net> wrote:
>> The principal name is of the form <userName>@<host name>
>> 
>> And yes, the log is complete.
>> 
>> Thanks,
>> Jiten
>> 
>> Sent from my iPhone
>> 
>>> On Feb 11, 2015, at 5:58 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>> 
>>> Just checking.. is that full log? Does the principal name have the
>>> _HOST portion in it?
>>> 
>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <jiten@gores.net> wrote:
>>>> Thanks Mikhail. Yes it has been so installed.
>>>> 
>>>> We downloaded the JCE unlimited encryption jar files and replaced the existing
jre jar files. Is there any thing else that we need to do?
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <olorinbant@gmail.com>
wrote:
>>>>> 
>>>>> Does your java app has JCE installed with unlimited encryption strength?
>>>>> 
>>>>> -Mikhail
>>>>> 
>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <jiten@gores.net>
wrote:
>>>>>> Hi Dima,
>>>>>> 
>>>>>> Thanks for the prompt response.
>>>>>> 
>>>>>> Here's what we are doing and the error we are seeing:
>>>>>> 
>>>>>> Code:
>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>> 
>>>>>> UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>>>              "user.keytab");
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Error:
>>>>>> 
>>>>>> Exception in thread "main" java.io.IOException: Login failure for
<PRINCIPAL_NAME> from keytab
>>>>>>      at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>      at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>      at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>      at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>      at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>      at java.security.AccessController.doPrivileged(Native Method)
>>>>>>      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>      at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>      at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>      ... 2 more
>>>>>> Caused by: KrbException: null (68)
>>>>>>      at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>      at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>      at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>      ... 15 more
>>>>>> Caused by: KrbException: Identifier doesn't match expected value
(906)
>>>>>>      at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>      at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>      at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>      at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <dspivak@cloudera.com>
wrote:
>>>>>>> 
>>>>>>> Hey Jiten,
>>>>>>> 
>>>>>>> Have you followed the steps outlined in
>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration
? What issues
>>>>>>> are you seeing?
>>>>>>> 
>>>>>>> -Dima
>>>>>>> 
>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <jiten@gores.net>
wrote:
>>>>>>>> 
>>>>>>>> We are having difficulties connecting with our Java application
to our
>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>> 
>>>>>>>> Has anyone successfully connected this way? If you have and
can help,
>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>> 
>>>>>>>> Best Regards,
>>>>>>>> Jiten
>>>>>>>> 
>>>>>>>> Sent from my iPhone
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Thanks,
>>>>> Michael Antonov
>>> 
>>> 
>>> 
>>> --
>>> Thanks,
>>> Michael Antonov
> 
> 
> 
> -- 
> Thanks,
> Michael Antonov
> 

Mime
View raw message