hbase-user mailing list archives

From Mikhail Antonov <olorinb...@gmail.com>
Subject Re: Connecting to HBase with Kerberos
Date Thu, 12 Feb 2015 05:30:05 GMT
Does the error remain the same after the changes in the jaas config?

On Wed, Feb 11, 2015 at 7:56 PM, Jiten Gore <jiten@gores.net> wrote:
> The keytabs have been working for us when we use HBase shell as well as when we run pig scripts.
>
> Although our Java program is still unable to connect.
>
> Sent from my iPhone
>
>> On Feb 11, 2015, at 7:47 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>
>> I don't have any secured cluster handy to check and don't remember. I
>> supposed if your master and regionservers are starting fine and able to
>> login from keytabs then you're fine, otherwise you'll need to
>> configure jaas files for them.
>>
>> So does it work for you now? For your java program?
>>
>> -Mikhail
>>
>>> On Wed, Feb 11, 2015 at 7:40 PM, Jiten Gore <jiten@gores.net> wrote:
>>> This looks promising!
>>>
>>> On the host machine at /etc/hbase/conf, we have a jaas.conf file.
>>>
>>> It had useKeyTab = false
>>> We have changed it to:
>>> Client {
>>>  com.sun.security.auth.module.Krb5LoginModule required
>>>  useKeyTab=true
>>> keyTab=/home/<username>/username.keytab
>>>  useTicketCache=true;
>>> };
>>>
>>> Do we also need to add the other jaas files as shown here?
>>> https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-2.html
>>>
>>>
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 11, 2015, at 7:05 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>>>
>>>> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>>>>
>>>> Krb5LoginModule falls back to asking user for password when it's
>>>> either not configured to use keytabs, or can't find/read one. Do you
>>>> have JAAS conf file set up? You'd need to set useKeyTab=true and
>>>> keyTab=<path> there.
>>>>
>>>> -Mikhail
>>>>
>>>>> On Wed, Feb 11, 2015 at 6:50 PM, Jiten Gore <jiten@gores.net> wrote:
>>>>> Currently, running from a windows computer from within Eclipse. So permissions should not be an issue.
>>>>>
>>>>> Just set the property:
>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>
>>>>> And got this output:
>>>>> Java config name: null
>>>>> Native config name: C:\Windows\krb5.ini
>>>>> getRealmFromDNS: trying <realm>
>>>>> getRealmFromDNS: trying <realm>
>>>>> Java config name: null
>>>>> Native config name: C:\Windows\krb5.ini
>>>>> >>> KdcAccessibility: reset
>>>>> >>> KdcAccessibility: reset
>>>>> >>> KeyTabInputStream, readName(): <REALM>
>>>>> >>> KeyTabInputStream, readName(): <username>
>>>>> >>> KeyTab: load() entry length: 53; type: 23
>>>>> >>> KeyTabInputStream, readName(): <REALM>
>>>>> >>> KeyTabInputStream, readName(): <username>
>>>>> >>> KeyTab: load() entry length: 69; type: 18
>>>>> >>> KeyTabInputStream, readName(): <REALM>
>>>>> >>> KeyTabInputStream, readName(): <username>
>>>>> >>> KeyTab: load() entry length: 53; type: 17
>>>>> Ordering keys wrt default_tkt_enctypes list
>>>>> Using builtin default etypes for default_tkt_enctypes
>>>>> default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>>>> Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<REALM> from keytab <path_to_keytab_file>
>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:44)
>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:17)
>>>>> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
>>>>>
>>>>> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>>>>> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>> ... 2 more
>>>>> LSA: Found Ticket
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found PrincipalName
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found DerValue
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found EncryptionKey
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found TicketFlags
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found KerberosTime
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found String
>>>>> LSA: Made NewWeakGlobalRef
>>>>> LSA: Found DerValue constructor
>>>>> LSA: Found Ticket constructor
>>>>> LSA: Found PrincipalName constructor
>>>>> LSA: Found EncryptionKey constructor
>>>>> LSA: Found TicketFlags constructor
>>>>> LSA: Found KerberosTime constructor
>>>>> LSA: Finished OnLoad processing
>>>>>
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 11, 2015, at 6:29 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>>>>>
>>>>>> Interesting.
>>>>>>
>>>>>> Your java program runs under the same user, as shell for kinit?
>>>>>> Anything in /var/log/krb5kdc.log (with debug logging on)?
>>>>>>
>>>>>>> On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <jiten@gores.net> wrote:
>>>>>>> The host names in libdefaults and realms in krb5.conf exactly match the host name used in the principal name.
>>>>>>>
>>>>>>> From command line, we are able to get the TGT using the following command:
>>>>>>> kinit -k -t <keytab> -p <username>
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Another thing to check are [libdefaults] and [realms] sections in
>>>>>>>> krb5.conf, in case there's any typo or wrong case in there.
>>>>>>>>
>>>>>>>> You can get the TGT from the kinit command using this keytab, right?
>>>>>>>>
>>>>>>>> -Mikhail
>>>>>>>>
>>>>>>>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>>>>>>>> Just checking.. is that full log? Does the principal name have the
>>>>>>>>> _HOST portion in it?
>>>>>>>>>
>>>>>>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <jiten@gores.net> wrote:
>>>>>>>>>> Thanks Mikhail. Yes it has been so installed.
>>>>>>>>>>
>>>>>>>>>> We downloaded the JCE unlimited encryption jar files and replaced the existing jre jar files. Is there anything else that we need to do?
>>>>>>>>>>
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>
>>>>>>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <olorinbant@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Does your java app have JCE installed with unlimited encryption strength?
>>>>>>>>>>>
>>>>>>>>>>> -Mikhail
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <jiten@gores.net> wrote:
>>>>>>>>>>>> Hi Dima,
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for the prompt response.
>>>>>>>>>>>>
>>>>>>>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>>>>>>>
>>>>>>>>>>>> Code:
>>>>>>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>>>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
>>>>>>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>>>>>>>
>>>>>>>>>>>> UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>>>>>>>>>           "user.keytab");
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Error:
>>>>>>>>>>>>
>>>>>>>>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>>>>>>>>   at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>>>>>>>   at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>>>>>>>   at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>>>>>>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>>>>>>>   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>>>>>>>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>   at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>>>>>>>   at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>>>>>>>   at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>>>>>>>   at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>>>>>>>   ... 2 more
>>>>>>>>>>>> Caused by: KrbException: null (68)
>>>>>>>>>>>>   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>>>>>>>   at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>>>>>>>   at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>>>>>>>   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>>>>>>>   ... 15 more
>>>>>>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>>>>>>>   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>>>>>>>   at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>>>>>>>   at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>>>>>>>   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <dspivak@cloudera.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hey Jiten,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Have you followed the steps outlined in
>>>>>>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What issues
>>>>>>>>>>>>> are you seeing?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Dima
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <jiten@gores.net> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>> Jiten
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Michael Antonov
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thanks,
>>>>>>>>> Michael Antonov
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Michael Antonov
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Michael Antonov
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>
>>
>>
>> --
>> Thanks,
>> Michael Antonov
>>



-- 
Thanks,
Michael Antonov
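
An added example, not part of the thread and not HBase or Hadoop code: a stand-alone preflight for the point quoted above that Krb5LoginModule falls back to prompting when it is not configured for a keytab or cannot find or read one. The class name `KeytabPreflight`, the `user@EXAMPLE.COM` principal and the keytab path are placeholders; only JDK classes are used, and the ticket cache is disabled so a cached TGT cannot mask a keytab problem.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

public class KeytabPreflight {
    // Equivalent jaas.conf entry (path and principal are placeholders):
    //   Client { com.sun.security.auth.module.Krb5LoginModule required
    //     useKeyTab=true keyTab="/path/to/user.keytab"
    //     principal="user@EXAMPLE.COM" doNotPrompt=true; };
    static Configuration keytabOnly(final String principal, final File keytab) {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab.getAbsolutePath());
        opts.put("principal", principal);
        opts.put("doNotPrompt", "true");     // fail fast, never fall back to a password prompt
        opts.put("useTicketCache", "false"); // prove the keytab works, not a cached TGT
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        String principal = args[0];          // full name with realm, e.g. user@EXAMPLE.COM
        File keytab = new File(args[1]);     // a relative path resolves against the working dir
        if (!keytab.isFile() || !keytab.canRead())
            throw new IllegalStateException("keytab missing or unreadable: " + keytab.getAbsolutePath());
        // An empty result means the file holds no key for this exact principal name.
        KerberosKey[] keys = KeyTab.getInstance(keytab).getKeys(new KerberosPrincipal(principal));
        if (keys.length == 0)
            throw new IllegalStateException("no keys for " + principal + " in " + keytab);
        for (KerberosKey k : keys)
            System.out.println("etype " + k.getKeyType() + " kvno " + k.getVersionNumber());
        LoginContext lc = new LoginContext("Client", null, null, keytabOnly(principal, keytab));
        lc.login();                          // throws LoginException carrying the underlying cause
        System.out.println("logged in as " + lc.getSubject().getPrincipals());
    }
}
```

Run it as the same OS user and from the same working directory as the failing application, so that file permissions and relative keytab paths are tested under the same conditions.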
