Return-Path: 
 <user-return-47135-apmail-hbase-user-archive=hbase.apache.org@hbase.apache.org>
X-Original-To: apmail-hbase-user-archive@www.apache.org
Delivered-To: apmail-hbase-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 07DCD172E6
	for <apmail-hbase-user-archive@www.apache.org>;
 Thu, 12 Feb 2015 01:09:08 +0000 (UTC)
Received: (qmail 53028 invoked by uid 500); 12 Feb 2015 01:09:05 -0000
Delivered-To: apmail-hbase-user-archive@hbase.apache.org
Received: (qmail 52950 invoked by uid 500); 12 Feb 2015 01:09:05 -0000
Mailing-List: contact user-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:user-help@hbase.apache.org>
List-Unsubscribe: <mailto:user-unsubscribe@hbase.apache.org>
List-Post: <mailto:user@hbase.apache.org>
List-Id: <user.hbase.apache.org>
Reply-To: user@hbase.apache.org
Delivered-To: mailing list user@hbase.apache.org
Received: (qmail 52938 invoked by uid 99); 12 Feb 2015 01:09:05 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Feb 2015 01:09:05 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of olorinbant@gmail.com
 designates 209.85.214.172 as permitted sender)
Received: from [209.85.214.172] (HELO mail-ob0-f172.google.com)
 (209.85.214.172)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Feb 2015 01:09:01 +0000
Received: by mail-ob0-f172.google.com with SMTP id nt9so7041247obb.3
        for <user@hbase.apache.org>; Wed, 11 Feb 2015 17:08:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :content-type;
        bh=DarDk7KAZxrD/uUXO9PblxpUhv1dm9zf5/plrboZwbU=;
        b=N8eddOk8+g1G51i02eQxHmoNcQ/gwmFFhSjBF/0eUgruAfNPzKaoxq5Dqd+70lhkUE
         PQTb/lLD+rj+1Vn4rPo7190vY9CfIElJKLQjefm1sClkBR3jlRJJLpyJ36vfrdIGBrdY
         3+cwC9Q04VNtxGeYvsxOmgVZqNQCJ6CcI5Ja7E/oOTsWf+W6lMIGz1M35cJ/bihmOuOB
         TL67JPK+mB8I2n+gHTH2ov9jg/6qqaXfSbQ+SfF7E/ey1EvlxDrNyaj96g1BYsY3sGHd
         0UgxFz+faZQ50sbjLxnJfkGKrE4XFbLvtURarrpFuxC0nUliT7OfA1KuvEw8EHGHBaES
         Nq6A==
X-Received: by 10.202.18.72 with SMTP id 69mr849181ois.61.1423703320842; Wed,
 11 Feb 2015 17:08:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.202.3.67 with HTTP; Wed, 11 Feb 2015 17:08:10 -0800 (PST)
In-Reply-To: <A1BE947B-1840-4FB2-92B4-2C7C048C96C4@gores.net>
References: <8E3AF692-E934-46CF-97E4-8869E7DECC0D@gores.net>
 <CA+DCeTELOaviO-YY7KwEjKC1swF530sev+=x6+-5O0Yb2orCzQ@mail.gmail.com>
 <A1BE947B-1840-4FB2-92B4-2C7C048C96C4@gores.net>
From: Mikhail Antonov <olorinbant@gmail.com>
Date: Wed, 11 Feb 2015 17:08:10 -0800
Message-ID: 
 <CAHxLZBXED8SYTEOeJgqZBpkXCfcBjDGj8CEswfU1Cc5oUOpnow@mail.gmail.com>
Subject: Re: Connecting to HBase with Kerberos
To: "user@hbase.apache.org" <user@hbase.apache.org>
Content-Type: text/plain; charset=UTF-8
X-Virus-Checked: Checked by ClamAV on apache.org

Does your java app has JCE installed with unlimited encryption strength?

-Mikhail

On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <jiten@gores.net> wrote:
> Hi Dima,
>
> Thanks for the prompt response.
>
> Here's what we are doing and the error we are seeing:
>
> Code:
> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
> final Configuration hBaseConfig = HBaseConfiguration.create();
> hBaseConfig.setInt("timeout", 120000);
> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
> hBaseConfig.set("hadoop.security.authentication", "kerberos");
> hBaseConfig.set("hbase.security.authentication", "kerberos");
> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
> UserGroupInformation.setConfiguration(hBaseConfig);
>
> UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>                 "user.keytab");
>
>
>
> Error:
>
> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>         at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>         at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>         at Kerberos.KerberosAuthentication.App.main(App.java:15)
> Caused by: javax.security.auth.login.LoginException: null (68)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:606)
>         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>         at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>         at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>         ... 2 more
> Caused by: KrbException: null (68)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>         ... 15 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>         at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
> Sent from my iPhone
>
>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <dspivak@cloudera.com> wrote:
>>
>> Hey Jiten,
>>
>> Have you followed the steps outlined in
>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What issues
>> are you seeing?
>>
>> -Dima
>>
>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <jiten@gores.net> wrote:
>>>
>>> We are having difficulties connecting with our Java application to our
>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>
>>> Has anyone successfully connected this way? If you have and can help,
>>> please let me know. I can share details about the issue.
>>>
>>> Best Regards,
>>> Jiten
>>>
>>> Sent from my iPhone



-- 
Thanks,
Michael Antonov