hbase-user mailing list archives

From Josh Elser <els...@apache.org>
Subject Re: Help with HBase + Kerberos +Jaas
Date Thu, 17 Nov 2016 19:17:34 GMT
Hi Hugo,

The JAAS configuration is actually only used by ZooKeeper -- not for 
HBase itself. You would need to perform the login by yourself using JAAS 
or invoke the correct UserGroupInformation API yourself.

The "Client" keyword is a hint here as to what was happening. This 
"term" is unique to the application which implements the JAAS-based 
login. "Client" is unique to ZooKeeper. It would be an "improvement" to 
have some "HBaseClient" keyword that would automatically perform login 
via JAAS in HBase :)

LMK if that isn't clear.

- Josh

Hugo Labra wrote:
> Hello,
>
> I am having a problem connecting to a Secure HBase cluster when using
> the JAAS config. I enabled Kerberos using the Cloudera wizard.
>
> My program is trying to create some tables and write to them, the
> problem is that if I set the flag
> -Djava.security.auth.login.config=jaas.conf the JAAS config and the
> keytab, and then run kinit it succeeds, but if I do not do kinit before
> then it doesn't work... Am I understanding things incorrectly?
> Shouldn't the JAAS configuration get the Kerberos ticket transparently
> without the need of kinit?
>
> This is my JAAS config:
>
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> useTicketCache=false
> keyTab="/scratch/kerberos/hbase.keytab"
> principal="hbase/myhost.example.com@EXAMPLE.COM";
> };
>
>
> If I do exactly the same but without kinit first then I get the following
> exception:
> Caused by: java.lang.RuntimeException: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$1.run(RpcClientImpl.java:673)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:631)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:739)
> ... 17 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
> at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:605)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:154)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:731)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:728)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:728)
> ... 17 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
> at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
> at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
> at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
> ... 26 more
>
>
> Shouldn't the JAAS get the ticket without the need of kinit?
>
> I appreciate any help :)
>
> Kind regards,
> Hugo Labra
>
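
The keytab login through Hadoop's UserGroupInformation API that the reply points to, as an added example that is not part of the original thread or of HBase's own code. It assumes Java 8 or later, a POSIX file system, and the cluster's hbase-site.xml and core-site.xml on the classpath; the class name is hypothetical, and the principal and keytab path are the ones from the quoted JAAS file.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabLoginExample {  // hypothetical class name
    public static void main(String[] args) throws Exception {
        // Principal and keytab path as in the JAAS file quoted in the thread.
        String principal = "hbase/myhost.example.com@EXAMPLE.COM";
        Path keytab = Paths.get("/scratch/kerberos/hbase.keytab");
        // A keytab is a long-term credential: refuse one readable by group/other.
        // (Assumes a POSIX file system; throws UnsupportedOperationException otherwise.)
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
        if (perms.contains(PosixFilePermission.GROUP_READ)
                || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException("keytab is readable by group or others: " + keytab);
        }
        // Assumes hbase-site.xml/core-site.xml are on the classpath; the two
        // settings below are normally already present there on a secure cluster.
        Configuration conf = HBaseConfiguration.create();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Obtains the TGT from the keytab inside the JVM; no kinit or ticket cache.
        UserGroupInformation ugi = UserGroupInformation
                .loginUserFromKeytabAndReturnUGI(principal, keytab.toString());

        // Run HBase calls as the logged-in user so RPC SASL finds the credentials.
        ugi.doAs((PrivilegedExceptionAction<Void>) () -> {
            try (Connection conn = ConnectionFactory.createConnection(conf);
                 Admin admin = conn.getAdmin()) {
                for (TableName t : admin.listTableNames()) {
                    System.out.println(t.getNameAsString());
                }
            }
            return null;
        });
    }
}
```

A long-running client would also call `ugi.checkTGTAndReloginFromKeytab()` periodically so the ticket is renewed from the keytab before it expires.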
