https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227930#M189790 <P>Because of this below property in core-site.xml, it works for you</P><TABLE><TBODY><TR><TD>hadoop.security.auth_to_local</TD><TD>The mapping rules. For example:<P><CODE>RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT</CODE></P></TD><TD>The mapping from Kerberos principal names to local OS user names. <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/create_mappings_betw_principals_and_unix_usernames.html">See Creating Mappings Between Principals and UNIX Usernames</A> for more information.</TD></TR></TBODY></TABLE> Fri, 07 Dec 2018 05:47:29 GMT rohnu 2018-12-07T05:47:29Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227923#M189783 <P>I have a kerberized cluster where in local realm trusts AD realm with MIT KDC setup.</P><P>AD Realm : EXAMPLE.COM</P><P>Local Realm: LOCALREALM.EXAMPLE.COM</P><P>Post doing kinit as user@EXAMPLE.COM , I'm able to perform all the regular tasks through command line like creating hbase tables, running mapreduce job etc.</P><P>But, when i'm trying to connect to hbase to perform a benchmarking through ycsb tool, it throws an exception as unable to login.</P><P>If i authenticate using the local realm such as user@LOCALREALM.EXAMPLE.COM, it works like a charm.</P><P>I have the rules added in auth to local to trust AD realm too : RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//</P><P>Do not understand if i'm missing anything else. can someone please help ?</P><P>Below is a part of the stack trace:</P><P><STRONG>Caused by: java.io.IOException: failure to login</STRONG></P><P>at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:782)</P><P>at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)</P><P>at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)</P><P>at org.apache.hadoop.hbase.security.User$SecureHadoopUser.&lt;init&gt;(User.java:285)</P><P>at org.apache.hadoop.hbase.security.User$SecureHadoopUser.&lt;init&gt;(User.java:281)</P><P>at org.apache.hadoop.hbase.security.User.getCurrent(User.java:185)</P><P>at org.apache.hadoop.hbase.security.UserProvider.getCurrent(UserProvider.java:88)</P><P>at org.apache.hadoop.hbase.client.ConnectionFactory.createConnection(ConnectionFactory.java:215)</P><P>at org.apache.hadoop.hbase.client.ConnectionFactory.createConnection(ConnectionFactory.java:119)</P><P>at com.yahoo.ycsb.db.HBaseClient10.init(HBaseClient10.java:149)</P><P>... 3 more</P><P><STRONG>Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name user@EXAMPLE.COM</STRONG></P><P>at org.apache.hadoop.security.User.&lt;init&gt;(User.java:50)</P><P>at org.apache.hadoop.security.User.&lt;init&gt;(User.java:43)</P><P>at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:179)</P><P>at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)</P><P>at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)</P><P>at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)</P><P>at java.lang.reflect.Method.invoke(Method.java:498)</P><P>at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)</P><P>at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)</P><P>at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)</P><P>at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)</P><P>at java.security.AccessController.doPrivileged(Native Method)</P><P>at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)</P><P>at javax.security.auth.login.LoginContext.login(LoginContext.java:588)</P><P>at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:757)</P><P>at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)</P><P>at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)</P><P>at org.apache.hadoop.hbase.security.User$SecureHadoopUser.&lt;init&gt;(User.java:285)</P><P>at org.apache.hadoop.hbase.security.User$SecureHadoopUser.&lt;init&gt;(User.java:281)</P><P>at org.apache.hadoop.hbase.security.User.getCurrent(User.java:185)</P><P>at org.apache.hadoop.hbase.security.UserProvider.getCurrent(UserProvider.java:88)</P><P>at org.apache.hadoop.hbase.client.ConnectionFactory.createConnection(ConnectionFactory.java:215)</P><P>at org.apache.hadoop.hbase.client.ConnectionFactory.createConnection(ConnectionFactory.java:119)</P><P>at com.yahoo.ycsb.db.HBaseClient10.init(HBaseClient10.java:149)</P><P>at com.yahoo.ycsb.DBWrapper.init(DBWrapper.java:86)</P><P>at com.yahoo.ycsb.ClientThread.run(Client.java:424)</P><P>at java.lang.Thread.run(Thread.java:748)</P><P><STRONG>Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@EXAMPLE.COM</STRONG></P><P>at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)</P><P>at org.apache.hadoop.security.User.&lt;init&gt;(User.java:48)</P><P>... 26 more</P> Fri, 16 Sep 2022 13:53:05 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227923#M189783 narendra_klu9 2022-09-16T13:53:05Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227924#M189784 <A rel="user" href="https://community.cloudera.com/users/23253/narendraklu9.html" nodeid="23253">@Narendra Neerukonda</A><P>I am not familiar with the ycsb tool. This error coming from that tool. Does the ycsb tool have the relevant auth-to-local rules configured?</P> Sat, 10 Nov 2018 00:36:59 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227924#M189784 rlevas 2018-11-10T00:36:59Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227925#M189785 <P>ycsb is a standalone tool. We need to pass the hbase-site.xml and we can run the tests (benchmarking tool for databases)</P><P>I'm trying to figure out if any specific auth-to-local rules are required to be configured in ambari. Since i'm triggering it with my user id after authenticating with AD realm (AD realm added to auth-to-local rules), not able to understand why i still have the error. </P><P>As far as i'm understanding, the error is not originating from the tool as i'm able to use/run ycsb benchmarking if i authenticate using the local realm (i added my user principal to the local MIT kdc and authenticated using that----getting a ticket as user@LOCALREALM.EXAMPLE.COM instead of user@EXAMPLE.COM).</P><P>when using kinit as user@EXAMPLE.COM and running, i'm getting below responses as in the above stack trace:</P><P><STRONG>Caused by: java.io.IOException: failure to login</STRONG></P><P><STRONG>Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name <A href="mailto:user@EXAMPLE.COM">user@EXAMPLE.COM</A></STRONG></P><P><STRONG>Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to <A href="mailto:user@EXAMPLE.COM">user@EXAMPLE.COM</A></STRONG></P> Sun, 11 Nov 2018 04:34:45 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227925#M189785 narendra_klu9 2018-11-11T04:34:45Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227926#M189786 <P>It seems like hbase-site.xml does not contain auth-to-local rules and that Hbase may take those rules from the core-site.xml file. That said, Ambari will add the needed rules to the core-site.xml file - hadoop.security.auth_to_local - if it known about the additional realm(s). This is done by added EXAMPLE.COM to the Additional Realms field in the Kerberos administration view - as discussed in <A href="https://community.hortonworks.com/questions/227267/unable-to-authenticate-as-username-to-cluster-afte.html" target="_blank">https://community.hortonworks.com/questions/227267/unable-to-authenticate-as-username-to-cluster-afte.html</A>. </P><P>Playing with this more, I am able to generate the error you are getting if the auth-to-local rules are not set up properly in core-site.xml. You can test your's my running the following command (not via ycsb):</P><PRE>hadoop kerbname &lt;principal name&gt; </PRE><P>Or by running </P><PRE>hadoop org.apache.hadoop.security.HadoopKerberosName &lt;principal name&gt; </PRE><P>For example:</P><PRE>[root@c7401 ~]# hadoop org.apache.hadoop.security.HadoopKerberosName user@UNKNOWN.DOM 18/11/11 14:36:19 INFO util.KerberosName: No auth_to_local rules applied to user@UNKNOWN.DOM Name: user@UNKNOWN.DOM to user@UNKNOWN.DOM</PRE><P>Since I do not have the full stack track or all of the information, I cannot comment on whether the ycsb tool or Hbase is generating that error. If it is Hbase, itself, then the <I>hadoop kerbname</I> command (on the relevant host) should show the same error when passing "user@EXAMPLE.COM" to it - assuming Hbase really does use core-site.xml to load the auth-to-local rules. However, if that command does not show the "no auth_to_local_ rules" message, then I would have to assume the error is coming from the ycsb tool and the appropriate core-site.xml file is needed.</P> Sun, 11 Nov 2018 22:48:59 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227926#M189786 rlevas 2018-11-11T22:48:59Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227927#M189787 <P>Got it. </P><P>It started working fine once i passed the core-site.xml properly to the tool. Seems it wasn't able to pick up the rules as it didn't read the core-site.xml file or something. </P><P>Thank you <A rel="user" href="https://community.cloudera.com/users/322/rlevas.html" nodeid="322">@Robert Levas</A> for helping out.</P> Mon, 12 Nov 2018 15:04:20 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227927#M189787 narendra_klu9 2018-11-12T15:04:20Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227928#M189788 <P>Awesome! I am glad that I could help out. </P> Mon, 12 Nov 2018 20:58:41 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227928#M189788 rlevas 2018-11-12T20:58:41Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227929#M189789 <P>Because of below parameter in core-site.xml which works for you</P><TABLE><TBODY><TR><TD>hadoop.security.auth_to_local</TD><TD><BR /></TD><TD>The mapping from Kerberos principal names to local OS user names. <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/create_mappings_betw_principals_and_unix_usernames.html">See Creating Mappings Between Principals and UNIX Usernames</A> for more information.</TD></TR></TBODY></TABLE> Fri, 07 Dec 2018 04:43:08 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227929#M189789 rohnu 2018-12-07T04:43:08Z https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227930#M189790 <P>Because of this below property in core-site.xml, it works for you</P><TABLE><TBODY><TR><TD>hadoop.security.auth_to_local</TD><TD>The mapping rules. For example:<P><CODE>RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ RULE:[2:$1@$0](hm@.*EXAMPLE.COM)s/.*/hbase/ RULE:[2:$1@$0](rs@.*EXAMPLE.COM)s/.*/hbase/ DEFAULT</CODE></P></TD><TD>The mapping from Kerberos principal names to local OS user names. <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/create_mappings_betw_principals_and_unix_usernames.html">See Creating Mappings Between Principals and UNIX Usernames</A> for more information.</TD></TR></TBODY></TABLE> Fri, 07 Dec 2018 05:47:29 GMT https://community.cloudera.com/t5/Support-Questions/After-enabling-kerberos-using-hbase-through-java-using-ycsb/m-p/227930#M189790 rohnu 2018-12-07T05:47:29Z