https://community.cloudera.com/t5/Support-Questions/distcp-secure-to-insecure-cluster/m-p/280116#M208682 <P>Hi,</P> <P>I have an issue with distcp authentication between a kerberos secured cluster (<STRONG>HDP2.6.1.0-129</STRONG>) and an unsecured cluster. (<STRONG>HDP3.0.1.0-187)</STRONG></P> <P>The <A href="https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/administration/content/distcp_data_copy_matrix_hdp1_hdp2_to_hdp2.html" target="_self">compatibility matrix</A> for the versions says they should interoperate</P> <P>I am running the following from the secure cluster:</P> <P>&nbsp;</P> <P><STRONG>hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true swebhdfs://FQDN(secure cluster):50470/tmp/test.sh swebhdfs://FQDN(insecure cluster):50470/tmp/test.sh</STRONG></P> <P>&nbsp;</P> <P>Both ends have TLS enabled.I have a truststore configured and working.&nbsp;</P> <P>I can see packets outbound from the client and arriving at the server using tcpdump</P> <P>&nbsp;</P> <P>The error returned by the distcp command above is:</P> <TABLE border="1"> <TBODY> <TR> <TD>19/10/15 09:58:48 ERROR tools.DistCp: Exception encountered<BR />org.apache.hadoop.security.AccessControlException: <STRONG>Authentication required</STRONG><BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:460)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:114)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:750)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:622)<BR />at java.security.AccessController.doPrivileged(Native Method)<BR />at javax.security.auth.Subject.doAs(Subject.java:422)<BR />at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:618)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:1524)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:333)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getAuthParameters(WebHdfsFileSystem.java:557)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.toUrl(WebHdfsFileSystem.java:578)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractFsPathRunner.getUrl(WebHdfsFileSystem.java:852)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:745)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:622)<BR />at java.security.AccessController.doPrivileged(Native Method)<BR />at javax.security.auth.Subject.doAs(Subject.java:422)<BR />at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:618)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHdfsFileStatus(WebHdfsFileSystem.java:1004)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getFileStatus(WebHdfsFileSystem.java:1020)<BR />at org.apache.hadoop.fs.Globber.getFileStatus(Globber.java:57)<BR />at org.apache.hadoop.fs.Globber.glob(Globber.java:252)<BR />at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:1696)<BR />at org.apache.hadoop.tools.GlobbedCopyListing.doBuildListing(GlobbedCopyListing.java:77)<BR />at org.apache.hadoop.tools.CopyListing.buildListing(CopyListing.java:86)<BR />at org.apache.hadoop.tools.DistCp.createInputFileListing(DistCp.java:398)<BR />at org.apache.hadoop.tools.DistCp.createAndSubmitJob(DistCp.java:190)<BR />at org.apache.hadoop.tools.DistCp.execute(DistCp.java:155)<BR />at org.apache.hadoop.tools.DistCp.run(DistCp.java:128)<BR />at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)<BR />at org.apache.hadoop.tools.DistCp.main(DistCp.java:462)</TD> </TR> </TBODY> </TABLE> <P>The namenode log on the client shows successful authentication to kerberos.</P> <P>The server hdfs namenode log shows the following warning:</P> <TABLE border="1"> <TBODY> <TR> <TD>WARN namenode.FSNamesystem (FSNamesystem.java:getDelegationToken(5611)) - <STRONG>trying to get DT with no secret manager running</STRONG></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Has anyone come across this issue before?&nbsp;</P> Mon, 14 Oct 2019 23:28:04 GMT andrew_ryan1 2019-10-14T23:28:04Z https://community.cloudera.com/t5/Support-Questions/distcp-secure-to-insecure-cluster/m-p/280116#M208682 <P>Hi,</P> <P>I have an issue with distcp authentication between a kerberos secured cluster (<STRONG>HDP2.6.1.0-129</STRONG>) and an unsecured cluster. (<STRONG>HDP3.0.1.0-187)</STRONG></P> <P>The <A href="https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.0.1/administration/content/distcp_data_copy_matrix_hdp1_hdp2_to_hdp2.html" target="_self">compatibility matrix</A> for the versions says they should interoperate</P> <P>I am running the following from the secure cluster:</P> <P>&nbsp;</P> <P><STRONG>hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true swebhdfs://FQDN(secure cluster):50470/tmp/test.sh swebhdfs://FQDN(insecure cluster):50470/tmp/test.sh</STRONG></P> <P>&nbsp;</P> <P>Both ends have TLS enabled.I have a truststore configured and working.&nbsp;</P> <P>I can see packets outbound from the client and arriving at the server using tcpdump</P> <P>&nbsp;</P> <P>The error returned by the distcp command above is:</P> <TABLE border="1"> <TBODY> <TR> <TD>19/10/15 09:58:48 ERROR tools.DistCp: Exception encountered<BR />org.apache.hadoop.security.AccessControlException: <STRONG>Authentication required</STRONG><BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:460)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:114)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:750)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:622)<BR />at java.security.AccessController.doPrivileged(Native Method)<BR />at javax.security.auth.Subject.doAs(Subject.java:422)<BR />at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:618)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:1524)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:333)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getAuthParameters(WebHdfsFileSystem.java:557)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.toUrl(WebHdfsFileSystem.java:578)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractFsPathRunner.getUrl(WebHdfsFileSystem.java:852)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:745)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:622)<BR />at java.security.AccessController.doPrivileged(Native Method)<BR />at javax.security.auth.Subject.doAs(Subject.java:422)<BR />at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:618)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHdfsFileStatus(WebHdfsFileSystem.java:1004)<BR />at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getFileStatus(WebHdfsFileSystem.java:1020)<BR />at org.apache.hadoop.fs.Globber.getFileStatus(Globber.java:57)<BR />at org.apache.hadoop.fs.Globber.glob(Globber.java:252)<BR />at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:1696)<BR />at org.apache.hadoop.tools.GlobbedCopyListing.doBuildListing(GlobbedCopyListing.java:77)<BR />at org.apache.hadoop.tools.CopyListing.buildListing(CopyListing.java:86)<BR />at org.apache.hadoop.tools.DistCp.createInputFileListing(DistCp.java:398)<BR />at org.apache.hadoop.tools.DistCp.createAndSubmitJob(DistCp.java:190)<BR />at org.apache.hadoop.tools.DistCp.execute(DistCp.java:155)<BR />at org.apache.hadoop.tools.DistCp.run(DistCp.java:128)<BR />at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)<BR />at org.apache.hadoop.tools.DistCp.main(DistCp.java:462)</TD> </TR> </TBODY> </TABLE> <P>The namenode log on the client shows successful authentication to kerberos.</P> <P>The server hdfs namenode log shows the following warning:</P> <TABLE border="1"> <TBODY> <TR> <TD>WARN namenode.FSNamesystem (FSNamesystem.java:getDelegationToken(5611)) - <STRONG>trying to get DT with no secret manager running</STRONG></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Has anyone come across this issue before?&nbsp;</P> Mon, 14 Oct 2019 23:28:04 GMT https://community.cloudera.com/t5/Support-Questions/distcp-secure-to-insecure-cluster/m-p/280116#M208682 andrew_ryan1 2019-10-14T23:28:04Z https://community.cloudera.com/t5/Support-Questions/distcp-secure-to-insecure-cluster/m-p/280277#M208771 <P>The problem was iptables on the data nodes. Once these were flushed the following command worked a treat.</P><P>&nbsp;</P><LI-CODE lang="c">hadoop distcp -D ipc.client.fallback-to-simple-auth-allowed=true hdfs://active_namenode:8020/tmp/test.txt swebhdfs://active_namenode:50470/tmp/test.txt</LI-CODE><P>Apologies for my confusion.&nbsp;</P> Wed, 16 Oct 2019 04:05:19 GMT https://community.cloudera.com/t5/Support-Questions/distcp-secure-to-insecure-cluster/m-p/280277#M208771 andrew_ryan1 2019-10-16T04:05:19Z