Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

Phoenix connection in kerberos cluster failing

avatar
author-rank aliyesami
Super Collaborator

Created ‎06-18-2018 03:43 PM

i do have a Kerberos ticket but i get error connecting to Phoenix.

We are using Ranger, does the admin have to give privileges via Ranger?

[kn857sa@dotstohdaut202 conf]$ sqlline.py dotstohdamn201:2181:/hbase-secure
Setting property: [incremental, false]
Setting property: [isolation, TRANSACTION_READ_COMMITTED]
issuing: !connect jdbc:phoenix:dotstohdamn201:2181:/hbase-secure none none org.apache.phoenix.jdbc.PhoenixDriver
Connecting to jdbc:phoenix:dotstohdamn201:2181:/hbase-secure
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.2.0-205/phoenix/phoenix-4.7.0.2.6.2.0-205-client.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.2.0-205/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
18/06/18 11:34:46 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
18/06/18 11:34:47 WARN shortcircuit.DomainSocketFactory: The short-circuit local reads feature cannot be used because libhadoop cannot be loaded.
18/06/18 11:34:47 WARN ipc.AbstractRpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/06/18 11:34:47 FATAL ipc.AbstractRpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)

ticket 

[kn857sa@dotstohdaut202 conf]$ klist
Ticket cache: FILE:/tmp/krb5cc_1696202362
Default principal: kn857sa@xxxxxxxx.US
Valid starting       Expires              Service principal
06/18/2018 10:53:54  06/18/2018 20:53:54  krbtgt/xxxxxxx@xxxxxx.US
        renew until 06/25/2018 10:53:54
06/18/2018 10:53:54  06/18/2018 20:53:54  krbtgt/xxxxxxx@xxxxxx.US
        renew until 06/25/2018 10:53:54
[kn857sa@dotstohdaut202 conf]$
9,955 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank vmurakami
Guru

Created ‎06-18-2018 06:25 PM

Hey @Sami Ahmad!
So answering your questions, usually when you use kinit -kt command you're passing a keytab file, and when you don't use it -kt (only kinit), you will use a password authentication.
In all of my jobs when I had a kerberized environment, usually the sysadmin gave a keytab file to my user or service. It's a common practice, since most of the components in Hadoop works pretty well with keytabs instead of passphrases for principals in KRB.
In your case, if you don't have a keytab, the best approach would be to ask for the sysadmin to generate a keytab for you.

View solution in original post

9,673 Views
0 Kudos
11 REPLIES 11

avatar
author-rank aliyesami
Super Collaborator

Created ‎06-18-2018 05:56 PM

if i do "kinit " does it use a keytab file . .if yes which one ?

3,015 Views
0 Kudos

avatar
author-rank vmurakami
Guru

Created ‎06-18-2018 06:25 PM

Hey @Sami Ahmad!
So answering your questions, usually when you use kinit -kt command you're passing a keytab file, and when you don't use it -kt (only kinit), you will use a password authentication.
In all of my jobs when I had a kerberized environment, usually the sysadmin gave a keytab file to my user or service. It's a common practice, since most of the components in Hadoop works pretty well with keytabs instead of passphrases for principals in KRB.
In your case, if you don't have a keytab, the best approach would be to ask for the sysadmin to generate a keytab for you.

9,674 Views
0 Kudos
Announcements
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
What's New @ Cloudera
Announcing Cloudera Streaming Analytics Operator for Kuberne...
View More Announcements