Reply
Expert Contributor
Posts: 93
Registered: ‎09-17-2014

Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Hi,

 

I want to execute simple word count example .I have made a java code with name MRV1_1.jar and given i/o file names but it gives me an error .

I am using CDH5.2 on RHEL 6.3.

Kerberos is enabled,i am impersonating hdfs on my username.

I did klist and kinit and it gave me following:-

 

[tsingh12@itsusmpl00512:/root]#
#-> kinit hdfs
Password for hdfs@CDH5.XXX.XXX:
[tsingh12@itsusmpl00512:/root]#

 

#-> klist
Ticket cache: FILE:/tmp/krb5cc_38157
Default principal: hdfs@CDH5.XXX.COM

Valid starting Expires Service principal
12/22/14 17:06:00 12/23/14 17:06:00 krbtgt/CDH5.XXX.COM@CDH5.XXX.COM
renew until 12/29/14 17:06:00
[tsingh12@itsusmpl00512:/root]#

 

But when i run a job it says invalid principal.

 

#-> hadoop jar MRV_1_1.jar /user/tsingh12/Count.txt /user/tsingh12/output/Count
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: failure to login
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:660)
at org.apache.hadoop.mapred.FileInputFormat.setInputPaths(FileInputFormat.java:436)
at com.jnj.runJob.WordCount.main(WordCount.java:44)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.io.IOException: failure to login
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:782)
at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)
at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:169)
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:656)
... 7 more
Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name hdfs@CDH5.XXX.XXX
at org.apache.hadoop.security.User.<init>(User.java:50)
at org.apache.hadoop.security.User.<init>(User.java:43)
at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:576)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:757)
at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)
at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:169)
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:656)
at org.apache.hadoop.mapred.FileInputFormat.setInputPaths(FileInputFormat.java:436)
at com.jnj.runJob.WordCount.main(WordCount.java:44)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hdfs@CDH5.XXX.XXX
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.User.<init>(User.java:48)
... 28 more

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:576)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:757)
... 15 more

 

Any suggestions what could be wrong?

Expert Contributor
Posts: 93
Registered: ‎09-17-2014

Re: Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

apparently hdfs does not allow to run MR jobs but another user chdfs which is an admin user and has its own principal in kdc allows to run the same command after doing kinit chdfs and providing with the password after it prompts for the password .

 

What if i want to use my username to execute MR job by using chdfs impersonation rather than making my own principle?

 

If i do like that it gives me the same error as above saying no ticket found.

 

Am i doing correct or am i missing any step?

Expert Contributor
Posts: 113
Registered: ‎02-15-2016

Re: Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Hi,

i am getting the same problem . whatever you said is correct that you need a user in kdc to run a job .

my questions are  

1-   cant it be a LDAP user and authenticate with kerberos and get ticket or it should be a local kdc user ?

2- with LDAP i can login to cluster and create file but when i am doing same thing through an ETL tool ( job) its giving same error .Illigal principal.why two different behaviour ?