Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Accessing hdfs from secure to non-secure cluster (hadoop 2.7 or below)

Labels (1)
Labels:
avatar
nvadivelu author-rank
Cloudera Employee

Created on ‎04-12-2017 12:51 PM

In non kerberized cluster the user name that we provide will be used to resolve group name. User to Group mapping will be done based on the value configured in the property hadoop.security.group.mapping.

In kerberized cluster we will be passing kerberos principal instead of user name, now HDFS has to resolve the principle to a user name in order to perform User to Group mapping. This resolution of user name from kerberos principal is done based on the value configured in hadoop.security.auth_to_local.

The value for hadoop.security.auth_to_local will be configured properly in a kerberized cluster.

When the client is running in a kerberized cluster and trying to access non kerberized HDFS, kerberos principal is sent as username. When the username (kerberos principal in this case) is received by a non-secure NameNode, it tries to getShortName from the principal, when that happens, NameNode will try to apply the rules configured in hadoop.security.auth_to_local property.

Since the cluster is non-secure, the property hadoop.security.auth_to_local is not configured, so NameNode will try to apply DEFAULT rule. While applying DEFAULT rule, the realm from kerberos principal (username) is compared with the realm configured in krb5.conf file of non-secure cluster (if krb5.conf file is not present, then the value of default realm is empty string).

If the realm present in principal doesn't match with default realm, and there is no other rule to match, [java.lang.IllegalArgumentException: Illegal principal name xxxxxxx@EXAMPLE.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to xxxxxxx@EXAMPLE.COM] is thrown (this can be found in NameNode log)

This behavior is changed in HADOOP-12751 (hadoop 2.8), It doesn't throw NoMatchingRule exception anymore, instead NameNode logs "No auth_to_local rules applied to xxxxxxx@EXAMPLE.COM" and proceeds

In case of NoMatchingRule Exception in non-secure NameNode (when the username received is a kerberos principal), check krb5.conf file for default realm, if the file is not present, create a new file (default location is /etc/krb5.conf) and add the appropriate default realm in the file.

1,869 Views
webinar banner
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements
Version history
Last update:
‎04-12-2017 12:51 PM
Updated by:
Cloudera Employee
Contributors
meetups banner