Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Authentication failed in implementing AutoHDFS

Labels (2)
avatar
author-rank dbains author-rank
Expert Contributor

Created on ‎06-29-2017 07:31 AM

Problem:

While implementing Auto-Hdfs, following errors were thrown in Nimbus log:

Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://da0gdal202.match.corp:9393/kms/v1/?op=GETDELEGATIONTOKEN&doAs=gdsreader&renewer=hdfs-hdpprod..., status: 403, message: Forbidden
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:278)
at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:298)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:170)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$4.run(KMSClientProvider.java:1024)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$4.run(KMSClientProvider.java:1019)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)

Cause:

1. No symlink of Ranger KMS conf to core-site and hdfs-site

2. Missing 'kms.proxyuser.hdfs.groups' and 'hadoop.kms.proxyuser.hdfs.hosts' in Kms-site.xml

Solution:

1. Created symlink of ranger kms conf to core site and hdfs site

2. Added following properties in Kms-site.xml:

<property> 
<name>hadoop.kms.proxyuser.hdfs.groups</name> 
<value>*</value> 
</property> 

<property> 
<name>hadoop.kms.proxyuser.hdfs.hosts</name> 
<value>*</value> 
</property>
2,430 Views
Comments

Re: Authentication failed in implementing AutoHDFS

avatar
author-rank matt_andruff
Expert Contributor

Created on ‎01-31-2018 07:13 PM

Created symlink of ranger kms conf to core site and hdfs site is a vagues statement. Could you explain a little more... I know how to create a symlink, but I don't know what you mean by "Created symlink of ranger kms conf to core site and hdfs site"

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎06-29-2017 07:31 AM
Updated by:
Expert Contributor Expert Contributor
Contributors