Community Articles

Find and share helpful community-sourced technical articles.
Labels (2)
avatar
Expert Contributor

Problem:

While implementing Auto-Hdfs, following errors were thrown in Nimbus log:

Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, URL: https://da0gdal202.match.corp:9393/kms/v1/?op=GETDELEGATIONTOKEN&doAs=gdsreader&renewer=hdfs-hdpprod..., status: 403, message: Forbidden
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:278)
at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:212)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:132)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:216)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.doDelegationTokenOperation(DelegationTokenAuthenticator.java:298)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.getDelegationToken(DelegationTokenAuthenticator.java:170)
at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.getDelegationToken(DelegationTokenAuthenticatedURL.java:371)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$4.run(KMSClientProvider.java:1024)
at org.apache.hadoop.crypto.key.kms.KMSClientProvider$4.run(KMSClientProvider.java:1019)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)

Cause:

1. No symlink of Ranger KMS conf to core-site and hdfs-site

2. Missing 'kms.proxyuser.hdfs.groups' and 'hadoop.kms.proxyuser.hdfs.hosts' in Kms-site.xml

Solution:

1. Created symlink of ranger kms conf to core site and hdfs site

2. Added following properties in Kms-site.xml:

<property> 
<name>hadoop.kms.proxyuser.hdfs.groups</name> 
<value>*</value> 
</property> 

<property> 
<name>hadoop.kms.proxyuser.hdfs.hosts</name> 
<value>*</value> 
</property>
2,431 Views
Comments
avatar
Expert Contributor

Created symlink of ranger kms conf to core site and hdfs site is a vagues statement. Could you explain a little more... I know how to create a symlink, but I don't know what you mean by "Created symlink of ranger kms conf to core site and hdfs site"