
ADLS not accessible in HDInsight after domain joining


Contributor

We are working with an HDInsight Spark cluster with ADLS as its primary storage. Now we need to join the HDInsight cluster to an AD domain for user authentication and make it enterprise ready.

We read that HDInsight only allows domain joining via Azure ADDS. Our on-prem enterprise AD domain domainA.com is already in sync with Azure AD using Azure AD Connect, and an ADDS instance was created in Azure for HDInsight with a custom domain, domainB.com, with password hash sync enabled for Kerberos.

We were able to join the cluster to the newly created ADDS domain domainB.com successfully, and all Hadoop services are running and in good health. We are able to log in to the cluster using on-prem AD credentials in domainA.com, as they are in sync with Azure AD.

But the issue is that we are able to access Hadoop services, including HDFS, Hive, etc., only when logged into the cluster as users created in the Azure ADDS domain domainB.com; the same access is not available for users in the enterprise AD domain domainA.com, even though they are synced to Azure AD.

So the issue is not due to ADLS store connectivity, because ADLS is accessible for users in the Azure AD / ADDS domain and not for enterprise AD users in the other domain.

When trying to access ADLS using any of the following:

hadoop fs -ls /
hdfs dfs -ls adl:///
hadoop fs -ls adl://home
hadoop fs -ls adl://datalakestorename.azuredatalake.net/

the error thrown is as follows:

ERROR: secure.AbstractCredentialServiceCaller: Token does not exist in Tokenmanager(Response code 404)
ls: Error fetching access token

Can this happen due to the difference between the two domains, Azure ADDS and on-prem AD? Do we need to configure anything like a cross-realm trust manually in this PaaS to make it work? We are totally stuck with this issue.

Please help ASAP if anyone has encountered similar issues.


Accepted Solution

Re: ADLS not accessible in HDInsight after domain joining

Contributor

Issue was resolved. No need to configure a cross-realm trust; rather, try logging in to the Ambari URL via a browser or via the API using curl. This will generate an OAuth token for the user, which will then be used for authentication to access ADLS. So a Kerberos token is needed for Hadoop authentication and an OAuth token is needed for ADLS authentication. Thus, each time you create an HDInsight cluster, ensure you create a token for the user to access ADLS via the Ambari API.
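The procedure in the accepted answer, written out as an added shell example (this is not code from the thread or from HDInsight itself): it runs the listing, recognises the Tokenmanager 404 signature quoted in the question, performs the Ambari REST login the answer describes, and re-checks. The Ambari URL pattern https://<cluster>.azurehdinsight.net/api/v1/clusters is the HDInsight default; the cluster name, the user name and the script file name are placeholders, and the script assumes the user already holds a Kerberos ticket (kinit done).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes an HDInsight cluster whose
# Ambari endpoint is https://<cluster>.azurehdinsight.net (the HDInsight default)
# and a user who already has a Kerberos ticket but no ADLS OAuth token yet.
# The cluster name and user name are placeholders supplied on the command line.

# Signature of the failure described in the thread (the Tokenmanager 404).
TOKEN_ERR='Token does not exist in Tokenmanager'

# needs_adls_token <hadoop error output>
# Returns 0 when the output shows the missing-OAuth-token error, 1 otherwise.
needs_adls_token() {
  printf '%s\n' "$1" | grep -q "$TOKEN_ERR"
}

# ambari_login <cluster> <user>
# One authenticated call to the Ambari REST API. Per the accepted answer this
# first login is what creates the user's ADLS OAuth token. With only a username
# given, curl prompts for the password, so it does not end up in argv or history.
# Prints the HTTP status code (200 expected).
ambari_login() {
  local cluster="$1" user="$2"
  curl -sS -u "$user" -o /dev/null -w '%{http_code}\n' \
    "https://${cluster}.azurehdinsight.net/api/v1/clusters"
}

# check_adls_access [adl URI]
# Exit codes: 0 = listing worked, 2 = Tokenmanager error (Ambari login needed),
# 1 = any other failure (printed unchanged to stderr).
check_adls_access() {
  local uri="${1:-adl:///}" out
  if out=$(hadoop fs -ls "$uri" 2>&1); then
    echo "ADLS access OK: $uri"
    return 0
  fi
  if needs_adls_token "$out"; then
    echo "No ADLS OAuth token for this user; log in to Ambari before $uri is readable" >&2
    return 2
  fi
  printf '%s\n' "$out" >&2
  return 1
}

# main <cluster> <user> [adl URI]
# Check once, trigger the Ambari login only if the token error is the cause,
# then check again as the same user.
main() {
  local cluster="$1" user="$2" uri="${3:-adl:///}" rc=0
  check_adls_access "$uri" || rc=$?
  if [ "$rc" -eq 2 ]; then
    echo "Ambari login as $user returned HTTP $(ambari_login "$cluster" "$user")"
    check_adls_access "$uri"
  else
    return "$rc"
  fi
}

# Usage (placeholder names): ./adls_token_check.sh mycluster alice@domainA.com adl:///
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as the affected domainA.com user, not as a cluster admin: the answer says the token is created for the user who logs in, so an admin's Ambari session does nothing for anyone else. The Ambari call uses HTTP basic authentication, so it must only ever go over the HTTPS endpoint, and the password is entered at curl's prompt rather than passed as user:password on the command line.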

Replies

Re: ADLS not accessible in HDInsight after domain joining

New Contributor

Hi,

Did you get any answer for this?

I am facing the same issue (ERROR: secure.AbstractCredentialServiceCaller: Token does not exist in Tokenmanager(Response code 404)).

I think it would be helpful if you could share the solution that you applied to solve this issue.

Thank you so much in advance.

Re: ADLS not accessible in HDInsight after domain joining

New Contributor

You can try logging into Ambari under the users experiencing the issues, then retry ADLS access and see if this resolves the access issues.
