Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Can not run hdfs command with user "hdfs" ?

Can not run hdfs command with user "hdfs" ?

Expert Contributor

I switch to user hdfs, and run command: hadoop fs -ls /

But still get the following error:

16/03/16 06:50:30 WARN ipc.Client: Exception encountered while connecting to the server :
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:413)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:558)
at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:373)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:727)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:723)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:722)
at org.apache.hadoop.ipc.Client$Connection.access$2800(Client.java:373)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1493)
at org.apache.hadoop.ipc.Client.call(Client.java:1397)
at org.apache.hadoop.ipc.Client.call(Client.java:1358)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:229)
at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source)

Actually I see I have the ticket, here's the output of klist

Ticket cache: FILE:/tmp/krb5cc_507
Default principal: hdfs-Sandbox@EXAMPLE.COM
Valid starting     Expires            Service principal
03/16/16 04:57:20  03/17/16 04:57:20  krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/16/16 04:57:20
03/16/16 04:57:20  03/17/16 04:57:20  HTTP/sandbox.hortonworks.com@
renew until 03/16/16 04:57:20
03/16/16 04:57:20  03/17/16 04:57:20  HTTP/sandbox.hortonworks.com@EXAMPLE.COM
renew until 03/16/16 04:57:20
3 REPLIES 3

Re: Can not run hdfs command with user "hdfs" ?

@jzhang

Try this as hdfs user

kdestroy

klist -kte /etc/security/keytabs/hdfs.headless.keytab

/usr/bin/kinit -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs/sandbox.hortonworks.com@EXAMPLE.COM

Re: Can not run hdfs command with user "hdfs" ?

Expert Contributor

Got the following error:

kinit: Keytab contains no suitable keys for hdfs/sandbox.hortonworks.com@EXAMPLE.COM while getting initial credentials

Highlighted

Re: Can not run hdfs command with user "hdfs" ?

Headless keytabs dont have a hostname.

Try

klist -k /etc/security/keytabs/hdfs.headless.keytab

This will show you what principals are available in this keytab file. I think for the sandbox the principal is hdfs-sandbox@EXAMPLE.COM

Copy the principal name and do

kinit -kt /etc/security/keytabs/hdfs.headless.keytab <principal name including realm>

Afterwards do klist and see whether you have a new ticket.

Also check the Namenode log and make sure there are no GSS exceptions in there. What Sandbox, JDK and HDP version is this?

Don't have an account?
Coming from Hortonworks? Activate your account here