Hello !
Sorry I was out during few months.
No need to have a cross-realm trust setup because it's just a single one direction.
Solution and it's now running :
[realms]
romulus = {
admin_server = <...>
kdc = <...>
}
remus = {
admin_server = <...>
kdc = <...>
}
[domain_realm]
<IP Name Node 1 romulus cluster> = romulus
<IP Name Node 2 romulus cluster> = romulus
<IP Name Node 1 remus cluster> = remus
<IP Name Node 2 remus cluster> = remus
Let me explain :
Nifi needs a default realm. the default realm is not used to communicate with project Hadoop cluster kerberised (romus and remulus).
To help Nifi you must maps the name node hostnames to Kerberos realms in the section domain_realm.
In this case, Nifi will try to use the default realm and the realm of the main kerberos defined in the HDFS processor of the project and will failed.
It was a little bit tricky 😉
Thanks for your anwser !
Waiting for several days to have an another Hadoop Cluster, it's now provided.
After some configuration and check, it's working with some trouble.
Let me explain my issue.
I have two Hadoop kerberized cluster : romulus and remus.
For each one, kerberos configuration wad added in the krb5.conf
Find an extract of this configuration :
[libdefaults]
default_realm = romulus
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 168h 0m 0s
renew_lifetime = 90d
forwardable = true
udp_preference_limit = 0
...
[realms]
romulus = {
admin_server = <...>
kdc = <...>
}
remus = {
admin_server = <...>
kdc = <...>
}
If I use the kinit client , it's working fine.
I configure two GetHDFS processor, each one with the core-site.xml and hdfs-site.xml for Hadoop Configuration Resources, the keytab and the principal associated.
Case one : default_realm is romulus and I start the GetHDFS processor romulus.
=> Ok nice, I get the hdfs file (you can see the flowfile in the queue)
Case two: default_realm is still romulus and I start the GetHDFS processor remus
=> KO :
Failed on local exception: java.io.IOException: Couldn't set up IO streams: java.lang.IllegalArgumentException: Server has invalid Kerberos principal: nn/<ip namenode active>@<ROMULUS>, expecting: nn/<ip namenode active>@<REMUS>
Nifi trying to connect using the default realm romulus :
Server has invalid Kerberos principal: nn/<ip namenode active>@<ROMULUS>
And with the correct realm remus :
expecting: nn/<ip namenode active>@<REMUS>
To sum up : Nifi working well with the default realm but have an issue with the other realms.
Is there a configuation I missed ?
Thanks
For sur !
For your information because I haven't written : if I switch the default realm under krb5.conf from romulus to remus, romulus not working and remus is ok. it's like Nifi, when the default realm it's not the same as the principal realm is lost and try to use an another realm.
Further more, remus and romulus are not the true name and I need to change path, server name, ip and other objets to share with you 😉
Remus :
Romulus :
Hello !
Sorry I was out during few months.
No need to have a cross-realm trust setup because it's just a single one direction.
Solution and it's now running :
[realms]
romulus = {
admin_server = <...>
kdc = <...>
}
remus = {
admin_server = <...>
kdc = <...>
}
[domain_realm]
<IP Name Node 1 romulus cluster> = romulus
<IP Name Node 2 romulus cluster> = romulus
<IP Name Node 1 remus cluster> = remus
<IP Name Node 2 remus cluster> = remus
Let me explain :
Nifi needs a default realm. the default realm is not used to communicate with project Hadoop cluster kerberised (romus and remulus).
To help Nifi you must maps the name node hostnames to Kerberos realms in the section domain_realm.
In this case, Nifi will try to use the default realm and the realm of the main kerberos defined in the HDFS processor of the project and will failed.
It was a little bit tricky 😉
