Does hdfs user need to issue kinit?

Contributor

We have a few commands which use the HDFSFindtool and are being initiated from the crontab of the hdfs user. There is also another crontab entry to execute 'hdfs dfs -ls' from the hdfs user's crontab. These are working without any issues. We do not issue a kinit command before running them from the crontab.

However, recently, when we set up a shell script which issues the 'hdfs dfs -du' command from the hdfs user's crontab, it started throwing out the below GSS initiate failure error:

"WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]"

Does the hdfs user have to issue a kinit command before running the script? In that case, why are the other commands working fine without that?

1 ACCEPTED SOLUTION

Champion
Presumably, Kerberos is enabled or you wouldn't be getting this error at all.

All users must have a valid ticket from a KDC. This typically means running kinit prior to running any commands or jobs. You can also get a ticket using a keytab file, which is just a stored version of the user's password.

The ticket is stored in the ticket cache on the system. By default it is /tmp/krb5cc_<userid>. The client will check here first for a ticket. I would venture that some other process is getting a ticket and storing it in the ticket cache and the other processes are able to use it. This is likely since you are using the 'hdfs' account that the HDFS processes are running under.

I strongly encourage you to not operate in this fashion. Instead of using the 'hdfs' account, update the Superuser Group setting in CM to include a group that you wish to have HDFS superuser access, which I assumed is why you are using 'hdfs' in the first place.

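
A cron wrapper along the lines of the answer above, as an added example that is not part of the original thread: it gets its own ticket from a keytab into a job-specific cache instead of depending on whatever another process left in /tmp/krb5cc_<userid>. It assumes MIT Kerberos `klist` and `kinit`; the keytab path, the principal and the `_cron` cache suffix are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper that obtains its own Kerberos ticket before
# running an HDFS command, so the job does not rely on another process
# having filled the shared cache /tmp/krb5cc_<userid>.
# KEYTAB and PRINCIPAL are placeholders (assumptions), not values from the post.
KEYTAB="${KEYTAB:-/path/to/report.keytab}"
PRINCIPAL="${PRINCIPAL:-report@EXAMPLE.COM}"

# Default ticket cache the client checks first: /tmp/krb5cc_<userid>.
default_ccache() {
    printf '/tmp/krb5cc_%s\n' "$(id -u)"
}

# Cache used only by this job (hypothetical naming scheme).
job_ccache() {
    printf '%s_cron\n' "$(default_ccache)"
}

# Point Kerberos clients at cache file $1 and make sure it holds a valid
# ticket. Returns 0 if one is already there or kinit succeeds, 1 otherwise.
ensure_ticket() {
    KRB5CCNAME="FILE:$1"
    export KRB5CCNAME
    # MIT klist -s prints nothing; non-zero exit means missing or expired.
    if klist -s; then
        return 0
    fi
    # -k -t: authenticate with the key in the keytab instead of a password.
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
}

# Usage from crontab: wrapper.sh hdfs dfs -du /some/path
if [ "$#" -gt 0 ]; then
    if ! ensure_ticket "$(job_ccache)"; then
        echo "no Kerberos ticket for $PRINCIPAL (keytab: $KEYTAB)" >&2
        exit 1
    fi
    exec "$@"
fi
```

The keytab should be readable only by the account that runs the job, since anyone who can read it can obtain tickets as that principal.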