
Error with HDFS transparent encryption + kerberos enabled cluster

Hi, I am getting the following error while reading from an encrypted zone file on HDFS. We have followed every step to configure transparent encryption + Kerberos using the HDP 2.3 document.

Any idea what I could be missing here?

2016-05-02 14:27:20.852 <DTM-pool-2-thread-1> INFO: com.informatica.sdk.dtm.ExecutionException: [LDTM_0072] UNK_66008 File [/enczone_BDM/Dishes.tbl] could not be opened because of the following error: [java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at org.apache.hadoop.crypto.key.kms.KMSClientProvider.createConnection(KMSClientProvider.java:489)
    at org.apache.hadoop.crypto.key.kms.KMSClientProvider.decryptEncryptedKey(KMSClientProvider.java:776)
    at org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.decryptEncryptedKey(KeyProviderCryptoExtension.java:388)
    at org.apache.hadoop.hdfs.DFSClient.decryptEncryptedDataEncryptionKey(DFSClient.java:1395)
    at org.apache.hadoop.hdfs.DFSClient.createWrappedOutputStream(DFSClient.java:1497)
    at org.apache.hadoop.hdfs.DFSClient.createWrappedOutputStream(DFSClient.java:1482)
    at org.apache.hadoop.hdfs.DistributedFileSystem$7.doCall(DistributedFileSystem.java:451)
    at org.apache.hadoop.hdfs.DistributedFileSystem$7.doCall(DistributedFileSystem.java:444)
    at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
    at org.apache.hadoop.hdfs.DistributedFileSystem.create(DistributedFileSystem.java:444)
    at org.apache.hadoop.hdfs.DistributedFileSystem.create(DistributedFileSystem.java:387)
    at org.apache.hadoop.fs.FileSystem.create(FileSystem.java:909)
    at org.apache.hadoop.fs.FileSystem.create(FileSystem.java:890)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:332)
    at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
    at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:128)
    at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
    at org.apache.hadoop.security.token] at

The basic reason for this error is that login using the keytab may not be happening for the HTTP service principal user. But even that should be controlled via Hadoop code, not from the application.

Can someone help to troubleshoot whether it is a configuration issue or could be a bug from the application?

Re: Error with HDFS transparent encryption + kerberos enabled cluster

@Vishal Shah

When you see the error that there are no valid credentials, it means that you do not have a Kerberos ticket. You will need to run a "kinit" as the user you want to be in order to authenticate yourself.
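
The check the reply describes, as an added example that is not part of the original thread: confirm the process user has a valid TGT, fall back to a keytab login for a service account, then read a file in the encryption zone so the client has to authenticate to the KMS. The principal, keytab path and file path are placeholders supplied as arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: Kerberos pre-flight check before reading from an HDFS encryption zone.
# Usage (placeholder values): ./ez_preflight.sh svc_user@EXAMPLE.COM /path/to/svc.keytab /zone/file

# Succeeds only if the credential cache holds a valid, unexpired ticket.
have_tgt() {
    klist -s
}

# Non-interactive login for service accounts. $1 = principal, $2 = keytab.
login_from_keytab() {
    [ -r "$2" ] || { echo "keytab not readable: $2" >&2; return 2; }
    kinit -kt "$2" "$1"
}

# Prints "cached" if a ticket already exists, "keytab" if one had to be
# obtained; returns non-zero if no ticket could be acquired.
ensure_tgt() {
    if have_tgt; then
        echo "cached"
        return 0
    fi
    login_from_keytab "$1" "$2" || return $?
    have_tgt && echo "keytab"
}

# Reading a file inside an encryption zone makes the HDFS client ask the KMS
# to decrypt the file's encrypted data key; that call is the one failing in
# the stack trace (KMSClientProvider.decryptEncryptedKey).
check_ez_read() {
    hdfs dfs -cat "$1" > /dev/null
}

# Run only when all three arguments are given.
if [ $# -ge 3 ]; then
    how=$(ensure_tgt "$1" "$2") || { echo "no Kerberos TGT for $1" >&2; exit 1; }
    echo "TGT source: $how"
    check_ez_read "$3" && echo "encryption zone read OK: $3"
fi
```

The ticket has to be in the credential cache of the OS user that runs the client process; a `kinit` done in a different account's shell does not help that process.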