
Forbidden to connect to oozie in CDH 5.3.2


Explorer

After the upgrade from 5.3.1 to 5.3.2, I am not able to connect to the Oozie server using the short host name (Kerberos is active).

$ oozie jobs -oozie http://catnn002:11000/oozie
Error: HTTP error code: 403 : Forbidden

In version 5.3.1 the command was running with no problem.

While requesting the same address with curl I got an HTML message: GSSException: No valid credentials provided

$ curl --negotiate -u : http://catnn002:11000/oozie/
<html><head><title>Apache Tomcat/6.0.41 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 403 - GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/6.0.41</h3></body></html>

 


Re: Forbidden to connect to oozie in CDH 5.3.2

Master Guru
Can you post the output of klist prior to running the command? Do you have
a valid credential in place already (i.e. does 'hadoop fs -ls /' work?)

Also, does the command work just right in the present state if you use the
FQDN? Kerberos auth is based on FQDN (SPNs carry it) so using short names
may not be generally recommended.
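
The FQDN point from the reply above, as an added example that is not part of the original thread: a shell pre-flight check that derives the HTTP service principal a SPNEGO client would request from the URL host and flags short names. The function names and the assumption that the client uses the URL host exactly as typed are illustrative; the sample klist text is constructed from the output posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a Kerberos/SPNEGO URL.
# Assumption: the client requests HTTP/<host-as-typed>@<realm of default principal>.

# Host part of an http(s) URL, lower-cased (IPv6 literals are not handled).
url_host() {
    h=${1#*://}      # drop scheme
    h=${h%%/*}       # drop path
    h=${h##*@}       # drop userinfo, if any
    printf '%s\n' "${h%%:*}" | tr '[:upper:]' '[:lower:]'
}

# Realm of the default principal in `klist` output.
klist_realm() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: .*@//p'
}

# Prints one verdict line: NO_TGT, SHORT_NAME <spn>, or FQDN <spn>.
check_url() {
    host=$(url_host "$1")
    realm=$(klist_realm "$2")
    if [ -z "$realm" ] || ! printf '%s\n' "$2" | grep -qF "krbtgt/$realm@$realm"; then
        echo "NO_TGT"
        return 0
    fi
    case $host in
        *.*) echo "FQDN HTTP/$host@$realm" ;;        # heuristic: a dot means qualified
        *)   echo "SHORT_NAME HTTP/$host@$realm" ;;  # SPNs carry the FQDN, so expect a mismatch
    esac
}

# Constructed sample input, modelled on the klist output posted in this thread.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1100
Default principal: catalyst@CATALYST.REALM.COM

Valid starting     Expires            Service principal
03/25/15 09:00:01  03/26/15 09:00:01  krbtgt/CATALYST.REALM.COM@CATALYST.REALM.COM'

for u in http://catnn002:11000/oozie http://catnn002.hosts.net:11000/oozie; do
    printf '%s -> %s\n' "$u" "$(check_url "$u" "$SAMPLE_KLIST")"
done
```

On a live host, pass "$(klist)" instead of the sample text; a SHORT_NAME verdict means the request is likely to fail the way the 403 in the question did.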


Re: Forbidden to connect to oozie in CDH 5.3.2

Explorer

Yes, of course, klist displays an active principal:

Ticket cache: FILE:/tmp/krb5cc_1100
Default principal: catalyst@CATALYST.REALM.COM

Valid starting     Expires            Service principal
03/25/15 09:00:01  03/26/15 09:00:01  krbtgt/CATALYST.REALM.COM@CATALYST.REALM.COM
        renew until 04/01/15 10:00:01

hadoop fs -ls works as well.

As I said, after the minor upgrade from 5.3.1 to 5.3.2 the command stopped working.

Just now, I successfully executed the command with the full hostname:

$ oozie jobs -oozie http://catnn002.hosts.net:11000/oozie
Job ID                                   App Name     Status    User      Group     Started                 Ended
------------------------------------------------------------------------------------------------------------------------------------
0000365-150324073158862-oozie-oozi-W .....

 

What is more, the problem is in all HTTP (or Tomcat) based services (I have raised a report for SolrCloud as well).

Re: Forbidden to connect to oozie in CDH 5.3.2

New Contributor
Were you able to execute the command without the full hostname? If yes, what changes did you make?

Re: Forbidden to connect to oozie in CDH 5.3.2

Expert Contributor

Hello @diganto,

I am not sure of the reasoning behind not using the full hostname. But this is purely based on logic, and I don't have an environment to test it. You may try to put an entry in /etc/hosts on the host from where you trigger the command and then try to use just the hostname.
