Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

HUE HBase Kerberos Authentication failed

Labels:
avatar
author-rank frank93
Super Collaborator

Created ‎04-27-2017 11:21 AM

Hi guys,

When I try access HBase in HUE I got the following error:

Api Error: Unable to authenticate <Response [401]>

And in Thrift Server log:

2017-04-19 10:40:47,312 ERROR [1884538648@qtp-1493988307-4] thrift.ThriftHttpServlet: Kerberos Authentication failed
org.apache.hadoop.hbase.thrift.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:139)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:86)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:767)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:134)
        ... 16 more
Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Kerberos authentication failed:
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:190)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:144)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
        ... 17 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:178)
        ... 21 more
Caused by: KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:291)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:159)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        ... 24 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
        at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
        ... 30 more

hbase-site.xml:

hbase.thrift.security.qop = auth
hbase.thrift.keytab.file = /etc/security/keytabs/hbase.service.keytab
hbase.thrift.kerberos.principal = hbase/_HOST@<myrealm>

Test Thrift server as "hbase" user:

[$]hbase org.apache.hadoop.hbase.thrift.HttpDoAsClient <myhost> 9090 hbase true

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is hbase/<myhost>@<myrealm>
Commit Succeeded


Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is hbase/<myhost>@<myrealm>
Commit Succeeded


scanning tables...
Ticket is: Negotiate YIICcgYJKoZIhvcSAQICAQBuggJhMIICXaADAgEFoQMCAQ6iBwMFACAAAACjggFmYYIBYjCCAV6gAwIBBaEMGwpIQURPT1AuQ09NoiIwIKADAgEAoRkwFxsFaGJhc2UbDmhhZG9vcDEubG9jYWxko4IBIzCCAR+gAwIBEqEDAgEGooIBEQSCAQ0ZZ0Vi9KwMpyA65xvKOwm7bXFnTr4EXwWj7ikQ8U6HPh2RfHwO39T76vyBFzR0D3Oervgpr4jyKyT+o0NYylSKwDr4iPUpZPUeRzi5wWxgb4+bPDB/UwgYzZOMXtv4Ewx8KuSzafv8Nxc/3X32cOD2gXZ2l4DpVO4HcZDZ/7DOmQRAYzXclkIRuWfMyYxqnjx9ebqTph/18e1OrAeADnOYYORPtUHvKDydVVlEO5k0zp0LBdj68TOD40TzX+ED3K8yurXoU3UWuAg6/vGV+5s4T7J5R+7uMolhwjL4utxi95rCzbDgE6bVeOp92SiZUtGZKWcLze1F7SpFIvbSmkrFs94/Laey5+5c+yOY56SB3TCB2qADAgESooHSBIHPcgeIkkTSTYOxT7rZDtuXijHPf3h+j/p8lB6B07Saw4wwA82P6TPesozw0Tl/G4m/mabuyJgDHqHEyxu2/eG0tDD1V3eVs+x8y+EptcGI0wvCaSvK0S4Q8kZ30bRV7NFegtS1LlYbfbXD7zqrX1CByqr3s92DAzuc8CO6yRY18ZNs8aiP0BhVciVT2pwwTl86iA3ZJbW2JsGgnr1uif/0tqqI6yaZvoANVCAk/6LZXZm1LjJiS7BqCFRdWMIs2Ujl3NFzPnD446+s0r/rCxdn  found: ATLAS_ENTITY_AUDIT_EVENTS
  found: SESSIONS_SECONDARY
  found: atlas_titan
  found: demo_table

I have configured 2 KDCs master/slave and one-way trust to AD

@EDIT

I am obtaining "Authorization header received from the client is empty." now. HBase Thrift log:

2017-04-27 12:32:49,220 ERROR [1560162680@qtp-1865201235-5] thrift.ThriftHttpServlet: Failed to perform authentication
2017-04-27 12:32:49,220 ERROR [1560162680@qtp-1865201235-5] thrift.ThriftHttpServlet: Kerberos Authentication failed
org.apache.hadoop.hbase.thrift.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:139)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:86)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:767)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:134)
        ... 16 more
Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Authorization header received from the client is empty.
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.getAuthHeader(ThriftHttpServlet.java:212)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:176)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:144)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
        ... 17 more
2017-04-27 12:32:49,229 ERROR [1560162680@qtp-1865201235-5] thrift.ThriftHttpServlet: Failed to perform authentication
2017-04-27 12:32:49,229 ERROR [1560162680@qtp-1865201235-5] thrift.ThriftHttpServlet: Kerberos Authentication failed
org.apache.hadoop.hbase.thrift.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:139)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:86)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:401)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:767)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: java.lang.reflect.UndeclaredThrowableException
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1742)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet.doKerberosAuth(ThriftHttpServlet.java:134)
        ... 16 more
Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Kerberos authentication failed:
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:190)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:144)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1724)
        ... 17 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.hadoop.hbase.thrift.ThriftHttpServlet$HttpKerberosServerAction.run(ThriftHttpServlet.java:178)
        ... 21 more
Caused by: KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:291)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:159)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        ... 24 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
        at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
        ... 30 more

and Hue error.log:

[27/Apr/2017 12:49:20 +0200] views        ERROR    failed to parse input as json
Traceback (most recent call last):
  File "/home/hue/hue/hue/apps/hbase/src/hbase/views.py", line 55, in safe_json_load
    return json.loads(re.sub(r'(?:\")([0-9]+)(?:\")', r'\1', str(raw)))
  File "/usr/lib64/python2.6/json/__init__.py", line 307, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.6/json/decoder.py", line 319, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.6/json/decoder.py", line 338, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[27/Apr/2017 12:49:20 +0200] api          ERROR    failed to load the HBase clusters
Traceback (most recent call last):
  File "/home/hue/hue/hue/apps/hbase/src/hbase/api.py", line 64, in getClusters
    full_config = json.loads(conf.HBASE_CLUSTERS.get().replace("'", "\""))
  File "/usr/lib64/python2.6/json/__init__.py", line 307, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.6/json/decoder.py", line 319, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.6/json/decoder.py", line 338, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[27/Apr/2017 12:49:20 +0200] views        ERROR    failed to parse input as json
Traceback (most recent call last):
  File "/home/hue/hue/hue/apps/hbase/src/hbase/views.py", line 55, in safe_json_load
    return json.loads(re.sub(r'(?:\")([0-9]+)(?:\")', r'\1', str(raw)))
  File "/usr/lib64/python2.6/json/__init__.py", line 307, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.6/json/decoder.py", line 319, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.6/json/decoder.py", line 338, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[27/Apr/2017 12:49:20 +0200] views        ERROR    failed to parse input as json
Traceback (most recent call last):
  File "/home/hue/hue/hue/apps/hbase/src/hbase/views.py", line 55, in safe_json_load
    return json.loads(re.sub(r'(?:\")([0-9]+)(?:\")', r'\1', str(raw)))
  File "/usr/lib64/python2.6/json/__init__.py", line 307, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.6/json/decoder.py", line 319, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.6/json/decoder.py", line 338, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[27/Apr/2017 12:49:20 +0200] api          ERROR    failed to load the HBase clusters
Traceback (most recent call last):
  File "/home/hue/hue/hue/apps/hbase/src/hbase/api.py", line 64, in getClusters
    full_config = json.loads(conf.HBASE_CLUSTERS.get().replace("'", "\""))
  File "/usr/lib64/python2.6/json/__init__.py", line 307, in loads
    return _default_decoder.decode(s)
  File "/usr/lib64/python2.6/json/decoder.py", line 319, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib64/python2.6/json/decoder.py", line 338, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded
[27/Apr/2017 12:49:20 +0200] kerberos_    ERROR    authenticate_server(): Authenticate header:
[27/Apr/2017 12:49:20 +0200] kerberos_    ERROR    authenticate_server(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/home/hue/hue/hue/build/env/lib/python2.6/site-packages/requests_kerberos-0.6.1-py2.6.egg/requests_kerberos/kerberos_.py", line 229, in authenticate_server
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
[27/Apr/2017 12:49:20 +0200] kerberos_    ERROR    handle_mutual_auth(): Mutual authentication failed
[27/Apr/2017 12:49:20 +0200] thrift_util  ERROR    Thrift saw exception (this may be expected).
Traceback (most recent call last):
  File "/home/hue/hue/hue/desktop/core/src/desktop/lib/thrift_util.py", line 425, in wrapper
    ret = res(*args, **kwargs)
  File "/home/hue/hue/hue/apps/hbase/gen-py/hbased/Hbase.py", line 53, in decorate
    return func(*args, **kwargs)
  File "/home/hue/hue/hue/apps/hbase/gen-py/hbased/Hbase.py", line 832, in getTableNames
    self.send_getTableNames()
  File "/home/hue/hue/hue/apps/hbase/gen-py/hbased/Hbase.py", line 840, in send_getTableNames
    self._oprot.trans.flush()
  File "/home/hue/hue/hue/build/env/lib/python2.6/site-packages/thrift-0.9.1-py2.6-linux-x86_64.egg/thrift/transport/TTransport.py", line 170, in flush
    self.__trans.flush()
  File "/home/hue/hue/hue/desktop/core/src/desktop/lib/thrift_/http_client.py", line 84, in flush
    self._data = self._root.post('', data=data, headers=self._headers)
  File "/home/hue/hue/hue/desktop/core/src/desktop/lib/rest/resource.py", line 132, in post
    allow_redirects=allow_redirects, clear_cookies=clear_cookies)
  File "/home/hue/hue/hue/desktop/core/src/desktop/lib/rest/resource.py", line 81, in invoke
    clear_cookies=clear_cookies)
  File "/home/hue/hue/hue/desktop/core/src/desktop/lib/rest/http_client.py", line 173, in execute
    raise self._exc_class(ex)
RestException: Unable to authenticate <Response [401]>
10,377 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank frank93
Super Collaborator

Created ‎05-11-2017 09:59 AM

Finally solved. I changed hbase.thrift.kerberos.principal to "HTTP/_HOST@myrealm" and now it works. Thanks for help.

View solution in original post

7,458 Views
0 Kudos
7 REPLIES 7

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎04-27-2017 11:21 AM

@Edgar Daeds

Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)

Usually the above kind of error occurs when:

1. Either the password that you entered is wrong. So verify if the "kinit" is working fine from that host?

2. The keytab might be containing an older version of the keytab credentials in it and hence it cannot parse the information coming from the KDC, as it lacks the up to date credentials.

3. Kerberos is strict about hostnames so please check if you are using correct Hostnames/FQDN?

4. Are you using correct JDM (like JDP 😎 along with the "JCE extension package" ?

5. Can you please do a klist using "-kte" flags, Specially "e" to verify if it is using correct encryption

klist -kte /etc/security/keytabs/hbase.service.keytab
.
7,458 Views
0 Kudos

avatar
author-rank frank93
Super Collaborator

Created ‎04-27-2017 11:21 AM

@Jay SenSharma

Thank you for a quick answer. I can successfully connect to Thrift Server using shell command as "hbase" user:

[hbase@<myhost>]#hbase org.apache.hadoop.hbase.thrift.HttpDoAsClient <myhost> 9090 hbase true

So the "hbase" user is authenticated correctly. The problem is that HUE cannot access HBase Thrift. It seems like HUE is using different user than "hbase" to make connection. I am using HUE 3.11.

7,458 Views
0 Kudos

avatar
author-rank emaxwell author-rank
Guru

Created ‎04-27-2017 09:08 PM

@Edgar Daeds

Have you enabled HTTP auth (SPNEGO) for your cluster? If not, things like the Phoenix thin JDBC driver and Thrift servers will not be able to authenticate. Here's the docs on how to enable SPNEGO: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/ch_enable_spnego_auth_fo...

7,458 Views
0 Kudos

avatar
author-rank frank93
Super Collaborator

Created ‎04-28-2017 09:59 AM

@emaxwell

Thank you for your answer. I have enabled HTTP auth (SPNEGO), but the same problem still exists.

I have one more question after enabling SPNEGO - what is the username syntax / password for JobHistory, Oozie, YARN and other web applications? I can not log in using any of my kerberos principals (HTTP 403), but I can successfully log in (not providing credentials) using local firefox with X11 forwarding.

7,458 Views
0 Kudos

avatar
author-rank frank93
Super Collaborator

Created ‎05-11-2017 09:59 AM

Finally solved. I changed hbase.thrift.kerberos.principal to "HTTP/_HOST@myrealm" and now it works. Thanks for help.

7,459 Views
0 Kudos

avatar
author-rank dmmontague
Contributor

Created ‎05-22-2017 01:19 AM

Hi Edgar,

I'm having the same problem you had previously but even after entering HTTP/_HOST@myrealm it's still not working in a kerberos environment. Below are my settings:

hbase.thrift.support.proxyuser=true

hbase.thrift.security.qop=auth

hbase.thrift.keytab.file=/etc/security/keytabs/hbase.service.key

hbase.thrift.kerberos.principal=HTTP/_HOST@myrealm

hbase.regionserver.thrift.http=true

7,458 Views
0 Kudos

avatar
author-rank dmmontague
Contributor

Created ‎05-22-2017 01:28 AM

These are the errors in thrift server logs:

Caused by: org.apache.thrift.transport.TTransportException: Invalid status 80 at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232) at org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:184) at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125) at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41) at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216) ... 5 more

7,458 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements