Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kerberize cluster user not found Error while running yarn job

Kerberize cluster user not found Error while running yarn job

New Contributor

I have enabled kerberos for my cluster but retrieving user not found error while running yarn job.

The Cluster uses SSSD to authenticate against Active Directory for log in. but when I submit the job it removes the second of the user principal name for example. if my username is test@example.com it removes '@example.com' and yarn throws an error test user not found. however if I create this user locally on the cluster. my job works without any error.

does anyone know how can we instruct yarn to use UPN (user principal name) instead of username?

is it possible to pass username while submitting the job or any conf file where we can make such entries which always use test@example.com?

2 REPLIES 2

Re: Kerberize cluster user not found Error while running yarn job

Super Guru
@Vikas Kumar Paswan

Please check your auth to local rules. Here is a link that describes it. So you have created users ion Active directory with kerberos realm included. Right? Something you know better on how to setup your environment but I think you should not include Kerberos realm in your active directory user name.

https://hadoop.apache.org/docs/r2.5.2/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from...

Re: Kerberize cluster user not found Error while running yarn job

New Contributor

@mqureshi,

Thank you so much for your response on this issue. the users who are created in an active directory with login name 'test' and domain is example.com. however, SSSD uses complete UPN to get user authenticated in this environment. so if test user logs in on machine name 'Namenode'. it gets the following login prompt.

test@example.com@Namenode$

I was hoping if there is a way to keep entire user UPN while running the yarn job. I have enabled debug log. it retrieves KTG and Kerberos client is test@example.com. but as soon as it submit the application. it throws an error that 'test' user not found.

do you know if there is any variable where we can add suffix even if yarn job removing it?