Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Kerberos Ticket issue when using cache type DIR

Labels:
avatar
author-rank swathi_desai6
New Contributor

Created ‎05-07-2019 03:27 PM

Hi All,

We came across a requirement to maintain kerberos ticket for 2 different realms on a single node, at the same time.

We found that Kerberos supports collection cache types, as on v1.12. We implemented DIR cache type, upon which we are able to generate and maintain tickets for 2 realms at the same time. Klist -A successfully lists both the tickets.

However, none of the Hadoop clients (hdfs,beeline) are able to find tickets from the DIR cache directory.

Below is the [libdefaults] cache name config from krb5.conf,

default_ccache_name = DIR:/tmp/tickets

Along with this, we are also setting KRB5CCNAME, KRB5RCACHEDIR, although it shouldn't matter when we already have the same setting in krb5.conf.

The hadoop clients throw the below error,

javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

Upon some investigation found that Java Kerberos implementation specifically looks for FILE: type cache, and hadoop is dependent on it.

However, I am interested to know if there is any workaround to force them to use collection cache types (DIR/API/KEYRING).

2,067 Views
1
3 REPLIES 3

avatar
ask_bill_brooks author-rank
Moderator

Created ‎05-07-2019 03:29 PM

This question was previously posted to the Solutions track. Upon further review, the moderators moved it to the Security track Tue May 7 08:28 PDT 2019.

Bill Brooks, Community Moderator
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
1,922 Views
0 Kudos

avatar
author-rank JCoyotzi
New Contributor

Created ‎01-10-2020 02:53 PM

I am facing the same issue.

Have a DIR type cache and none of the clients work neither beeline nor hdfs.

Using a FILE type and switching works fine. good enough for manual stuff but rather awkward if i wanted to automate anything

1,860 Views
0 Kudos

avatar
author-rank xofxof
New Contributor

Created ‎11-13-2022 01:14 PM

Hello everybody,

Sorry in advance, I I restart the conversation ...

How can "hdfs dfs" be able to use two kerberos realms and whose cache mode is set to DIR: and not FILE: (set by default) please ?

Thank you very much !

874 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements