Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Expert Contributor

Hi,

 

I want to execute simple word count example .I have made a java code with name MRV1_1.jar and given i/o file names but it gives me an error .

I am using CDH5.2 on RHEL 6.3.

Kerberos is enabled,i am impersonating hdfs on my username.

I did klist and kinit and it gave me following:-

 

[tsingh12@itsusmpl00512:/root]#
#-> kinit hdfs
Password for hdfs@CDH5.XXX.XXX:
[tsingh12@itsusmpl00512:/root]#

 

#-> klist
Ticket cache: FILE:/tmp/krb5cc_38157
Default principal: hdfs@CDH5.XXX.COM

Valid starting Expires Service principal
12/22/14 17:06:00 12/23/14 17:06:00 krbtgt/CDH5.XXX.COM@CDH5.XXX.COM
renew until 12/29/14 17:06:00
[tsingh12@itsusmpl00512:/root]#

 

But when i run a job it says invalid principal.

 

#-> hadoop jar MRV_1_1.jar /user/tsingh12/Count.txt /user/tsingh12/output/Count
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: failure to login
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:660)
at org.apache.hadoop.mapred.FileInputFormat.setInputPaths(FileInputFormat.java:436)
at com.jnj.runJob.WordCount.main(WordCount.java:44)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.io.IOException: failure to login
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:782)
at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)
at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:169)
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:656)
... 7 more
Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name hdfs@CDH5.XXX.XXX
at org.apache.hadoop.security.User.<init>(User.java:50)
at org.apache.hadoop.security.User.<init>(User.java:43)
at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:576)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:757)
at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:734)
at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:607)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2753)
at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2745)
at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2611)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:370)
at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:169)
at org.apache.hadoop.mapred.JobConf.getWorkingDirectory(JobConf.java:656)
at org.apache.hadoop.mapred.FileInputFormat.setInputPaths(FileInputFormat.java:436)
at com.jnj.runJob.WordCount.main(WordCount.java:44)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hdfs@CDH5.XXX.XXX
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
at org.apache.hadoop.security.User.<init>(User.java:48)
... 28 more

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:576)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:757)
... 15 more

 

Any suggestions what could be wrong?

2 REPLIES 2

Re: Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Expert Contributor

apparently hdfs does not allow to run MR jobs but another user chdfs which is an admin user and has its own principal in kdc allows to run the same command after doing kinit chdfs and providing with the password after it prompts for the password .

 

What if i want to use my username to execute MR job by using chdfs impersonation rather than making my own principle?

 

If i do like that it gives me the same error as above saying no ticket found.

 

Am i doing correct or am i missing any step?

Re: Kerberos ticket error:No rules applied to hdfs@CDH5.XXX.XXX

Rising Star

Hi,

i am getting the same problem . whatever you said is correct that you need a user in kdc to run a job .

my questions are  

1-   cant it be a LDAP user and authenticate with kerberos and get ticket or it should be a local kdc user ?

2- with LDAP i can login to cluster and create file but when i am doing same thing through an ETL tool ( job) its giving same error .Illigal principal.why two different behaviour ?

 

 

Don't have an account?
Coming from Hortonworks? Activate your account here