Created 09-19-2018 05:49 PM
Hi,
I have the following setup:
HDP 2.6.5
Kerberos 5 version 1.15.1
NIFI - 1.7.1
I am trying to create a simple NIFI process to read files from my filesystem (using GetFile) & then copy these to HDFS (using PutHDFS). Getfile works fine & i can see all files on the queue. The issue i am experiencing is with the PutHDFS processor. It fails with the following error:
PutHDFS[id=e72a065a-0165-1000-cdd3-ecf4ad00849f] HDFS Configuration error - Login failure for user: xxxx@xxxx.COM from keytab /home/xxxx@xxxx.com/xxxx.keytab javax.security.auth.login.LoginException: KDC has no support for encryption type (14): org.apache.hadoop.security.KerberosAuthException: Login failure for user: xxxx@xxxxx from keytab /home/xxxxx@xxxx.com/xxxxx.keytab javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
Processor PutHDFS i have populated the following properties:
Hadoop Configuration Resources : /etc/hadoop/conf/core-site.xml,/etc/hadoop/conf/hdfs-site.xml,/etc/hadoop/conf/yarn-site.xml,/etc/hadoop/conf/mapred-site.xml
Kerberos Principal: xxxx.xxxx.com
Kerberos Keytab: /home/xxxx@xxxx.com/xxxxx.keytab
I have successfully tested the keytab file by performing a kinit & can create a ticket. Also i have updated the nifi.properties file:
nifi.kerberos.krb5.file=/etc/krb5.conf
The encryption method chosen for my keytab file is: (aes256-cts-hmac-sha1-96)
Any help would be appreciated.
Created 09-19-2018 06:59 PM
Encryption type 14 is aes256-cts-hmac-sha384-192. As far as I know, this is not an encryption type we typically see in a Hadoop cluster. Maybe post your krb5.conf file so we can see if you have any value set for the enctype properties (default_tgs_enctypes, default_tkt_enctypes, permitted_enctypes).
Also, how was the keytab file created? Are you using Ambari?
Finally, is the unlimited key JCE policy installed in the relevant JVM on all hosts?
Created 09-20-2018 01:14 PM
Thanks for the reply. I'm not an Hadoop Admin, so hopefully my responses are at the level you expect.
I've checked the krd5.conf file and there are no entries with the enctype properties you mentioned. I can't post since there is some server specific information in the file.
I created the keytab file using "ktutil" and within my add_entry command i only stated the following encryption "aes256-cts", however this seemed to create the following; aes256-cts-hmac-sha1-96
When i tried with the following supported encryption types (source: https://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html)
i) aes256-cts-hmac-sha384-192
ii) aes128-cts-hmac-sha256-128
I was then not able to create a ticket with KINIT.
I noticed when using the above on NIFI it gave me a different error basically stating it could not login with these credentials. Which is expected i guess since i could not login using KINIT
In terms of your final question: is the unlimited JCE policy installed - i do not know, how can I check? We do not have a dedicated Admin so i am currently playing dual roles at the moment.