Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Phoenix connection in kerberos cluster failing

avatar
author-rank aliyesami
Super Collaborator

Created ‎06-18-2018 03:43 PM

i do have a Kerberos ticket but i get error connecting to Phoenix.

We are using Ranger, does the admin have to give privileges via Ranger?

[kn857sa@dotstohdaut202 conf]$ sqlline.py dotstohdamn201:2181:/hbase-secure
Setting property: [incremental, false]
Setting property: [isolation, TRANSACTION_READ_COMMITTED]
issuing: !connect jdbc:phoenix:dotstohdamn201:2181:/hbase-secure none none org.apache.phoenix.jdbc.PhoenixDriver
Connecting to jdbc:phoenix:dotstohdamn201:2181:/hbase-secure
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.2.0-205/phoenix/phoenix-4.7.0.2.6.2.0-205-client.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.6.2.0-205/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
18/06/18 11:34:46 WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
18/06/18 11:34:47 WARN shortcircuit.DomainSocketFactory: The short-circuit local reads feature cannot be used because libhadoop cannot be loaded.
18/06/18 11:34:47 WARN ipc.AbstractRpcClient: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/06/18 11:34:47 FATAL ipc.AbstractRpcClient: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:611)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:156)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:737)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:734)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)

ticket 

[kn857sa@dotstohdaut202 conf]$ klist
Ticket cache: FILE:/tmp/krb5cc_1696202362
Default principal: kn857sa@xxxxxxxx.US
Valid starting       Expires              Service principal
06/18/2018 10:53:54  06/18/2018 20:53:54  krbtgt/xxxxxxx@xxxxxx.US
        renew until 06/25/2018 10:53:54
06/18/2018 10:53:54  06/18/2018 20:53:54  krbtgt/xxxxxxx@xxxxxx.US
        renew until 06/25/2018 10:53:54
[kn857sa@dotstohdaut202 conf]$
6,963 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank vmurakami
Guru

Created ‎06-18-2018 06:25 PM

Hey @Sami Ahmad!
So answering your questions, usually when you use kinit -kt command you're passing a keytab file, and when you don't use it -kt (only kinit), you will use a password authentication.
In all of my jobs when I had a kerberized environment, usually the sysadmin gave a keytab file to my user or service. It's a common practice, since most of the components in Hadoop works pretty well with keytabs instead of passphrases for principals in KRB.
In your case, if you don't have a keytab, the best approach would be to ask for the sysadmin to generate a keytab for you.

View solution in original post

6,681 Views
0 Kudos
11 REPLIES 11

avatar
author-rank aliyesami
Super Collaborator

Created ‎06-18-2018 05:56 PM

if i do "kinit " does it use a keytab file . .if yes which one ?

2,379 Views
0 Kudos

avatar
author-rank vmurakami
Guru

Created ‎06-18-2018 06:25 PM

Hey @Sami Ahmad!
So answering your questions, usually when you use kinit -kt command you're passing a keytab file, and when you don't use it -kt (only kinit), you will use a password authentication.
In all of my jobs when I had a kerberized environment, usually the sysadmin gave a keytab file to my user or service. It's a common practice, since most of the components in Hadoop works pretty well with keytabs instead of passphrases for principals in KRB.
In your case, if you don't have a keytab, the best approach would be to ask for the sysadmin to generate a keytab for you.

6,682 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements