Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

hbase kerberos authentication error with java

hbase kerberos authentication error with java

New Contributor

this problem bother me long time, please help me!

hbase cluster with kerberos works well.

my java code for anthentication as below

    static {
        System.setProperty("java.security.krb5.conf",DeviceChannelHbaseClient.class.getResource("/krb5.conf").getPath());
        
        UserGroupInformation.setConfiguration(HBASE_CONF);
       
        try {
        	
        	   URL keyTabUrl = DeviceChannelHbaseClient.class.getResource("/hbase-rw.keytab");
         	  if (keyTabUrl != null) {
         		  UserGroupInformation.loginUserFromKeytab("hbase-rw/hz@HZ.NETEASE.COM", DeviceChannelHbaseClient.class.getResource("/hbase-rw.keytab").getPath());
         	  }

        } catch (IOException e) {

              e.printStackTrace();

        }
    }

at the starting, everythings works,  but after a few days,  an exception accurs:

[WARN ]16:49:48,007, [Class]RpcClientImpl, Exception encountered while connecting to the server : java.lang.IllegalStateException: This ticket is
 no longer valid
[WARN ]16:49:48,007, [Class]UserGroupInformation, PriviledgedActionException as:hbase-rw/hz@HZ.CLOUD.COM (auth:KERBEROS) cause:java.io.IOExcept
ion: java.lang.IllegalStateException: This ticket is no longer valid
[WARN ]16:49:50,131, [Class]RpcClientImpl, Exception encountered while connecting to the server : java.lang.IllegalStateException: This ticket is
 no longer valid
[WARN ]16:49:50,131, [Class]UserGroupInformation, PriviledgedActionException as:hbase-rw/hz@HZ.CLOUD.COM (auth:KERBEROS) cause:java.io.IOExcept
ion: java.lang.IllegalStateException: This ticket is no longer valid
[WARN ]16:49:52,154, [Class]UserGroupInformation, PriviledgedActionException as:hbase-rw/hz@HZ.CLOUD.COM (auth:KERBEROS) cause:javax.security.s
asl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
[WARN ]16:49:52,154, [Class]RpcClientImpl, Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate
 failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
[FATAL]16:49:52,165, [Class]RpcClientImpl, SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find an
y Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
        at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:181)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:618)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:163)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:744)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:741)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1920)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:741)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:907)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:874)
        at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1243)
        at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
        at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
        at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.get(ClientProtos.java:34070)
        at org.apache.hadoop.hbase.protobuf.ProtobufUtil.getRowOrBefore(ProtobufUtil.java:1594)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.locateRegionInMeta(ConnectionManager.java:1398)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.locateRegion(ConnectionManager.java:1199)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.relocateRegion(ConnectionManager.java:1166)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.relocateRegion(ConnectionManager.java:1150)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.getRegionLocation(ConnectionManager.java:971)
        at org.apache.hadoop.hbase.client.HRegionLocator.getRegionLocation(HRegionLocator.java:83)
        at org.apache.hadoop.hbase.client.RegionServerCallable.prepare(RegionServerCallable.java:79)
        at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:134)
        at org.apache.hadoop.hbase.client.HTable.get(HTable.java:930)
        at org.apache.hadoop.hbase.client.HTable.exists(HTable.java:1436)
        at com.netease.yx.hbase.LMRegistUserHbase.exists(LMRegistUserHbase.java:270)
        at com.netease.yx.leave.motivate.LMLogConsumer$TestConsumeRunner.dealWebLeaveLog(LMLogConsumer.java:132)
        at com.netease.yx.leave.motivate.LMLogConsumer$TestConsumeRunner.run(LMLogConsumer.java:268)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
        at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
        at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.get(ClientProtos.java:34070)
        at org.apache.hadoop.hbase.protobuf.ProtobufUtil.getRowOrBefore(ProtobufUtil.java:1594)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.locateRegionInMeta(ConnectionManager.java:1398)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.locateRegion(ConnectionManager.java:1199)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.relocateRegion(ConnectionManager.java:1166)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.relocateRegion(ConnectionManager.java:1150)
        at org.apache.hadoop.hbase.client.ConnectionManager$HConnectionImplementation.getRegionLocation(ConnectionManager.java:971)
        at org.apache.hadoop.hbase.client.HRegionLocator.getRegionLocation(HRegionLocator.java:83)
        at org.apache.hadoop.hbase.client.RegionServerCallable.prepare(RegionServerCallable.java:79)
        at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:134)
        at org.apache.hadoop.hbase.client.HTable.get(HTable.java:930)
        at org.apache.hadoop.hbase.client.HTable.exists(HTable.java:1436)
        at com.netease.yx.hbase.LMRegistUserHbase.exists(LMRegistUserHbase.java:270)
        at com.netease.yx.leave.motivate.LMLogConsumer$TestConsumeRunner.dealWebLeaveLog(LMLogConsumer.java:132)
        at com.netease.yx.leave.motivate.LMLogConsumer$TestConsumeRunner.run(LMLogConsumer.java:268)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
        ... 32 more

why? please help me , thanks very much.

2 REPLIES 2

Re: hbase kerberos authentication error with java

Super Collaborator

Hello,

 

The ticket you acquire from the keytab has an expiry date and a max renewable date.

So, if you see that error after a few days, it might just be that (either the expiry date or the max renewable date).

 

You need to "handle" these cases.

 

regards,

Mathieu

Re: hbase kerberos authentication error with java

New Contributor

I think the keytab you used has expired.

 

Try to kinit a new keytab for your code, and issue should be solved