Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

metron start failed

Highlighted

metron start failed

Explorer

I disabled kerberos and installed metron with ambari, but ambari showed:

3137 [main] INFO o.a.s.f.Flux - Running remotely... 3138 [main] INFO o.a.s.f.Flux - Deploying topology in an ACTIVE state... 3156 [main] INFO o.a.s.StormSubmitter - Generated ZooKeeper secret payload for MD5-digest: -8204121732888936297:-4718837925061130180 3241 [main] WARN o.a.s.s.a.k.ClientCallbackHandler - Could not login: the client is being asked for a password, but the client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. 3243 [main] ERROR o.a.s.s.a.k.KerberosSaslTransportPlugin - Server failed to login in principal:javax.security.auth.login.LoginException: No password provided javax.security.auth.login.LoginException: No password provided at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919) ~[?:1.8.0_151] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_151] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_151] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151] at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_151] at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_151] at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_151] at org.apache.storm.messaging.netty.Login.login(Login.java:299) ~[storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235] at org.apache.storm.messaging.netty.Login.<init>(Login.java:96) ~[storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235] at org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:108) [storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235]

Who can help me ?

11 REPLIES 11
Highlighted

Re: metron start failed

Mentor

@Wang Ao

Despite disabling Kerberos the errors clearly shows your metron to startup needs a keytab specified in the client_jaas.conf.

Could you give a reason why you disabled Kerberos? Are other components starting up correctly?

Highlighted

Re: metron start failed

Explorer

Other components started up correctly except for metron, I just want to test if I can start metron without kerberos, because kerberos is not that important to me and it's a bit of a problem.

Highlighted

Re: metron start failed

Mentor

@Wang Ao

Unfortunately, there is no half method you can't install a non-kerberized component on a kerberized cluster and expect it to work because the cluster security can be compromised through that loophole.

What's the problem or biggest issue with having kerberos enabled for Metron?

Your workaround is to go to Ambari UI-->Admin-->Stacks & Versions-->Enable Kerberos---> Generate the missing keytabs

this will generate the keytabs for Metron and It should start normally thereafter

Highlighted

Re: metron start failed

Explorer

OK,thank you very much

Highlighted

Re: metron start failed

Explorer

But when I enabled kerberos, the storm ui can not access, and I have tried to kinit the principal and keytab, it doesn't work.

Highlighted

Re: metron start failed

Mentor

@Wang Ao

Can you paste the contents of your /etc/storm/conf/clientjaas.conf

Highlighted

Re: metron start failed

Explorer

Ok:

StormClient{ com.sun.security.auth.module.Krb5LoginModulerequireduseTicketCache=truerenewTicket=trueserviceName="nimbus"; };KafkaClient{ com.sun.security.auth.module.Krb5LoginModulerequireduseTicketCache=truerenewTicket=trueserviceName="kafka"; };

Highlighted

Re: metron start failed

Mentor

@Wang Ao

I don't see the keytab it should look like this example below

StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="nimbus";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/metron.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="metron@EXAMPLE.COM";
};
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/metron.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="metron@EXAMPLE.COM";
};

Make sure that the values map to your actual config.

Highlighted

Re: metron start failed

Explorer

Hello , I founf that there was a storm_jaas.conf at the same folder:

StormServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="nimbus/am3.ics.com@ICS.COM";
};
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm-ics_bigdata@ICS.COM";
};
RegistryClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   principal="storm-ics_bigdata@ICS.COM";
};
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/nimbus.service.keytab"
    principal="nimbus/am3.ics.com@ICS.COM"
    storeKey=true
    useTicketCache=false;
};
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="storm-ics_bigdata@ICS.COM";
};
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="kafka"
   principal="storm-ics_bigdata@ICS.COM";
};
Is there any problem?
Don't have an account?
Coming from Hortonworks? Activate your account here