Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

rest interface :Failed to find any Kerberos credentails

Highlighted

rest interface :Failed to find any Kerberos credentails

New Contributor

I can access hdfs by 'hadoop fs',but can't access it by rest interface

here is my test:

hadoop fs -ls /
Found 8 items
drwxrwxrwx   - yarn   hadoop          0 2015-12-17 17:22 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2015-12-15 18:44 /apps
drwxr-xr-x   - hdfs   hdfs            0 2015-12-14 13:26 /hdp
drwxr-xr-x   - mapred hdfs            0 2015-12-14 13:26 /mapred
drwxrwxrwx   - mapred hadoop          0 2015-12-14 13:26 /mr-history
drwxrwxrwx   - hdfs   hdfs            0 2015-12-31 15:02 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2015-12-24 15:53 /tpch
drwxr-xr-x   - hdfs   hdfs            0 2016-01-04 14:33 /user
[root@spark2 ~]# curl --negotiate -u:   "spark2:50070/webhdfs/v1/?op=LISTSTATUS"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 403 GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /webhdfs/v1/. Reason:
<pre>    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
...
[root@spark2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@INFOPOWER.COM
Valid starting     Expires            Service principal
01/05/16 14:35:52  01/06/16 14:35:52  krbtgt/INFOPOWER.COM@INFOPOWER.COM
        renew until 01/05/16 14:35:52
01/05/16 14:36:31  01/06/16 14:35:52  HTTP/spark2.infopower.com@
        renew until 01/05/16 14:35:52
01/05/16 14:36:31  01/06/16 14:35:52  HTTP/spark2.infopower.com@INFOPOWER.COM
        renew until 01/05/16 14:35:52
9 REPLIES 9

Re: rest interface :Failed to find any Kerberos credentails

I think there is a whitespace missing between -u and the colon

Try:

curl --negotiate -u : "spark2:50070/webhdfs/v1/?op=LISTSTATUS"

Syntax:

curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

thank you for replying ,but it not work.

Re: rest interface :Failed to find any Kerberos credentails

Expert Contributor

Re: rest interface :Failed to find any Kerberos credentails

Mentor

@cp sven has this been resolved? Please accept best answer or provide your own solution.

Re: rest interface :Failed to find any Kerberos credentails

@cp sven

See this http://www.adaltas.com/blog/2013/09/25/webhdfs-security-kerberos-delegation-tokens/

The first uses Kerberos to send the request. CURL knows how to do this with the “–negotiate” option. Here’s an example:

kinit -kt /etc/security/keytabs/test.headless.keytab test

curl -s --negotiate -u : "http://nn:50070/webhdfs/v1/user/test?op=LISTSTATUS"

Re: rest interface :Failed to find any Kerberos credentails

Rising Star

@cp sven DId you ever find an answer to this? Having the same problem...

Re: rest interface :Failed to find any Kerberos credentails

Rising Star

@cp sven I ran into the same error message and it was because I wasn't using the Fully Qualified Domain Name.

On your namenode, to get the fully qualified domain name: hostname --fqdn

Then use commands @Jonas Straub has in his answer. For example:

curl --negotiate -u : "http://spark2.infopower.com:50070/webhdfs/v1/?op=LISTSTATUS"

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

@cp sven I ran into the same error message ,and resolve it

because the value of dfs.web.authentication.kerberos.principal in hdfs-site like HTTP/_HOST@xxxxxx

the _HOST is not the same as my hostname of namenode.

if your hostname of namenode is abc ,be sure that dfs.web.authentication.kerberos.principal is HTTP/abc@xxxxxx

On your namenode, to get the fully qualified domain name: hostname --fqdn

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

Hadoop simplifies the deployment of configuration files by allowing the hostname component of the service principal to be specified as the _HOST wildcard. Each service instance will substitute _HOSTwith its own fully qualified hostname at runtime. This allows administrators to deploy the same set of configuration files on all nodes. However, the keytab files will be different.

Don't have an account?
Coming from Hortonworks? Activate your account here