Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

rest interface :Failed to find any Kerberos credentails

rest interface :Failed to find any Kerberos credentails

New Contributor

I can access hdfs by 'hadoop fs',but can't access it by rest interface

here is my test:

hadoop fs -ls /
Found 8 items
drwxrwxrwx   - yarn   hadoop          0 2015-12-17 17:22 /app-logs
drwxr-xr-x   - hdfs   hdfs            0 2015-12-15 18:44 /apps
drwxr-xr-x   - hdfs   hdfs            0 2015-12-14 13:26 /hdp
drwxr-xr-x   - mapred hdfs            0 2015-12-14 13:26 /mapred
drwxrwxrwx   - mapred hadoop          0 2015-12-14 13:26 /mr-history
drwxrwxrwx   - hdfs   hdfs            0 2015-12-31 15:02 /tmp
drwxr-xr-x   - hdfs   hdfs            0 2015-12-24 15:53 /tpch
drwxr-xr-x   - hdfs   hdfs            0 2016-01-04 14:33 /user
[root@spark2 ~]# curl --negotiate -u:   "spark2:50070/webhdfs/v1/?op=LISTSTATUS"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 403 GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /webhdfs/v1/. Reason:
<pre>    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
...
[root@spark2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@INFOPOWER.COM
Valid starting     Expires            Service principal
01/05/16 14:35:52  01/06/16 14:35:52  krbtgt/INFOPOWER.COM@INFOPOWER.COM
        renew until 01/05/16 14:35:52
01/05/16 14:36:31  01/06/16 14:35:52  HTTP/spark2.infopower.com@
        renew until 01/05/16 14:35:52
01/05/16 14:36:31  01/06/16 14:35:52  HTTP/spark2.infopower.com@INFOPOWER.COM
        renew until 01/05/16 14:35:52
9 REPLIES 9

Re: rest interface :Failed to find any Kerberos credentails

I think there is a whitespace missing between -u and the colon

Try:

curl --negotiate -u : "spark2:50070/webhdfs/v1/?op=LISTSTATUS"

Syntax:

curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

thank you for replying ,but it not work.

Re: rest interface :Failed to find any Kerberos credentails

Expert Contributor

Re: rest interface :Failed to find any Kerberos credentails

Mentor

@cp sven has this been resolved? Please accept best answer or provide your own solution.

Re: rest interface :Failed to find any Kerberos credentails

@cp sven

See this http://www.adaltas.com/blog/2013/09/25/webhdfs-security-kerberos-delegation-tokens/

The first uses Kerberos to send the request. CURL knows how to do this with the “–negotiate” option. Here’s an example:

kinit -kt /etc/security/keytabs/test.headless.keytab test

curl -s --negotiate -u : "http://nn:50070/webhdfs/v1/user/test?op=LISTSTATUS"

Re: rest interface :Failed to find any Kerberos credentails

Rising Star

@cp sven DId you ever find an answer to this? Having the same problem...

Re: rest interface :Failed to find any Kerberos credentails

Rising Star

@cp sven I ran into the same error message and it was because I wasn't using the Fully Qualified Domain Name.

On your namenode, to get the fully qualified domain name: hostname --fqdn

Then use commands @Jonas Straub has in his answer. For example:

curl --negotiate -u : "http://spark2.infopower.com:50070/webhdfs/v1/?op=LISTSTATUS"

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

@cp sven I ran into the same error message ,and resolve it

because the value of dfs.web.authentication.kerberos.principal in hdfs-site like HTTP/_HOST@xxxxxx

the _HOST is not the same as my hostname of namenode.

if your hostname of namenode is abc ,be sure that dfs.web.authentication.kerberos.principal is HTTP/abc@xxxxxx

On your namenode, to get the fully qualified domain name: hostname --fqdn

Re: rest interface :Failed to find any Kerberos credentails

New Contributor

Hadoop simplifies the deployment of configuration files by allowing the hostname component of the service principal to be specified as the _HOST wildcard. Each service instance will substitute _HOSTwith its own fully qualified hostname at runtime. This allows administrators to deploy the same set of configuration files on all nodes. However, the keytab files will be different.