Member since 01-22-2016 | 41 Posts | 10 Kudos Received | 4 Solutions

My Accepted Solutions

Title | Views | Posted |
---|---|---|
 | 1665 | 05-22-2017 04:03 PM |
 | 19585 | 09-26-2016 09:00 AM |
 | 4659 | 05-23-2016 09:11 PM |
 | 7492 | 05-23-2016 08:00 AM |

07-05-2016 04:10 PM
Yes. Thanks for the help anyways
07-05-2016 02:31 PM
Yes my mistake. The thing is I'm not entirely sure on the purpose of the /tmp/hue_krb5_ccache file - should there be a setting in the hue.ini file that defines this?
I created the file because Hue complained it did not exist in the "About Hue" page.

hue@edge:~$ klist /tmp/hue_krb5_ccache
klist: Bad format in credentials cache while setting cache flags (ticket cache FILE:/tmp/hue_krb5_ccache)

Do you know how much of an impact Ranger has on this? For example, I cannot see the Hue user in the Ranger UI. Thanks.
07-05-2016 09:02 AM
Thanks @Kuldeep Kulkarni, but I have already created this folder and given it 777 permissions just to be certainly sure. The same error messages still exist. On the About Hue page there is the failed to access filesystem root error appearing. The Hue.ini file is 100% correct, I have validated this many times.

Could you please elaborate on how Hue accesses the cluster using kerberos?

1. Proxy user configs are set to allow the Hue user to access the cluster on other user's behalf.
2. User logs into Hue however only Hue is required to be authenticated using kerberos because the proxy configs are set.
3. Once Hue is authenticated, it accesses the cluster as a proxy user but authorization is still applied on the user level.

Is HDFS ever required to be authenticated during this process? Also, is there anything I need to watch out for with Ranger? Thanks.
07-04-2016 04:36 PM
Hello, I have a KDC sitting on an existing Active Directory instance and have successfully installed kerberos in Hadoop and have been using this successfully with the command line. However, I cannot get it working with Hue. I have HA configured therefore have installed and configured Hadoop-HTTPFS. This is working via command line:

hue@edge:~$ kinit -kt /etc/security/keytabs/hue.service.keytab hue
hue@edge:~$ curl -i --negotiate -u : "http://edge:14000/webhdfs/v1/user/?op=LISTSTATUS"
HTTP/1.1 200 OK
......{"FileStatuses":{"FileStatus":[{"pathSuffix":"ambari-qa",...... etc

However when I log into Hue, I first see the "Cannot create home directory" error and then when I try to access the Filebrowser tab, this appears in the server logs:

[04/Jul/2016 08:45:32 -0700] middleware INFO Processing exception: Cannot access: /user/daleb. Note: you are a Hue admin but not a HDFS superuser, "hdfs" or part of HDFS supergroup, "hdfs".: Traceback (most recent call last):
File "/opt/hue/build/env/local/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/opt/hue/build/env/local/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner
return func(*args, **kwargs)
File "/opt/hue/apps/filebrowser/src/filebrowser/views.py", line 108, in index
return view(request, path)
File "/opt/hue/apps/filebrowser/src/filebrowser/views.py", line 186, in view
raise PopupException(msg , detail=e)
PopupException: Cannot access: /user/daleb. Note: you are a Hue admin but not a HDFS superuser, "hdfs" or part of HDFS supergroup, "hdfs".
[04/Jul/2016 08:45:32 -0700] webhdfs ERROR Failed to determine superuser of WebHdfs at http://edge:14000/webhdfs/v1/: Unable to authenticate <Response [401]>
Traceback (most recent call last):
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 149, in superuser
sb = self.stats('/')
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 236, in stats
res = self._stats(path)
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 230, in _stats
raise ex
WebHdfsException: Unable to authenticate <Response [401]>
[04/Jul/2016 08:45:32 -0700] kerberos_ ERROR handle_mutual_auth(): Mutual authentication failed
[04/Jul/2016 08:45:32 -0700] kerberos_ ERROR authenticate_server(): authGSSClientStep() failed:
Traceback (most recent call last):
File "/opt/hue/build/env/local/lib/python2.7/site-packages/requests_kerberos-0.6.1-py2.7.egg/requests_kerberos/kerberos_.py", line 229, in authenticate_server
_negotiate_value(response))
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Bad format in credentials cache', -1765328185))

I have the proxy user configurations set up. I have created the `hue_krb5_ccache` file but also notice this:

hue@edge:/tmp$ klist -k hue_krb5_ccache
Keytab name: FILE:hue_krb5_ccache
klist: Unsupported key table format version number while starting keytab scan
hue@edge:/tmp# kinit -f -c hue_krb5_ccache
klist: Bad format in credentials cache while setting cache flags (ticket cache FILE:/tmp/hue_krb5_ccache)

Does anyone have any suggestions? I've seen a few things regarding the kt_renewer but I'm not quite sure where that fits in with my architecture. Thanks.
Labels: Apache Hadoop, Cloudera Hue
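
An added example, not part of the original post or of Hue: a minimal reader for the header of an MIT Kerberos FILE: credentials cache (format versions 3 and 4) that reports why a file such as /tmp/hue_krb5_ccache is rejected as "Bad format" and, for a valid cache, which principal it holds. The sample bytes and the EXAMPLE.COM realm are constructed, and the function names are illustrative.

```python
import struct

class CcacheFormatError(ValueError):
    """The bytes are not a parsable MIT FILE: credentials cache."""

def read_data(buf, off):
    # A "data" field is a 32-bit big-endian length followed by that many bytes.
    if off + 4 > len(buf):
        raise CcacheFormatError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise CcacheFormatError("truncated data field")
    return buf[off:off + n], off + n

def inspect_ccache(buf):
    """Return (version, default_principal) for a version 3 or 4 ccache."""
    if not buf:
        raise CcacheFormatError("empty file: no ticket was ever written to it")
    if len(buf) < 2 or buf[0] != 5 or not 1 <= buf[1] <= 4:
        raise CcacheFormatError("bad magic %r" % buf[:2])
    version, off = buf[1], 2
    if version < 3:
        # 0x0501/0x0502 is also how a keytab starts; old ccaches use native byte order.
        raise CcacheFormatError("version %d: keytab or pre-v3 ccache, not handled" % version)
    if version == 4:
        # v4 adds a tagged header block (e.g. KDC time offset) that is skipped here.
        if off + 2 > len(buf):
            raise CcacheFormatError("truncated header length")
        (hdr_len,) = struct.unpack_from(">H", buf, off)
        off += 2 + hdr_len
    if off + 8 > len(buf):
        raise CcacheFormatError("truncated default principal")
    _name_type, count = struct.unpack_from(">II", buf, off)
    off += 8
    realm, off = read_data(buf, off)
    parts = []
    for _ in range(count):
        part, off = read_data(buf, off)
        parts.append(part.decode("utf-8", "replace"))
    return version, "/".join(parts) + "@" + realm.decode("utf-8", "replace")

def pack_data(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: v4 magic, 12-byte header (tag 1, length 8, zero time offset),
# then principal hue@EXAMPLE.COM (name type 1, one component). Not from the post.
SAMPLE_V4 = (b"\x05\x04" + struct.pack(">H", 12) + struct.pack(">HHII", 1, 8, 0, 0)
             + struct.pack(">II", 1, 1) + pack_data(b"EXAMPLE.COM") + pack_data(b"hue"))
```

Run it against the real file with `inspect_ccache(open(path, "rb").read())`; a file that was created by hand rather than written by `kinit` fails at the first or second check.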

06-09-2016 10:02 AM
Interesting, not come across this before. Try checking the permissions of the keyadmin user in Ranger UI? Does it have get permissions? Are you editing the Ranger KMS Ambari configs in this 1-2 day period?
06-08-2016 08:13 AM
See my answer above. But basically, be careful with what you change in Ambari. Once Ambari is saved and Ranger KMS is restarted, it will not always update the same configurations that appear in the Ranger UI. So double check all your configs in Ranger UI. Make sure your REPOSITORY_CONFIG_USERNAME=<principal>@AD.EXAMPLE in Ranger UI too. You're using kerberos and AD integration?
05-23-2016 09:11 PM
@Vipin Rathor If these parameters are changed then Ambari will not update the KMS service in Ranger UI! You have to go into the UI and update the username/password fields to that of your AD yourself!!

REPOSITORY_CONFIG_USERNAME = keyadmin@AD.HADOOP.PRIVATE
REPOSITORY_CONFIG_PASSWORD= password set in active directory for keyadmin user
05-23-2016 04:16 PM
Thanks for your response @Vipin Rathor, I have changed to those configurations now. But the same error appears in the Ranger UI and on the logs. Enabling debug logging doesn't actually produce anything else that is useful.
I have followed the Ranger KMS guide as much as possible. Could you confirm if the following configurations are correct please:

REPOSITORY_CONFIG_USERNAME = keyadmin@AD.HADOOP.PRIVATE
REPOSITORY_CONFIG_PASSWORD= password set in active directory for keyadmin user

Also, on the actual server that Ranger is hosted, if I ssh as keyadmin then the following appears:

root@dagobah:~# su keyadmin
kms@dagobah:~#

I have user sync set up with AD. The keyadmin username in AD is keyadmin not kms. Is this normal?
05-23-2016 11:30 AM | 2 Kudos
I have a kerberised cluster that uses AD. I have successfully installed Ranger and synced all users/groups specified. I am now working on using Ranger KMS but am running into some issues when I select the service in the Encryption tab.
When I select my cluster under "Select Service" the following error appears in a red pop up box:

Login failure for keyadmin@AD.HADOOP.PRIVATE using password ********

Here is the log output from xa_portal.log:

2016-05-23 12:02:08,290 [http-bio-6080-exec-2] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:64) - Request failed. SessionId=496, loginId=keyadmin, logMessage=Login failure for keyadmin@AD.HADOOP.PRIVATE using password ********
javax.ws.rs.WebApplicationException
2016-05-23 12:02:08,292 [http-bio-6080-exec-2] INFO org.apache.ranger.common.RESTErrorUtil (RESTErrorUtil.java:311) - Operation error. response=VXResponse={org.apache.ranger.view.VXResponse@279fbf8dstatusCode={1} msgDesc={Login failure for keyadmin@AD.HADOOP.PRIVATE using password ********} messageList={[VXMessage={org.apache.ranger.view.VXMessage@537d5281name={ERROR_SYSTEM} rbKey={xa.error.system} message={System Error. Please try later.} objectId={null} fieldName={null} }]} }
javax.ws.rs.WebApplicationException
Which configuration manages this credential? I have a user created in AD called `keyadmin` however this user is not listed in the Ranger UI Users tab with all the other users... should it be? What should the value of `hadoop.kms.authentication.kerberos.keytab` be? At the moment I have it set to /etc/security/keytabs/keyadmin.keytab. Thanks.
05-23-2016 08:00 AM | 1 Kudo
Simple solution.... On the Ranger UI in the HDFS repo configuration, the username was set to `rangerrepouser` when it should have been set to `rangerrepouser@AD.EXAMPLE`