Member since
01-27-2024
4
Posts
2
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
1026 | 02-02-2024 04:44 AM |
02-05-2024
10:06 PM
Most likely, there was a synchronization error. Where are users with groups stored - in Active Directory? It is advisable to provide a fragment of the log and settings related to the synchronization of users and groups in ranger-ugsync-site.xml which version of Apache Ranger is used?
... View more
02-02-2024
04:44 AM
1 Kudo
the problem was in trust - the password was incorrectly set in the MIT KDC when creating the trust
... View more
01-29-2024
03:26 AM
1 Kudo
traffic analysis shows an error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN requests to dfs from a user in MIT KDC are successfully executed Checking ./hdfs groups returns the correct set of groups but the AD user's requests after kinit return the above error
... View more
01-27-2024
05:17 AM
I read the article But I can't understand a few things 1. I have a Hadoop (3.1.3) MIT KDC cluster on a separate server Active Directory for server users with hadoop is not included in the domain 2. All hadoop NN, DN, JN, etc. services are launched using the keytabs created for them and are working successfully 3. any requests from the user from AD fall with an error 2024-01-27 15:56:07,949 DEBUG security.SaslRpcClient: Sending sasl message state: NEGOTIATE 2024-01-27 15:56:07,950 DEBUG security.SaslRpcClient: Get token info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.token.TokenInfo(value=class org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSelector) 2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: tokens aren't supported for this protocol or user doesn't have one 2024-01-27 15:56:07,951 DEBUG security.SaslRpcClient: Get kerberos info proto:interface org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB info:@org.apache.hadoop.security.KerberosInfo(clientPrincipal=, serverPrincipal=dfs.namenode.kerberos.principal) 2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: RPC Server's Kerberos principal name for protocol=org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolPB is hdfs/hadoop01dev.local@HADOOP.LOCAL 2024-01-27 15:56:07,953 DEBUG security.SaslRpcClient: Creating SASL GSSAPI(KERBEROS) client to authenticate to service at hadoop01dev.local 2024-01-27 15:56:07,955 DEBUG security.SaslRpcClient: Use KERBEROS authentication for protocol ClientNamenodeProtocolPB 2024-01-27 15:56:07,987 DEBUG security.UserGroupInformation: PrivilegedActionException as:user1@AD.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] single-party trust between AD and MIT KDC is set up I can't understand what algorithm works in this scheme for users in AD through kinit they get a ticket to AD, but how do they get into hadoop, which works with MIT KDC tickets? It turns out that after authentication via kinit in AD, they should receive a ticket to MIT KDC somehow? or does this ticket get a NameNode for them , for example? Can someone explain how this mechanism works?
... View more