Member since
07-24-2017
19
Posts
3
Kudos Received
2
Solutions
My Accepted Solutions
Title | Views | Posted |
---|---|---|
6976 | 03-27-2018 08:48 AM | |
3011 | 09-09-2017 08:19 AM |
07-22-2019
02:54 PM
@mmmunafo, I guess your workaround should be OK. The only other two option I could see would be to wrap the pam.authenticate() call with an unset and set of KRB5CCNAME. Assuming authentication takes milliseconds, it would be unlikely that Hue is attempting to retrieve cache information at that moment, but I don't know that it is any better than what you are up to. for instance, in desktop/core/src/desktop/auth/backend.py wrap: if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()): With del os.environ['KRB5CCNAME'] and then after auth: os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get() NOTE: we would need to import os in backend.py to do that. So possibly, something like this would work: class PamBackend(DesktopBackendBase):
"""
Authentication backend that uses PAM to authenticate logins. The first user to
login will become the superuser.
"""
@metrics.pam_authentication_time
def authenticate(self, request=None, username=None, password=None):
username = force_username_case(username)
del os.environ['KRB5CCNAME']
if pam.authenticate(username, password, desktop.conf.AUTH.PAM_SERVICE.get()):
os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
is_super = False
if User.objects.count() == 0:
is_super = True
try:
if desktop.conf.AUTH.IGNORE_USERNAME_CASE.get():
user = User.objects.get(username__iexact=username)
else:
user = User.objects.get(username=username)
except User.DoesNotExist:
user = find_or_create_user(username, None)
if user is not None and user.is_active:
profile = get_profile(user)
profile.creation_method = UserProfile.CreationMethod.EXTERNAL.name
profile.save()
user.is_superuser = is_super
ensure_has_a_group(user)
user.save()
user = rewrite_user(user)
return user
os.environ['KRB5CCNAME'] = desktop.conf.KERBEROS.CCACHE_PATH.get()
return None
@classmethod
def manages_passwords_externally(cls):
return True Might not be worth it, though
... View more
04-06-2018
09:08 AM
@michalis I removed the salt :normal while enabling kerberos using cloudera manager and it imported the kdc successfully.. Thanks @bgooley and @michalis for the support and helping me to solve this tricky one.
... View more
03-31-2018
09:40 PM
Thank you! kerberos configured successfully bue when i am trying to execute commands, i was not able work wiht my cluster as i am getting below error please help [hdfs@cn1 ~]$ hdfs dfsadmin -safemode get 18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/03/31 09:16:48 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/03/31 09:16:48 WARN security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] safemode: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "cn1.hadoop.com/192.168.56.121"; destination host is: "cn1.hadoop.com":8020; Thanks Balaji Vemula
... View more
09-09-2017
08:19 AM
I did not see the reply. It was my problem. I was looking in to .out file instead of .log. Its solved. @csguna wrote: not sure if you are still looking for the solution i am kind of late though .
... View more