Cloudera Community
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
ORCloud
user rank
New Contributor

Re: FUSE, keytabs, and fstab..

by New Contributor in Support Questions
‎01-25-2019 01:37 PM
‎01-25-2019 01:37 PM
It turns out I had some incorrect conceptions, but things still aren't happening as I'd like.   First, you can FUSE-mount the mountpoint, and let it sit there. Any user who tries to access it (root, demouser, demoadmin, ..) will try to use their own kerberos ticket to access the mountpoint. unique: 6, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18419 getattr / fuseNewConnect: failed to find Kerberos ticket cache file '/tmp/krb5cc_0'. Did you remember to kinit for UID 0? fuseConnect(usrname=root): fuseNewConnect failed with error code -13 fuseConnectAsThreadUid: failed to open a libhdfs connection! error -13. unique: 6, error: -5 (Input/output error), outsize: 16 unique: 7, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18643 getattr / hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://optimusdata, port=0, kerbTicketCachePath=/tmp/krb5cc_1000, userName=demouser) error: LoginException: Unable to obtain password from user org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: demouser using ticket cache file: /tmp/krb5cc_1000 javax.security.auth.login.LoginException: Unable to obtain password from user at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1846) ... fuseNewConnect(usrname=demouser): Unable to create fs: error code 255 fuseConnect(usrname=demouser): fuseNewConnect failed with error code 255 fuseConnectAsThreadUid: failed to open a libhdfs connection! error 255. unique: 15, error: -5 (Input/output error), outsize: 16 with mount option debug, it shows that the kerberos ticket that's attempted to be used is changing as each user does `ls /mnt/hdfs`.   Still, I want to use a service principal for Hadoop/kerberos access, and let the local system do user-based authentication (or even just expose the whole thing to any logged-in user, or use uid/gid mount options).   It feels like there is an error somewhere. $ klist Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: hdfs/fs-03.internal.mydomain.com@INTERNAL.MYDOMAIN.COM 01/17/2019 14:36:23 krbtgt/INTERNAL.MYDOMAIN.COM@INTERNAL.MYDOMAIN.COM   klist shows that the principal for my user should be the HDFS service principal. It shows that the referenced kerberos ticket file does exist, and is being referenced. Nevertheless, the fuse client is trying to authenticate by the username 'demouser'. Does anyone know a way of changing this? ... View more
Contact Me
Online
Offline
Last Visited
‎03-25-2019 02:00 PM
Community Statistics
Member Since ‎01-16-2019 07:33 AM
Last Visited ‎03-25-2019 02:00 PM
Posts 2