01-25-2019
01:37 PM
It turns out I had some incorrect conceptions, but things still aren't happening as I'd like. First, you can FUSE-mount the mountpoint, and let it sit there. Any user who tries to access it (root, demouser, demoadmin, ...) will try to use their own Kerberos ticket to access the mountpoint.

```
unique: 6, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18419
getattr /
fuseNewConnect: failed to find Kerberos ticket cache file '/tmp/krb5cc_0'. Did you remember to kinit for UID 0?
fuseConnect(usrname=root): fuseNewConnect failed with error code -13
fuseConnectAsThreadUid: failed to open a libhdfs connection! error -13.
unique: 6, error: -5 (Input/output error), outsize: 16
unique: 7, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18643
getattr /
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://optimusdata, port=0, kerbTicketCachePath=/tmp/krb5cc_1000, userName=demouser) error:
LoginException: Unable to obtain password from user
org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: demouser using ticket cache file: /tmp/krb5cc_1000 javax.security.auth.login.LoginException: Unable to obtain password from user
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1846)
...
fuseNewConnect(usrname=demouser): Unable to create fs: error code 255
fuseConnect(usrname=demouser): fuseNewConnect failed with error code 255
fuseConnectAsThreadUid: failed to open a libhdfs connection! error 255.
unique: 15, error: -5 (Input/output error), outsize: 16
```

With mount option debug, it shows that the Kerberos ticket that's attempted to be used is changing as each user does `ls /mnt/hdfs`. Still, I want to use a service principal for Hadoop/Kerberos access, and let the local system do user-based authentication (or even just expose the whole thing to any logged-in user, or use uid/gid mount options). It feels like there is an error somewhere.

```
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hdfs/fs-03.internal.mydomain.com@INTERNAL.MYDOMAIN.COM
01/17/2019 14:36:23 krbtgt/INTERNAL.MYDOMAIN.COM@INTERNAL.MYDOMAIN.COM
```

klist shows that the principal for my user should be the HDFS service principal. It shows that the referenced Kerberos ticket file does exist, and is being referenced. Nevertheless, the fuse client is trying to authenticate by the username 'demouser'. Does anyone know a way of changing this?
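An added example, not part of the original post and not fuse-dfs code: a small Python parser for debug output like that quoted above, which pairs each failed FUSE request with the local username, the per-UID ticket cache it tried, and why the connection failed. The function name `parse_fuse_debug`, the record fields and the abridged sample log are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the debug output quoted in the post.
SAMPLE_LOG = """\
unique: 6, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18419
getattr /
fuseNewConnect: failed to find Kerberos ticket cache file '/tmp/krb5cc_0'. Did you remember to kinit for UID 0?
fuseConnect(usrname=root): fuseNewConnect failed with error code -13
unique: 6, error: -5 (Input/output error), outsize: 16
unique: 7, opcode: GETATTR (3), nodeid: 1, insize: 56, pid: 18643
getattr /
hdfsBuilderConnect(forceNewInstance=1, nn=hdfs://optimusdata, port=0, kerbTicketCachePath=/tmp/krb5cc_1000, userName=demouser) error:
LoginException: Unable to obtain password from user
fuseConnect(usrname=demouser): fuseNewConnect failed with error code 255
unique: 15, error: -5 (Input/output error), outsize: 16
"""

REQ = re.compile(r"^unique: (\d+), opcode: (\w+) \(\d+\), .*pid: (\d+)")
MISSING = re.compile(r"failed to find Kerberos ticket cache file '([^']+)'")
BUILDER = re.compile(r"kerbTicketCachePath=([^,]+), userName=([^)]+)\)")
CONNECT = re.compile(r"^fuseConnect\(usrname=([^)]+)\): .* error code (-?\d+)")

def parse_fuse_debug(text):
    """Return one dict per FUSE request that failed to connect to HDFS."""
    records, cur = [], None
    for line in text.splitlines():
        if m := REQ.match(line):
            # A new incoming request; reply lines ("unique: N, error: ...") do not match.
            cur = {"request": int(m[1]), "opcode": m[2], "pid": int(m[3]),
                   "user": None, "cache": None, "reason": None, "code": None}
        elif cur is None:
            continue
        elif m := MISSING.search(line):
            cur["cache"], cur["reason"] = m[1], "ticket cache missing"
        elif m := BUILDER.search(line):
            cur["cache"], cur["user"] = m[1], m[2]
            cur["reason"] = "login failed with existing cache"
        elif m := CONNECT.match(line):
            # fuseConnect reports the local username and closes the record.
            cur["user"], cur["code"] = m[1], int(m[2])
            records.append(cur)
            cur = None
    return records

if __name__ == "__main__":
    for record in parse_fuse_debug(SAMPLE_LOG):
        print(record)
```

Run against a full debug capture, the records separate requests that failed because no cache existed for the calling UID from those where a cache was found but the login for the local username failed.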