[ https://issues.apache.org/jira/browse/ATLAS-354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Suma Shivaprasad updated ATLAS-354:
-----------------------------------
    Fix Version/s:     (was: trunk)
                       0.6-incubating
    Affects Version/s:     (was: 0.5-incubating)
                           0.6-incubating

> Kerberized cluster: quick_start.py fails to add sample data
> -----------------------------------------------------------
>
>                 Key: ATLAS-354
>                 URL: https://issues.apache.org/jira/browse/ATLAS-354
>             Project: Atlas
>          Issue Type: Bug
>    Affects Versions: 0.6-incubating
>            Reporter: Ayub Khan
>            Assignee: Shwetha G S
>            Priority: Blocker
>             Fix For: 0.6-incubating
>
>         Attachments: ATLAS-354-v2.patch, ATLAS-354-v3.patch, ATLAS-354.patch
>
>
> Check the ticket cache available
> {noformat}
> [atlas@os-r7-apathan-hbase-1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1010
> Default principal: atlas/os-r7-apathan-hbase-1.novalo...@example.com
> Valid starting       Expires              Service principal
> 12/01/2015 17:57:14  12/02/2015 17:57:14  krbtgt/example....@example.com
> [atlas@os-r7-apathan-hbase-1 ~]$
> {noformat}
> Below is the client.properties from kerberized cluster
> {noformat}
> ######### Security Properties #########
> # SSL config
> atlas.enableTLS=false
> truststore.file=/path/to/truststore.jks
> cert.stores.credential.provider.path=jceks://file/path/to/credentialstore.jceks
> # following only required for 2-way SSL
> keystore.file=/path/to/keystore.jks
> # Authentication config
> # enabled: true or false
> atlas.http.authentication.enabled=false
> # type: simple or kerberos
> atlas.http.authentication.type=simple
> ######### Security Properties #########
> {noformat}
> Now try running quick_start.py, it throws below exception
> {noformat}
> Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 401, message: Authentication required
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
>     at com.sun.jersey.api.client.Client.handle(Client.java:648)
>     at com.sun.jersey.api.client.WebResource.handle(WebResource.java:670)
>     at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
>     at com.sun.jersey.api.client.WebResource$Builder.method(WebResource.java:623)
>     at org.apache.atlas.AtlasClient.callAPIWithResource(AtlasClient.java:351)
>     at org.apache.atlas.AtlasClient.callAPI(AtlasClient.java:370)
>     at org.apache.atlas.AtlasClient.createType(AtlasClient.java:170)
>     at org.apache.atlas.examples.QuickStart.createTypes(QuickStart.java:97)
>     at org.apache.atlas.examples.QuickStart.main(QuickStart.java:57)
> Caused by: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 401, message: Authentication required
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:107)
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:99)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:415)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>     at org.apache.atlas.security.SecureClientUtils$1.getHttpURLConnection(SecureClientUtils.java:99)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:159)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
>     ... 9 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 401, message: Authentication required
>     at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:274)
>     at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:128)
>     at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:322)
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:103)
>     ... 16 more
> Example data added to Apache Atlas Server!!!
> {noformat}
> To fix the above issue, I have tried adding authentication config to client.properties manually, like below
> {noformat}
> atlas.enableTLS=false
> truststore.file=/path/to/truststore.jks
> cert.stores.credential.provider.path=jceks://file/path/to/credentialstore.jceks
> # following only required for 2-way SSL
> keystore.file=/path/to/keystore.jks
> # Authentication config
> # enabled: true or false
> atlas.http.authentication.enabled=true
> # type: simple or kerberos
> atlas.http.authentication.type=kerberos
> ######### Security Properties #########
> atlas.authentication.keytab=/etc/security/keytabs/atlas.service.keytab
> atlas.authentication.method=kerberos
> atlas.authentication.principal=atlas/_h...@example.com
> atlas.http.authentication.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab
> atlas.http.authentication.kerberos.name.rules=RULE:[1:$1@$0](ambari...@example.com)s/.*/ambari-qa/ \
> RULE:[1:$1@$0](hb...@example.com)s/.*/hbase/ \
> RULE:[1:$1@$0](h...@example.com)s/.*/hdfs/ \
> RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// \
> RULE:[2:$1@$0](amshb...@example.com)s/.*/ams/ \
> RULE:[2:$1@$0](am...@example.com)s/.*/ams/ \
> RULE:[2:$1@$0](at...@example.com)s/.*/atlas/ \
> RULE:[2:$1@$0](d...@example.com)s/.*/hdfs/ \
> RULE:[2:$1@$0](hb...@example.com)s/.*/hbase/ \
> RULE:[2:$1@$0](h...@example.com)s/.*/hive/ \
> RULE:[2:$1@$0](j...@example.com)s/.*/mapred/ \
> RULE:[2:$1@$0](j...@example.com)s/.*/hdfs/ \
> RULE:[2:$1@$0](n...@example.com)s/.*/hdfs/ \
> RULE:[2:$1@$0](n...@example.com)s/.*/yarn/ \
> RULE:[2:$1@$0](n...@example.com)s/.*/hdfs/ \
> RULE:[2:$1@$0](r...@example.com)s/.*/yarn/ \
> RULE:[2:$1@$0](y...@example.com)s/.*/yarn/ \
> DEFAULT
> atlas.http.authentication.kerberos.principal=HTTP/_h...@example.com
> {noformat}
> with the new auth config, tried running /grid/0/hdp/current/atlas-server/bin/quick_start.py, exception with "Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER"
> {noformat}
> Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
>     at com.sun.jersey.api.client.Client.handle(Client.java:648)
>     at com.sun.jersey.api.client.WebResource.handle(WebResource.java:670)
>     at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
>     at com.sun.jersey.api.client.WebResource$Builder.method(WebResource.java:623)
>     at org.apache.atlas.AtlasClient.callAPIWithResource(AtlasClient.java:351)
>     at org.apache.atlas.AtlasClient.callAPI(AtlasClient.java:370)
>     at org.apache.atlas.AtlasClient.createType(AtlasClient.java:170)
>     at org.apache.atlas.examples.QuickStart.createTypes(QuickStart.java:97)
>     at org.apache.atlas.examples.QuickStart.main(QuickStart.java:57)
> Caused by: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:107)
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:99)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:415)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>     at org.apache.atlas.security.SecureClientUtils$1.getHttpURLConnection(SecureClientUtils.java:99)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:159)
>     at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
>     ... 9 more
> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:332)
>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:205)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.authenticate(DelegationTokenAuthenticator.java:128)
>     at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
>     at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL.openConnection(DelegationTokenAuthenticatedURL.java:322)
>     at org.apache.atlas.security.SecureClientUtils$1$1.run(SecureClientUtils.java:103)
>     ... 16 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:311)
>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:287)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:415)
>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:287)
>     ... 21 more
> Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
>     at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:191)
>     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:202)
>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:292)
>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:101)
>     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:456)
>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
>     ... 28 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>     at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
>     at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
>     ... 34 more
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
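
A triage sketch for the two traces quoted above, added here as an example and not part of the JIRA report or the Atlas code base: it reads a client stack trace and reports which Hadoop authenticator the client actually used (the `PseudoAuthenticator` frame in the first trace, `KerberosAuthenticator` in the second), the innermost cause, and the code of the first `KrbException` in the chain. The function name `triage` and the shortened sample traces are constructed for illustration.

```python
import re

# Constructed, shortened excerpts of the two traces quoted in the report
# (wrapped lines rejoined, most frames dropped).
TRACE_SIMPLE = """\
Exception in thread "main" com.sun.jersey.api.client.ClientHandlerException: java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 401, message: Authentication required
    at org.apache.atlas.AtlasClient.createType(AtlasClient.java:170)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: Authentication failed, status: 401, message: Authentication required
    at org.apache.hadoop.security.authentication.client.AuthenticatedURL.extractToken(AuthenticatedURL.java:274)
    at org.apache.hadoop.security.authentication.client.PseudoAuthenticator.authenticate(PseudoAuthenticator.java:77)
"""
TRACE_SPNEGO = """\
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
    at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:332)
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
"""

CAUSE = re.compile(r'^(?:Exception in thread "[^"]*" |Caused by: )(.+)$')
FRAME = re.compile(r"^\s*at\s+([\w.$<>]+)\(")
KRB_CODE = re.compile(r"KrbException: .*?\((\d+)\)")


def triage(trace):
    """Return (authenticator, innermost_cause, krb_error_code) for a client trace."""
    causes, frames = [], []
    for line in trace.splitlines():
        if m := CAUSE.match(line):
            causes.append(m.group(1))
        elif m := FRAME.match(line):
            frames.append(m.group(1))
    # The Hadoop authenticator class in the frames shows what the client attempted.
    if any(".KerberosAuthenticator." in f for f in frames):
        authenticator = "kerberos"
    elif any(".PseudoAuthenticator." in f for f in frames):
        authenticator = "simple"
    else:
        authenticator = "unknown"
    code = None
    for cause in causes:
        if m := KRB_CODE.search(cause):
            code = int(m.group(1))
            break  # take the first KrbException in the chain
    return authenticator, (causes[-1] if causes else None), code
```

Code 7 is `KDC_ERR_S_PRINCIPAL_UNKNOWN` in RFC 4120: the KDC has no entry for the service principal the client requested a ticket for.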