[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Resolution: Fixed Target Version/s: 2.0.3-alpha, 1.2.0, 3.0.0, 0.23.7 (was: 1.2.0, 3.0.0, 2.0.3-alpha, 0.23.7) Hadoop Flags: Reviewed Status: Resolved (was: Patch Available) Thanks Alejandro, I have committed to trunk/2/23. WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Sub-task Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.branch-23.patch, HDFS-3367.patch, HDFS-3367.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Issue Type: Sub-task (was: Bug) Parent: HDFS-4576 WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Sub-task Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Attachment: HDFS-3367.patch HDFS-3367.branch-23.patch Uses the instantiating UGI to open all connections. Authenticated urls are only used for token ops, since all others are secured by a delegation token. WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Sub-task Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.branch-23.patch, HDFS-3367.patch, HDFS-3367.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Attachment: HDFS-3367.patch Will report back with testing results shortly. WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Attachment: HDFS-3367.patch HDFS-3367.branch-23.patch Wrap the opening of a connection with a doAs, similar to hftp. No tests are included since kerberos must be enabled, but it has been successfully tested with an internal application that is encountering this issue. WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Status: Patch Available (was: Open) WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 2.0.0-alpha, 1.0.2, 0.23.0, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Attachments: HDFS-3367.branch-23.patch, HDFS-3367.patch Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Daryn Sharp updated HDFS-3367: -- Target Version/s: 1.2.0, 3.0.0, 2.0.3-alpha, 0.23.7 (was: 1.2.0) Affects Version/s: 3.0.0 0.23.0 2.0.0-alpha WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 0.23.0, 1.0.2, 2.0.0-alpha, 3.0.0 Reporter: Jakob Homan Assignee: Daryn Sharp Priority: Critical Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eli Collins updated HDFS-3367: -- Priority: Critical (was: Major) Target Version/s: 1.2.0 Bumping since w/o this secure distcp using webhdfs won't work for some people. WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 1.0.2 Reporter: Jakob Homan Priority: Critical Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (HDFS-3367) WebHDFS doesn't use the logged in user when opening connections
[ https://issues.apache.org/jira/browse/HDFS-3367?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Eli Collins updated HDFS-3367: -- Component/s: webhdfs WebHDFS doesn't use the logged in user when opening connections --- Key: HDFS-3367 URL: https://issues.apache.org/jira/browse/HDFS-3367 Project: Hadoop HDFS Issue Type: Bug Components: webhdfs Affects Versions: 1.0.2 Reporter: Jakob Homan Priority: Critical Something along the lines of {noformat} UserGroupInformation.loginUserFromKeytab(blah blah) Filesystem fs = FileSystem.get(new URI(webhdfs://blah), conf) {noformat} doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials: {noformat}Exception in thread main java.io.IOException: Authentication failed, url=http://NN:50070/webhdfs/v1/?op=GETDELEGATIONTOKENuser.name=USER at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160) at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386) ... Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332) ... 16 more Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130) ...{noformat} Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira