[ https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16615305#comment-16615305 ]
Hrishikesh Gadre edited comment on HADOOP-15758 at 9/14/18 7:50 PM: -------------------------------------------------------------------- Here is a sample program to reproduce this issue: [https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece] The steps to reproduce are as follows * export KRB5CCNAME=/tmp/krb5cc_foo * export CLASSPATH=$CLASSPATH:$(hadoop classpath) * javac ReadWriteHDFSWithKinit.java * kinit -l 1m -kt hdfs.keytab [h...@abc.com|mailto:h...@abc.com] # kinit as a superuser (could be any user that has ability to proxy) * java ReadWriteHDFSWithKinit systest # note: access file as systest via the FileSystem.get(uri,conf,user) API The last step fails with following exception, {noformat} WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for [DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds. Will retry shortly ... java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination host is: "host-1.abc.com":8020;{noformat} was (Author: hgadre): Here is a sample program to reproduce this issue: [https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece] The steps to reproduce are as follows * export KRB5CCNAME=/tmp/krb5cc_foo * export CLASSPATH=$CLASSPATH:$(hadoop classpath) * javac ReadWriteHDFSWithKinit.java * kinit -l 1m -kt hdfs.keytab [h...@abc.com|mailto:h...@abc.com] # kinit as a superuser (could be any user that has ability to proxy) * java ReadWriteHDFSWithKinitCloudera systest # note: access file as systest via the FileSystem.get(uri,conf,user) API The last step fails with following exception, {noformat} WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN security.UserGroupInformation: PriviledgedActionException as:h...@abc.com (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for [DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds. Will retry shortly ... java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination host is: "host-1.abc.com":8020;{noformat} > Filesystem.get API not working as expected with user argument > ------------------------------------------------------------- > > Key: HADOOP-15758 > URL: https://issues.apache.org/jira/browse/HADOOP-15758 > Project: Hadoop Common > Issue Type: Bug > Reporter: Hrishikesh Gadre > Priority: Major > > A user reported that the Filesystem.get API is not working as expected when > they use the 'FileSystem.get(URI, Configuration, user)' method signature - > but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to > use this method signature to mimic proxy user functionality e.g. provide > ticket cache based kerberos credentials (using KRB5CCNAME env variable) for > the proxy user and then in the java program pass name of the user to be > impersonated. The alternative, to use [proxy users > functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html] > in Hadoop works as expected. > > Since FileSystem.get(URI, Configuration, user) is a public API and it does > not restrict its usage in this fashion, we should ideally make it work or add > docs to discourage its usage to implement proxy users. > -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org