Re: Kerberos auth + user impersonation

2018-01-26 Thread Bear Giles
The supergroup is 'supergroup'. The user 'snapuser' is in that group. I've added hadoop.proxyuser.snapuser.hosts, .groups, and .users to the conf file. (Via advanced options safety valve for core-site.xml in CDH manager.) I verified the change is in the deployed configuration. It works for

Re: Kerberos auth + user impersonation

2018-01-26 Thread Jorge Machado
Have you added the proxy.***.hosts to hadoop config ? Check this: https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/Superusers.html Jorge Machado www.jmachado.me > On 26 Jan

Re: Kerberos auth + user impersonation

2018-01-26 Thread Bear Giles
Thanks all. I've made the changes but am still getting an error. Notably it's not a "user X cannot impersonate Y" error. exc: Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] exc: at

Re: Kerberos auth + user impersonation

2018-01-25 Thread Jorge Machado
Hi Bear, I have spend quite a time about this topics, actually if you just set the HADOOP_PROXY_USER and then just use loginUserFromKeytab or loginfromSubject it will create a proxy for you. have you set the hadoop.proxyuse..hosts ? that is important could be your error to. Jorge Machado

Kerberos auth + user impersonation

2018-01-25 Thread Bear Giles
Hi, kerberos auth question here. We need to have Kerberos authentication with user impersonation. I know we had it working on one of our test clusters earlier but nobody can remember which one or how it was configured. :-( >From my research I have the following items: 1. There is are Kerberos