Henning…

I didn’t know about that hadoop command.  This is awesome. Thanks!

hadoop org.apache.hadoop.security.HadoopKerberosName trafodion-robertaclus...@trafkdc.com

Rob


From: Henning Kropp <hkr...@microlution.de>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Monday, March 21, 2016 at 5:49 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Trying to create hbase tables after enabling Kerberos with Ambari

Hi,

what Robert suggested sounds to me exactly what you would need. It would help 
if you could provide your auth_to_local setting and the output of hbase> whoami

Another way to test your auth_to_locals setting would be to execute:
    % hadoop org.apache.hadoop.security.HadoopKerberosName trafodion-robertaclus...@trafkdc.com

Please be aware that the rules are applied in order, so it is important to have 
the rule from Robert before the default rule.

A more simple rule could also be:
    
    RULE:[1:$1@$0](trafodion-robertaclus...@trafkdc.com)s/.*/trafodion/

The above rule will only work for this principal/user. Put it as the first line 
of your auth to local and use HadoopKerberosName to test if it is working.

Regards,
Henning
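
Added example (not part of the thread, and not Hadoop's own code): a simplified Python model of how auth_to_local rules of the form RULE:[n:format](regex)s/pattern/replacement/ are tried in order, showing why the cluster-specific rule has to sit above the general one. The realm EXAMPLE.COM, the cluster suffix "exampleCluster" and the principals are constructed placeholders.

```python
import re

# Simplified model of auth_to_local RULE evaluation (assumption: only the
# RULE:[n:fmt](regex)s/pat/repl/ form is handled; DEFAULT and /L are not).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    n, fmt, match, pat, repl, glob = m.groups()
    return int(n), fmt, re.compile(match), re.compile(pat), repl, bool(glob)

def resolve(rule_lines, principal):
    """Return the short name produced by the first rule that matches."""
    name, realm = principal.rsplit("@", 1)
    fields = [realm] + name.split("/")        # $0 = realm, $1.. = components
    for n, fmt, match, pat, repl, glob in map(parse_rule, rule_lines):
        if len(fields) - 1 != n:              # rule is for another component count
            continue
        base = re.sub(r"\$(\d)", lambda m: fields[int(m.group(1))], fmt)
        if match.fullmatch(base):             # the filter must match the whole string
            # First match wins: later rules are never consulted.
            return pat.sub(lambda _: repl, base, count=0 if glob else 1)
    raise LookupError("no rule matched " + principal)

# Constructed sample rules, modelled on the three rules quoted in this thread.
SPECIFIC = r"RULE:[1:$1@$0](.*-exampleCluster@EXAMPLE.COM)s/-exampleCluster@.*//"
GENERAL = r"RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//"
SINGLE = r"RULE:[1:$1@$0](trafodion-exampleCluster@EXAMPLE.COM)s/.*/trafodion/"
PRINCIPAL = "trafodion-exampleCluster@EXAMPLE.COM"   # constructed principal

if __name__ == "__main__":
    for label, rules in [("specific first", [SPECIFIC, GENERAL]),
                         ("general first", [GENERAL, SPECIFIC]),
                         ("single-principal first", [SINGLE, GENERAL])]:
        print(f"{label:24s} -> {resolve(rules, PRINCIPAL)}")
```

With the general rule first, the short name keeps the cluster suffix, which is the kind of name HBase reports in the AccessDeniedException further down the thread.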


On 21/03/16 at 21:40, Roberta Marton wrote:
Thanks for your suggestion.  My property settings did have the second rule 
defined but not the first.
However, it did not seem to help.
I tried setting the rule several other ways but nothing seems to work.  I still 
get the same behavior.

   Roberta

From: Robert Levas [mailto:rle...@hortonworks.com]
Sent: Monday, March 21, 2016 11:21 AM
To: user@ambari.apache.org
Subject: Re: Trying to create hbase tables after enabling Kerberos with Ambari

Hi Roberta…

It seems like you need an auth-to-local rule set up to translate 
trafodion-robertaclus...@trafkdc.com to trafodion.

You can do this by editing the hadoop.security.auth_to_local property under 
HDFS->Configs->Advanced->Advanced core-site.

Adding the following rule should do the trick:

RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//

You will need to add this rule to the ruleset before/above less general rules 
like

RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//

After adding this rule, save the config and restart the recommended services.

I hope this helps,

Rob



From: Roberta Marton <roberta.mar...@esgyn.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Monday, March 21, 2016 at 2:08 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Trying to create hbase tables after enabling Kerberos with Ambari

I am trying to install Kerberos on top of my Hortonworks installation.  I have 
tried this with both versions 2.2 and 2.3 and get similar results.
After I enable Kerberos, I create a Linux user called trafodion and grant this 
user all HBase permissions.
I connect as trafodion but get permission errors when I try to create a table.

Details:

[trafodion@myhost ~]$ whoami
trafodion

[trafodion@myhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: trafodion-robertaclus...@trafkdc.com

Valid starting     Expires            Service principal
03/21/16 16:39:33  03/22/16 16:39:33  krbtgt/trafkdc....@trafkdc.com
        renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami
trafodion-robertaclus...@trafkdc.com(auth:KERBEROS)OIw
2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No groups available for user trafodion-robertaCluster

hbase(main):003:0> user_permission
User                            Table,Family,Qualifier:Permission
trafodion                      hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
ambari-qa                      hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]
2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'trafodion-robertaCluster' (global, action=CREATE)

I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?

    Roberta
