Hi,
I am using HDP2.6 and have enabled Kerberos. The rules generated by Ambari
have:
RULE:[1:$1@$0](hdfs-spark_cluster@test_kdc.com)s/.*/hdfs/
Also, klist shows hdfs user is mapped correctly to the rule:
[hdfs@test-namenode ~]$ klist
Ticket cache: KEYRING:persistent:1012:1012
Default principal: hdfs-spark_cluster@test_kdc.com
User hdfs-spark_cluster is associated with hdfs keytab:
[hdfs@test-namenode ~]$ kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-spark_cluster
Using existing cache: persistent:1012:1012
Using principal: hdfs-spark_cluster@test_kdc.com
Using keytab: /etc/security/keytabs/hdfs.headless.keytab
Authenticated to Kerberos v5
However, hdfs is NOT associated with this hdfs keytab:
[hdfs@test-namenode ~]$ kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs
Using new cache: persistent:1012:krb_ccache_V36KQXp
Using principal: hdfs@test_kdc.com
Using keytab: /etc/security/keytabs/hdfs.headless.keytab
kinit: Keytab contains no suitable keys for hdfs@test_kdc.com while getting initial credentials
As you can see, kinit maps hdfs to hdfs@test_kdc.com instead of
hdfs-spark_cluster@test_kdc.com.
I guess this is the reason I got "Failed to find any Kerberos tgt" when
doing "hdfs dfs -ls".
I don't know why Ambari creates Kerberos users in the format of
"hdfs-{CLUSTERNAME}@{REALNAME}" instead of "hdfs@{REALNAME}".
Should I follow
https://community.hortonworks.com/articles/79574/build-a-cluster-with-custom-principal-names-using.html
to force Ambari to create hdfs@test_kdc.com instead of
hdfs-spark_cluster@test_kdc.com? Or am I missing anything else?
Thanks for any help.
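
Added example, not part of the original post and not Hadoop's own code: a simplified Python evaluator for the auth_to_local rule quoted above, showing which principals it translates to the short name hdfs. Hadoop applies these rules in one direction, from a principal to a local short name. The function names are hypothetical, Python's regex engine stands in for Java's, and only the RULE:[n:format](match)s/pattern/replacement/ form is handled.

```python
import re

# Rule text copied from the post.
RULE = "RULE:[1:$1@$0](hdfs-spark_cluster@test_kdc.com)s/.*/hdfs/"

# RULE:[n:format](match)s/pattern/replacement/g ; match and s/// are optional.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?"
)


def split_principal(principal):
    """Return [realm, comp1, comp2, ...] so that list index k holds $k."""
    name, _, realm = principal.partition("@")
    return [realm] + name.split("/")


def apply_rule(rule, principal):
    """Return the short name the rule yields, or None if it does not apply."""
    m = RULE_RE.fullmatch(rule.strip())
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    count, fmt, match, pattern, repl, glob = m.groups()
    parts = split_principal(principal)
    # A rule only applies to principals with exactly n name components.
    if len(parts) - 1 != int(count):
        return None
    # Build the string to test by expanding $0 (realm) and $1..$n.
    base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
    # The parenthesised filter must match the whole expanded string.
    if match is not None and re.fullmatch(match, base) is None:
        return None
    if pattern is None:
        return base
    # Without the g flag only the first match is replaced.
    return re.sub(pattern, lambda _: repl, base, count=0 if glob else 1)


if __name__ == "__main__":
    for p in ("hdfs-spark_cluster@test_kdc.com",
              "hdfs@test_kdc.com",
              "nn/test-namenode@test_kdc.com"):  # constructed sample
        print(p, "->", apply_rule(RULE, p))
```

On a cluster node, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` evaluates the full configured rule set for a principal.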