Hi, I am using HDP2.6 and have enabled kerberos. The rules generated by ambari has:
RULE:[1:$1@$0](hdfs-spark_cluster@test_kdc.com)s/.*/hdfs/ Also, klist shows hdfs user is mapped correctly to the rule: [hdfs@test-namenode ~]$ klist Ticket cache: KEYRING:persistent:1012:1012 Default principal: hdfs-spark_cluster@test_kdc.com User hdfs-spark_cluster is associated with hdfs keytab: [hdfs@test-namenode ~]$ kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-spark_cluster Using existing cache: persistent:1012:1012 Using principal: hdfs-spark_cluster@test_kdc.com Using keytab: /etc/security/keytabs/hdfs.headless.keytab Authenticated to Kerberos v5 However, hdfs is NOT associated with this hdfs keytab: [hdfs@test-namenode ~]$ kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs Using new cache: persistent:1012:krb_ccache_V36KQXp Using principal: hdfs@test_kdc.com Using keytab: /etc/security/keytabs/hdfs.headless.keytab kinit: Keytab contains no suitable keys for hdfs@test_kdc.com while getting initial credentials As you can see, kinit maps hdfs to hdfs@test_kdc.com instead of hdfs-spark_cluster@test_kdc.com. I guess this is the reason I got "Failed to find any Kerberos tgt" when doing "hdfs dfs -ls". I don't know why ambari create kerberos users in the format of "hdfs-{CLUSTERNAME}@{REALNAME}" instead of "hdfs@{REALNAME}". Should I follow https://community.hortonworks.com/articles/79574/build-a-cluster-with-custom-principal-names-using.html to force ambari to create hdfs@test_kdc.com instead of hdfs-spark_cluster@test_kdc.com? Or I am missing anything else? Thanks for any help.