The supergroup is 'supergroup'.

The user 'snapuser' is in that group.

I've added hadoop.proxyuser.snapuser.hosts, .groups, and .users to the conf
file. (Via advanced options safety valve for core-site.xml in CDH manager.)
I verified the change is in the deployed configuration.

It works for SIMPLE auth on a different cluster. Before it gave me the
"unable to impersonate" message. But something about Kerberos is tripping
me up.

What's really annoying is that we had it working earlier on a different
cluster and AFAIK everything is configured identically, with the possible
exception of an RPC vs SASL flag buried somewhere on a configuration page.

On Fri, Jan 26, 2018 at 7:59 AM, Jorge Machado <jom...@me.com> wrote:

> Have you added the proxy.***.hosts to hadoop config?
> Check this:
> https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/Superusers.html
>
> Jorge Machado
> www.jmachado.me
>
>
>
>
>
> On 26 Jan 2018, at 14:57, Bear Giles <bgi...@snaplogic.com> wrote:
>
> Thanks all.
>
> I've made the changes but am still getting an error. Notably it's not a
> "user X cannot impersonate Y" error.
>
>   exc: Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
>   exc:  at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:172)
>   exc:  at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
>   exc:  at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:555)
>   exc:  at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:370)
>   exc:  at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:724)
>   exc:  at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:720)
>   exc:  at java.security.AccessController.doPrivileged(Native Method)
>   exc:  at javax.security.auth.Subject.doAs(Subject.java:422)
>   exc:  at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>   exc:  at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:720)
>   exc:  ... 33 more
>
> I don't understand this since the Kerberos user authenticates without a
> problem after loading the keytab file. But when I use that UGI in a
> UserGroupInformation.createProxyUser() call I get this error.
>
> I seem to recall coming across something on SASL and Kerberos user
> impersonation having problems but can't find it now.
>
> Thanks,
>
> Bear
>
> On Thu, Jan 25, 2018 at 9:53 AM, Wei-Chiu Chuang <weic...@apache.org>
> wrote:
>
>> Hi Bear,
>>
>> Try setting proxyuser using the following doc:
>> https://www.cloudera.com/documentation/enterprise/latest/topics/admin_hdfs_proxy_users.html
>>
>> A while ago I helped a customer of ours to configure proxy user. If you
>> have at-rest encryption in the cluster, you'd also need to configure KMS
>> proxyuser as well.
>> https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms_security.html
>> It isn't that obvious from CDH documentation nor Apache Hadoop doc.
>>
>>
>> On Thu, Jan 25, 2018 at 7:24 AM, Bear Giles <bgi...@snaplogic.com> wrote:
>>
>>> Hi, kerberos auth question here.
>>>
>>> We need to have Kerberos authentication with user impersonation. I know
>>> we had it working on one of our test clusters earlier but nobody can
>>> remember which one or how it was configured. :-(
>>>
>>> From my research I have the following items:
>>>
>>> 1. There are Kerberos users alice@REALM and bob@REALM.
>>>
>>> 2. 'alice' is in the 'supergroup' group on the HDFS node I access.
>>>
>>> 3. The server has hadoop.proxyuser.alice.users = * set in core-site.xml.
>>> (see note)
>>>
>>> 4. I can connect using alice@REALM.
>>>
>>> 5. When I try to connect using UGI.createProxyUser("bob", alice) I get a
>>> "Client cannot authenticate via:[TOKEN, KERBEROS]" error.
>>>
>>> 6. I didn't have success with "bob@REALM" earlier but I've changed the
>>> configuration since then so I might have missed something.
>>>
>>> Do I need to create an additional principal for alice? Something like
>>> alice/hdfs@REALM? alice/supergroup@REALM?
>>>
>>> Is there
>>>
>>> (note: We're using CDH and I'm setting this on the 'advanced
>>> configuration snippets' page. I saved the settings and restarted the
>>> servers but I'm not sure that the files are actually being updated. I've
>>> also changed the configuration files manually.)
>>>
>>> --
>>>
>>> Bear Giles
>>>
>>> Sr. Java Application Engineer
>>> bgi...@snaplogic.com
>>> Mobile: 720-749-7876
>>>
>>> <http://www.snaplogic.com/about-us/jobs>
>>>
>>> *SnapLogic Inc | 929 Pearl St #200 | 80303 CO 80302 | USA*
>>>
>>> *SnapLogic Inc | 2 W 5th Avenue 4th Floor | San Mateo CA 94402 | USA*
>>>
>>> This message is confidential. It may also be privileged or otherwise
>>> protected by work product immunity or other legal rules. If you have
>>> received it by mistake, please let us know by e-mail reply and delete it
>>> from your system; you may not copy this message or disclose its contents to
>>> anyone. The integrity and security of this message cannot be guaranteed on
>>> the Internet.
>>>
>>
>>
>>
>> --
>> A very happy Hadoop contributor
>>
>
>
>


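An added example, not part of the original thread or of Hadoop's own code: a small offline check that reads a deployed core-site.xml and evaluates the hadoop.proxyuser.<user>.hosts/.groups/.users settings discussed above. It is a simplified model of the rules described in the Superusers document linked in the thread; the sample configuration, host names, addresses and the 'analysts' group are constructed, and it does not perform Kerberos authentication.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a core-site.xml fragment using the proxy user named in the thread.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.proxyuser.snapuser.hosts</name><value>10.0.5.0/24,gateway1.example.com</value></property>
  <property><name>hadoop.proxyuser.snapuser.groups</name><value>analysts</value></property>
  <property><name>hadoop.proxyuser.snapuser.users</name><value>bob</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def _items(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def _host_allowed(entries, client_ip, client_host):
    for e in entries:
        if e == "*" or e == client_host:
            return True
        try:
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # entry is a host name, not an IP address or CIDR range
    return False

def check_impersonation(props, real_user, target_user, target_groups, client_ip, client_host=""):
    """Return (allowed, reason) under a simplified model of the proxyuser rules."""
    prefix = "hadoop.proxyuser.%s." % real_user
    users = _items(props.get(prefix + "users"))
    groups = _items(props.get(prefix + "groups"))
    hosts = _items(props.get(prefix + "hosts"))
    # The target must match .users or one of its groups must match .groups ...
    if not ("*" in users or target_user in users or "*" in groups or set(groups) & set(target_groups)):
        return False, "%s is not allowed to impersonate %s" % (real_user, target_user)
    # ... and the connection must come from a host listed in .hosts.
    if not _host_allowed(hosts, client_ip, client_host):
        return False, "connection from %s is not in %shosts" % (client_ip, prefix)
    return True, "allowed"

def wildcard_keys(props, real_user):
    """List proxyuser keys for real_user whose value is the catch-all '*'."""
    prefix = "hadoop.proxyuser.%s." % real_user
    return sorted(k for k, v in props.items() if k.startswith(prefix) and v == "*")
```

Running wildcard_keys() against each cluster's deployed file also shows where a proxy user has been left open to every user, group or host.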