In the JAAS config, have you tried adding the following ?
storeKey=true
On Thu, Nov 17, 2016 at 10:08 AM, Hugo Labra <hugo.la...@oracle.com> wrote:
> Hello,
>
> I am having a problem to connect to a Secure HBase cluster when using the
> JAAS config, I enabled Kerberos using the cloudera wizard.
>
> My program is trying to create some tables and write to them, the problem
> is that if I set the flag -Djava.security.auth.login.config=jaas.conf the
> JAAS config and the keytab, and then run kinit it suceeds, but if I do not
> do kinit before then it doesn't works... Am I understanding things
> incorrectly? Shouldn't the jaas configuration get the kerberos ticket
> transparently without the need of kinit?
>
> This is my JAAS config:
>
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> useTicketCache=false
> keyTab="/scratch/kerberos/hbase.keytab"
> principal="hbase/myhost.example....@example.com";
> };
>
>
> If I do exactly the same but without kinit first the I get the following
> exception:
> Caused by: java.lang.RuntimeException: SASL authentication failed. The
> most likely cause is missing or invalid credentials. Consider 'kinit'.
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$1.run(
> RpcClientImpl.java:673)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro
> upInformation.java:1671)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleS
> aslConnectionFailure(RpcClientImpl.java:631)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIO
> streams(RpcClientImpl.java:739)
> ... 17 more
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused
> by GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng
> e(GssKrb5Client.java:212)
> at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConn
> ect(HBaseSaslRpcClient.java:179)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSa
> slConnection(RpcClientImpl.java:605)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$
> 600(RpcClientImpl.java:154)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(
> RpcClientImpl.java:731)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(
> RpcClientImpl.java:728)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:415)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro
> upInformation.java:1671)
> at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIO
> streams(RpcClientImpl.java:728)
> ... 17 more
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)
> at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5In
> itCredential.java:147)
> at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(
> Krb5MechFactory.java:121)
> at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(K
> rb5MechFactory.java:187)
> at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSMana
> gerImpl.java:223)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
> pl.java:212)
> at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm
> pl.java:179)
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng
> e(GssKrb5Client.java:193)
> ... 26 more
>
>
> Shouldn't the JAAS get the ticket without the need of kinit?
>
> I appreciate any help :)
>
> Kind regards,
> Hugo Labra
>
