Hi Hugo,
The JAAS configuration is actually only used by ZooKeeper -- not for
HBase itself. You would need to perform the login by yourself using JAAS
or invoke the correct UserGroupInformation API yourself.
The "Client" keyword is a hint here as to what was happening. This
"term" is unique to the application which implements the JAAS-based
login. "Client" is unique to ZooKeeper. It would be an "improvement" to
have some "HBaseClient" keyword that would automatically perform login
via JAAS in HBase :)
LMK if that isn't clear.
- Josh
Hugo Labra wrote:
Hello,
I am having a problem connecting to a Secure HBase cluster when using
the JAAS config. I enabled Kerberos using the Cloudera wizard.
My program is trying to create some tables and write to them. The
problem is that if I set the flag
-Djava.security.auth.login.config=jaas.conf the JAAS config and the
keytab, and then run kinit it succeeds, but if I do not do kinit before
then it doesn't work... Am I understanding things incorrectly?
Shouldn't the JAAS configuration get the Kerberos ticket transparently
without the need of kinit?
This is my JAAS config:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/scratch/kerberos/hbase.keytab"
  principal="hbase/myhost.example....@example.com";
};
If I do exactly the same but without kinit first then I get the following
exception:
Caused by: java.lang.RuntimeException: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$1.run(RpcClientImpl.java:673)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:631)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:739)
    ... 17 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
    at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:605)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$600(RpcClientImpl.java:154)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:731)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:728)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
    at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:728)
    ... 17 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
    at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
    ... 26 more
Shouldn't the JAAS get the ticket without the need of kinit?
I appreciate any help :)
Kind regards,
Hugo Labra
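
Added example, not part of the original thread and not code from either poster: one way to do the keytab login through the UserGroupInformation API that the reply mentions, so the HBase RPC client has a TGT without a prior kinit. The class name and the command-line arguments (principal, keytab path, table name) are assumptions for illustration; the "Client" JAAS section is still what ZooKeeper reads.

```java
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical class name; principal, keytab and table come from the command line.
public class KeytabLoginExample {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeytabLoginExample <principal> <keytab> <table>");
            System.exit(2);
        }
        final String principal = args[0];
        final String keytab = args[1];
        final TableName table = TableName.valueOf(args[2]);

        // Picks up hbase-site.xml from the classpath. Both properties must say
        // "kerberos"; otherwise UGI treats security as disabled and the keytab
        // login below does not obtain a ticket.
        final Configuration conf = HBaseConfiguration.create();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hbase.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        // Explicit login from the keytab: this obtains the TGT that the
        // SASL/GSSAPI handshake in the HBase RPC client needs.
        final UserGroupInformation ugi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

        // Run the HBase calls as the logged-in user so the RPC layer finds the
        // Kerberos credentials in the current Subject.
        boolean exists = ugi.doAs(new PrivilegedExceptionAction<Boolean>() {
            @Override
            public Boolean run() throws Exception {
                try (Connection connection = ConnectionFactory.createConnection(conf);
                     Admin admin = connection.getAdmin()) {
                    return admin.tableExists(table);
                }
            }
        });
        System.out.println(table + " exists: " + exists);
        // A long-running client should call ugi.checkTGTAndReloginFromKeytab()
        // periodically so the ticket is renewed before it expires.
    }
}
```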