Hi,
If your problem is just to have a refreshed TGT at regular intervals, you can
consider using the k5start service: http://linux.die.net/man/1/k5start
This service daemon will keep your keytab refreshed at regular intervals.
Rajesh
On Tuesday, 5 January 2016 6:34 AM, Christopher Jackson
<[email protected]> wrote:
Hey guys,
Thanks for your feedback. Indeed you were correct: the issue was that the guest
user was not created on each node in the cluster. After doing so I was able to
get webhdfs working through the gateway.
Before I continue discussing my issues with my custom service using knox and
kerberos I would like to ask a more general question as I believe I may have
gone about kerberos the wrong way. I know this is the knox user thread but I’m
sure you guys are in general good with securing hadoop so I’ll ask, if I should
redirect the question to another group please let me know.
Some brief background:
My web application interacts with HBase (using client and rest) and Oozie
(using client) quite frequently and thus will need to be authenticated to
kerberos to perform those actions. Since it's a service that is always running I
need a TGT pretty much indefinitely. How is this usually handled?
Programmatically? Cron-job issuing kinit using keytab? Or is this done via
proxy, using doAs java calls from the Hadoop Security classes?
My initial approach overlooked this issue: a TGT is generated at install time
of the service, but after a given period of time it expires and the service
starts throwing errors when it tries to access other services in the cluster.
I would appreciate any best practices or common approaches anyone could share.
Regards,
Christopher [email protected]
On Dec 28, 2015, at 11:48 AM, Kevin Minder <[email protected]> wrote:
In addition to Larry’s comments, this error:
{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information:
org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not
allowed to impersonate guest"}}
is usually caused by missing proxy user config:
http://knox.apache.org/books/knox-0-6-0/user-guide.html#Grant+Proxy+privileges+for+Knox+user+in+`core-site.xml`+on+Hadoop+master+nodes
From: Christopher Jackson <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 24, 2015 at 1:24 PM
To: "[email protected]" <[email protected]>
Subject: Custom Ambari Service using Knox and Kerberos.
{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed
to obtain user group information:
org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not
allowed to impersonate guest"}}
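
Added example, not part of the original thread: a small check that takes the RemoteException body quoted above, extracts the proxy user from it, and reports which `hadoop.proxyuser.<user>.hosts` / `hadoop.proxyuser.<user>.groups` entries are missing or set to a wildcard in a `core-site.xml`. The sample `core-site.xml` and the host name `gateway.example.com` are constructed for illustration, and the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample core-site.xml: hosts is set, groups is absent.
SAMPLE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.proxyuser.knox.hosts</name>
    <value>gateway.example.com</value>
  </property>
</configuration>"""

# The RemoteException body from the thread, joined onto one logical line.
SAMPLE_ERROR = ('{"RemoteException":{"exception":"SecurityException",'
                '"javaClassName":"java.lang.SecurityException","message":"Failed to '
                'obtain user group information: org.apache.hadoop.security.authorize.'
                'AuthorizationException: User: knox is not allowed to impersonate guest"}}')

IMPERSONATION = re.compile(r"User: (\S+) is not allowed to impersonate (\S+)")

def parse_impersonation_error(body):
    """Return (proxy_user, target_user) from a RemoteException body, or None."""
    try:
        msg = json.loads(body)["RemoteException"]["message"]
    except (ValueError, KeyError, TypeError):
        return None
    m = IMPERSONATION.search(msg)
    return (m.group(1), m.group(2)) if m else None

def check_proxyuser(core_site_xml, proxy_user):
    """List (property, problem) pairs for missing or wildcard proxyuser entries."""
    props = {}
    for p in ET.fromstring(core_site_xml).iter("property"):
        props[(p.findtext("name") or "").strip()] = (p.findtext("value") or "").strip()
    findings = []
    for suffix in ("hosts", "groups"):
        key = f"hadoop.proxyuser.{proxy_user}.{suffix}"
        value = props.get(key)
        if not value:
            findings.append((key, "missing"))          # impersonation is denied
        elif "*" in [v.strip() for v in value.split(",")]:
            findings.append((key, "wildcard"))         # works, but over-broad
    return findings

if __name__ == "__main__":
    user, target = parse_impersonation_error(SAMPLE_ERROR)
    for key, problem in check_proxyuser(SAMPLE_CORE_SITE, user):
        print(f"{key}: {problem} (needed for {user} to impersonate {target})")
```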