klist -e -v Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [email protected]
Valid starting Expires Service principal 08/05/13 12:34:42 08/05/13 22:34:42 krbtgt/[email protected] renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 Kerberos 5 version 1.10.3 The principal in hbase-site.xml is hbase/[email protected] How do I create a credential using kinit matching that in hbase-site.xml? kinit hbase/qa-node133.qa.lab throws an error msg *kinit: Password incorrect while getting initial credentials* *although I know that there is no password for that principal. * * * * * Cheers, Suhas. On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[email protected]> wrote: > Hi there, > > It seems like your client isn't authenticated in both cases. You seem to > be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if > your user is already authenticated. Internally, Sqoop is generating > delegation tokens to communicate with HBase. It cannot do that without > being properly authenticated first though. > > Could you provide the output of the following command: > "klist -e -v" > > -Abe > > > On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <[email protected]>wrote: > >> I have configured hbase 94.9 with kerberos successfully for >> authentication and authorization as mentioned in the CDH security docs. I >> am using sqoop 1.4.3. Is there any configuration required from the sqoop >> client side for kerberos? >> >> I have the following permissions on hbase tables - >> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo' >> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: >> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient >> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN) >> >> >> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB --table t1 >> --hbase-table t1 --column-family world >> >> >> When I try to import into it using sqoop with the above cmd, I get the >> following error - >> >> >> 2013-08-05 11:59:33,121 ERROR >> org.apache.hadoop.hbase.regionserver.HRegionServer: >> org.apache.hadoop.hbase.security.AccessDeniedException: Token generation >> only allowed for Kerberos authenticated clients >> at >> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >> at java.lang.reflect.Method.invoke(Method.java:597) >> at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576) >> at >> org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at >> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >> at java.lang.reflect.Method.invoke(Method.java:597) >> at >> org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308) >> at >> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426) >> >> >> Cheers, >> Suhas. >> > >
