I generated a keytab with the following cmd and it supports multiple encryption types other than aes256 as listed below. But I still get the same error from sqoop import tool because the sqoop.keytab is not being read (sqoop being the hbase client in this case).
kadmin: ktadd -k sqoop.keytab kuser1
Entry for principal kuser1 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
Entry for principal kuser1 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
Entry for principal kuser1 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:sqoop.keytab.
Entry for principal kuser1 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:sqoop.keytab.
Entry for principal kuser1 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:sqoop.keytab.
Entry for principal kuser1 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:sqoop.keytab.

Here are some more debug logs I obtained from kerberos -

*kadmin: getprinc kuser1*
Principal: [email protected]
Expiration date: [never]
Last password change: Mon Aug 05 15:40:30 PDT 2013
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Aug 05 15:40:30 PDT 2013 (mapr/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des-hmac-sha1, no salt
Key: vno 2, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]

*getprinc hbase/qa-node133.qa.lab*
Principal: hbase/[email protected]
Expiration date: [never]
Last password change: Mon Jul 29 19:17:46 PDT 2013
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jul 29 19:17:46 PDT 2013 (kuser1/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
Key: vno 2, des-hmac-sha1, no salt
Key: vno 2, des-cbc-md5, no salt
MKey: vno 1
Attributes:
Policy: [none]

Thanks,
Suhas.

On Mon, Aug 5, 2013 at 2:29 PM, Abraham Elmahrek <[email protected]> wrote:

> There should be a password. You should have a keytab associated with that
> principal, which would allow you to authenticate as that principal. See
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.html for
> more details on how that works.
>
> A couple of things...
> 1. You need to make your kerberos credentials renewable. Right now it
> seems like you cannot renew. See
> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html
> .
> 2. AES256 encryption is not inherently supported. Did you install support
> for AES256?
>
> -Abe
>
> On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[email protected]> wrote:
>
>> klist -e -v
>>
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: [email protected]
>>
>> Valid starting Expires Service principal
>> 08/05/13 12:34:42 08/05/13 22:34:42 krbtgt/[email protected]
>> renew until 08/05/13 12:34:42, Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> Kerberos 5 version 1.10.3
>>
>> The principal in hbase-site.xml is
>> hbase/[email protected]
>>
>> How do I create a credential using kinit matching that in hbase-site.xml?
>> kinit hbase/qa-node133.qa.lab throws an error msg
>> *kinit: Password incorrect while getting initial credentials*
>> *although I know that there is no password for that principal.*
>>
>> Cheers,
>> Suhas.
>>
>> On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[email protected]> wrote:
>>
>>> Hi there,
>>>
>>> It seems like your client isn't authenticated in both cases. You seem to
>>> be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if
>>> your user is already authenticated. Internally, Sqoop is generating
>>> delegation tokens to communicate with HBase. It cannot do that without
>>> being properly authenticated first though.
>>>
>>> Could you provide the output of the following command:
>>> "klist -e -v"
>>>
>>> -Abe
>>>
>>> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <[email protected]> wrote:
>>>
>>>> I have configured hbase 94.9 with kerberos successfully for
>>>> authentication and authorization as mentioned in the CDH security docs. I
>>>> am using sqoop 1.4.3. Is there any configuration required from the sqoop
>>>> client side for kerberos?
>>>>
>>>> I have the following permissions on hbase tables -
>>>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo'
>>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>>>> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
>>>> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN)
>>>>
>>>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB --table
>>>> t1 --hbase-table t1 --column-family world
>>>>
>>>> When I try to import into it using sqoop with the above cmd, I get the
>>>> following error -
>>>>
>>>> 2013-08-05 11:59:33,121 ERROR
>>>> org.apache.hadoop.hbase.regionserver.HRegionServer:
>>>> org.apache.hadoop.hbase.security.AccessDeniedException: Token
>>>> generation only allowed for Kerberos authenticated clients
>>>> at org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>> at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576)
>>>> at org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>> at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308)
>>>> at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426)
>>>>
>>>> Cheers,
>>>> Suhas.
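
The two things read off the `klist -e -v` output in this thread (whether the TGT can be renewed and whether it uses AES256) can be checked with a small script. This is an added example, not part of the original messages; `audit_tgt`, `sample_klist` and the `EXAMPLE.COM` realm are hypothetical names, and treating a missing `renew until` time, or one equal to the start time, as "not renewable" is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `klist -e` output on stdin and
# prints one line per TGT: <service principal> renewable=<yes|no> aes256=<yes|no>
audit_tgt() {
    awk '
    function report(   renew, p) {
        renew = ""
        # Timestamp after "renew until"; the line may be wrapped, so search
        # everything collected for this ticket.
        if (match(extra, "renew until[ \t]+[0-9/]+[ \t]+[0-9:]+")) {
            renew = substr(extra, RSTART, RLENGTH)
            sub("^renew until[ \t]+", "", renew)
            split(renew, p, "[ \t]+")
            renew = p[1] " " p[2]
        }
        # Assumption: no "renew until", or one equal to the start time,
        # means the ticket cannot be renewed.
        printf "%s renewable=%s aes256=%s\n", svc,
            (renew == "" || renew == start) ? "no" : "yes",
            (extra ~ /aes256/) ? "yes" : "no"
    }
    # A ticket line starts with a date: start date/time, end date/time, service.
    $1 ~ "^[0-9]+/[0-9]+/[0-9]+$" && NF >= 5 {
        if (tgt) report()
        tgt = ($5 ~ "^krbtgt/")
        start = $1 " " $2; svc = $5; extra = ""
        next
    }
    tgt { extra = extra " " $0 }
    END { if (tgt) report() }
    '
}

# Constructed sample shaped like the klist output quoted in the thread
# (the realm is a placeholder, not the one from the original cluster).
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kuser1@EXAMPLE.COM

Valid starting     Expires            Service principal
08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 08/05/13 12:34:42, Etype (skey, tkt):
    aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

sample_klist | audit_tgt
```

On a live client, `klist -e | audit_tgt` gives the same report for the current ticket cache.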
