sqoop-user mailing list archives

From Suhas Satish <suhas.sat...@gmail.com>
Subject Re: sqoop import into secure Hbase with kerberos
Date Mon, 05 Aug 2013 20:53:21 GMT

klist -e -v

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kuser1@QA.LAB

Valid starting     Expires            Service principal
08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/QA.LAB@QA.LAB
renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Kerberos 5 version 1.10.3

The principal in hbase-site.xml is
hbase/qa-node133.qa.lab@QA.LAB

How do I create a credential using kinit matching that in hbase-site.xml?
kinit hbase/qa-node133.qa.lab throws an error msg
*kinit: Password incorrect while getting initial credentials*
*although I know that there is no password for that principal.*

Cheers,
Suhas.


On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <abe@cloudera.com> wrote:

> Hi there,
>
> It seems like your client isn't authenticated in both cases. You seem to
> be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if
> your user is already authenticated. Internally, Sqoop is generating
> delegation tokens to communicate with HBase. It cannot do that without
> being properly authenticated first though.
>
> Could you provide the output of the following command:
> "klist -e -v"
>
> -Abe
>
>
> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <suhas.satish@gmail.com> wrote:
>
>> I have configured hbase 94.9  with kerberos successfully for
>> authentication and authorization as mentioned in the CDH security docs. I
>> am using sqoop 1.4.3. Is there any configuration required from the sqoop
>> client side for kerberos?
>>
>> I have the following permissions on hbase tables -
>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo'
>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN)
>>
>>
>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB    --table t1
>>  --hbase-table  t1  --column-family world
>>
>>
>> When I try to import into it using sqoop with the above cmd, I get the
>> following error -
>>
>>
>> 2013-08-05 11:59:33,121 ERROR org.apache.hadoop.hbase.regionserver.HRegionServer: org.apache.hadoop.hbase.security.AccessDeniedException: Token generation only allowed for Kerberos authenticated clients
>>     at org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576)
>>     at org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>     at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308)
>>     at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426)
>>
>>
>> Cheers,
>> Suhas.
>>
>
>
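
The requirement stated in the quoted reply, that the client must hold Kerberos credentials before Sqoop can obtain HBase delegation tokens, can be checked from `klist` output before the job is launched. The script below is an added example, not part of the original thread: the function names `sample_klist` and `tgt_status` are hypothetical, the sample text is reconstructed from the `klist -e -v` output above, and it assumes the `MM/DD/YY hh:mm:ss` timestamp layout shown there.

```shell
#!/bin/sh
# Added example: pre-flight check that a ticket cache holds an unexpired TGT.
# Function names are illustrative; the date layout (MM/DD/YY) is an assumption
# taken from the klist output quoted in this thread.

# Constructed sample input, reconstructed from the klist output in the thread.
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kuser1@QA.LAB

Valid starting     Expires            Service principal
08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/QA.LAB@QA.LAB
renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
EOF
}

# tgt_status NOW
#   Reads klist text on stdin; NOW is the current time as YYMMDDhhmmss.
#   Prints "<default principal> <state>", state = valid | expired | no-tgt.
#   Exit status is 0 only when an unexpired krbtgt for the realm is present.
tgt_status() {
  awk -v now="$1" '
    # MM/DD/YY hh:mm:ss -> YYMMDDhhmmss, so timestamps compare as strings
    function key(d, t,   p) {
      split(d, p, "/"); gsub(":", "", t)
      return p[3] p[1] p[2] t
    }
    /^Default principal:/ {
      princ = $3
      n = split(princ, a, "@"); realm = a[n]
    }
    # Ticket line whose service principal is the realm TGT
    $5 == ("krbtgt/" realm "@" realm) {
      found = 1
      if (now < key($3, $4)) ok = 1
    }
    END {
      state = !found ? "no-tgt" : (ok ? "valid" : "expired")
      print princ, state
      exit(state == "valid" ? 0 : 1)
    }'
}

# Stand-alone demo on the constructed sample, evaluated at 13:00:00 on 08/05/13.
sample_klist | tgt_status 130805130000
```

In a wrapper script, feed it live data with `klist | tgt_status "$(date +%y%m%d%H%M%S)"` and stop before calling `sqoop import` when the exit status is non-zero.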
