klist -e -v 

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: kuser1@QA.LAB

Valid starting     Expires            Service principal
08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/QA.LAB@QA.LAB
renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

Kerberos 5 version 1.10.3

The principal in hbase-site.xml is 
hbase/qa-node133.qa.lab@QA.LAB

How do I create a credential using kinit matching that in hbase-site.xml?  kinit  hbase/qa-node133.qa.lab   throws an error msg 
kinit: Password incorrect while getting initial credentials
although I know that there is no password for that principal.



Cheers,
Suhas.


On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <abe@cloudera.com> wrote:
Hi there,

It seems like your client isn't authenticated in both cases. You seem to be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if your user is already authenticated. Internally, Sqoop is generating delegation tokens to communicate with HBase. It cannot do that without being properly authenticated first though.

Could you provide the output of the following command:
"klist -e -v"

-Abe


On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <suhas.satish@gmail.com> wrote:
I have configured hbase 94.9  with kerberos successfully for authentication and authorization as mentioned in the CDH security docs. I am using sqoop 1.4.3. Is there any configuration required from the sqoop client side for kerberos?

I have the following permissions on hbase tables - 
hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo'
ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN)


bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB    --table t1  --hbase-table  t1  --column-family world


When I try to import into it using sqoop with the above cmd, I get the following error - 


2013-08-05 11:59:33,121 ERROR org.apache.hadoop.hbase.regionserver.HRegionServer: 
org.apache.hadoop.hbase.security.AccessDeniedException: Token generation only allowed for Kerberos authenticated clients
at org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576)
at org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308)
at org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426)


Cheers,
Suhas.