falcon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Venkat R <verama...@yahoo.com.INVALID>
Subject Re: Falcon CLI throws exception when hadoop security enabled
Date Thu, 10 Jul 2014 05:21:56 GMT
correction -- after kinit (using falcon user principal), when I run the command, I get "server
not found exception". Looks like somthign to do with Kerberos.

What kerberos principal should I use when calling CLI command? -- end-user, HTTP or falcon
user?

Thanks
Venkat



org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid
credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
        at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
        at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
        at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
        at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)
- UNKNOWN_SERVER)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
        at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
        at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
        ... 3 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found
in Kerberos database (7) - UNKNOWN_SERVER)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
        ... 6 more
Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
        ... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
        ... 18 more
Error: Unable to initialize Falcon Client object


On Wednesday, July 9, 2014 9:55 PM, Venkat R <veramacha@yahoo.com.INVALID> wrote:
 


Hi All,

Running 
bin/falcon admin -status 
throws the following GSSException. 
I have enabled kerberos for service and
 SPNEGO (disabled SSL and bin/falcon-start -port 15000). 
I'm able to access the falcon URL via Firefox, but not via CLI. 
is there something i'm missing any parameter while calling CLI?

appreciate any help.
Thanks

---- startup.properties ----


*.falcon.authentication.type=kerberos
##### Service Configuration
*.falcon.service.authentication.kerberos.principal=dm/_HOST@GRID.EXAMPLE.COM
*.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
*.dfs.namenode.kerberos.principal=hdfs/_HOST@GRID.EXAMPLE.COM

##### SPNEGO Configuration
*.falcon.http.authentication.type=kerberos
*.falcon.http.authentication.kerberos.principal=HTTP/_HOST@GRID.EXAMPLE.COM
*.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
*.falcon.http.authentication.token.validity=36000
*.falcon.http.authentication.signature.secret=falcon
*.falcon.http.authentication.simple.anonymous.allowed=true
*.falcon.http.authentication.kerberos.name.rules=DEFAULT
*.falcon.http.authentication.blacklisted.users=

######### Authentication
 Properties #########
falcon.enableTLS=false


---- Exception --------------


FalconURL -> http://localhost:15000/
Property: falcon.url = http://localhost:15000/
org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid
credentials provided (Mechanism level: Failed to find any
 Kerberos tgt)
        at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
        at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
        at
 org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
        at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
        at
 org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
        at
 org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
        ... 3 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any
Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
     
   at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
        ... 6 more
Error: Unable to initialize Falcon Client object
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message