[
https://issues.apache.org/jira/browse/HADOOP-15758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16615305#comment-16615305
]
Hrishikesh Gadre edited comment on HADOOP-15758 at 9/14/18 7:50 PM:
--------------------------------------------------------------------
Here is a sample program to reproduce this issue:
[https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece]
The steps to reproduce are as follows
* export KRB5CCNAME=/tmp/krb5cc_foo
* export CLASSPATH=$CLASSPATH:$(hadoop classpath)
* javac ReadWriteHDFSWithKinit.java
* kinit -l 1m -kt hdfs.keytab [[email protected]|mailto:[email protected]] # kinit as a superuser (could be any user that has the ability to proxy)
* java ReadWriteHDFSWithKinit systest # note: access file as systest via the FileSystem.get(uri,conf,user) API
The last step fails with the following exception:
{noformat}
WARN security.UserGroupInformation: PriviledgedActionException as:[email protected]
(auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)]
18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to
the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
18/06/21 12:59:58 WARN security.UserGroupInformation:
PriviledgedActionException as:[email protected] (auth:KERBEROS)
cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]
18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for
[DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds. Will retry shortly ...
java.io.IOException: Failed on local exception: java.io.IOException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination
host is: "host-1.abc.com":8020;
{noformat}
was (Author: hgadre):
Here is a sample program to reproduce this issue:
[https://gist.github.com/hgadre/38e1b625a6af70f1659fb19137a12ece]
The steps to reproduce are as follows
* export KRB5CCNAME=/tmp/krb5cc_foo
* export CLASSPATH=$CLASSPATH:$(hadoop classpath)
* javac ReadWriteHDFSWithKinit.java
* kinit -l 1m -kt hdfs.keytab [[email protected]|mailto:[email protected]] # kinit as a superuser (could be any user that has the ability to proxy)
* java ReadWriteHDFSWithKinitCloudera systest # note: access file as systest via the FileSystem.get(uri,conf,user) API
The last step fails with the following exception:
{noformat}
WARN security.UserGroupInformation: PriviledgedActionException as:[email protected]
(auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism level: Failed
to find any Kerberos tgt)]
18/06/21 12:59:58 WARN ipc.Client: Exception encountered while connecting to
the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: Failed to find
any Kerberos tgt)]
18/06/21 12:59:58 WARN security.UserGroupInformation:
PriviledgedActionException as:[email protected] (auth:KERBEROS)
cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate
failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Failed to find any Kerberos tgt)]
18/06/21 12:59:58 WARN hdfs.LeaseRenewer: Failed to renew lease for
[DFSClient_NONMAPREDUCE_1855947848_1] for 30 seconds. Will retry shortly ...
java.io.IOException: Failed on local exception: java.io.IOException:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Failed to find any Kerberos
tgt)]; Host Details : local host is: "host-2.abc.com/10.15.13.17"; destination
host is: "host-1.abc.com":8020;
{noformat}
> Filesystem.get API not working as expected with user argument
> -------------------------------------------------------------
>
> Key: HADOOP-15758
> URL: https://issues.apache.org/jira/browse/HADOOP-15758
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Hrishikesh Gadre
> Priority: Major
>
> A user reported that the Filesystem.get API is not working as expected when
> they use the 'FileSystem.get(URI, Configuration, user)' method signature -
> but 'FileSystem.get(URI, Configuration)' works fine. The user is trying to
> use this method signature to mimic proxy user functionality e.g. provide
> ticket cache based kerberos credentials (using KRB5CCNAME env variable) for
> the proxy user and then in the java program pass name of the user to be
> impersonated. The alternative, to use [proxy users
> functionality|https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/Superusers.html]
> in Hadoop works as expected.
>
> Since FileSystem.get(URI, Configuration, user) is a public API and it does
> not restrict its usage in this fashion, we should ideally make it work or add
> docs to discourage its usage to implement proxy users.
>
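The proxy-user alternative that the issue description says works as expected, as an added example that is not part of the original message or the linked gist. The class name `ProxyUserList` and its two command-line arguments are hypothetical; it assumes a Kerberos-enabled client configuration on the CLASSPATH and a ticket cache populated with kinit as in the steps above.

```java
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Added example (hypothetical class): list a path as an impersonated user
// through the Hadoop proxy-user mechanism instead of FileSystem.get(uri, conf, user).
public class ProxyUserList {
  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: ProxyUserList <user-to-impersonate> <hdfs-uri>");
      System.exit(2);
    }
    String proxied = args[0];
    URI uri = URI.create(args[1]);

    // Loads core-site.xml / hdfs-site.xml from the CLASSPATH.
    Configuration conf = new Configuration();
    UserGroupInformation.setConfiguration(conf);

    // Real user: the principal that ran kinit. With Kerberos authentication
    // enabled, the login picks up the ticket cache named by KRB5CCNAME.
    UserGroupInformation real = UserGroupInformation.getLoginUser();
    if (!real.hasKerberosCredentials()) {
      // Fail early with a clear message rather than at the first RPC.
      throw new IllegalStateException(
          "no Kerberos credentials for " + real.getUserName());
    }

    // The proxy UGI carries the impersonated name plus a reference to the
    // real user, whose TGT authenticates the connection to the NameNode.
    UserGroupInformation proxy =
        UserGroupInformation.createProxyUser(proxied, real);

    // The cast selects the PrivilegedExceptionAction overload of doAs.
    FileStatus[] entries = proxy.doAs((PrivilegedExceptionAction<FileStatus[]>) () -> {
      FileSystem fs = FileSystem.get(uri, conf);
      String p = uri.getPath();
      return fs.listStatus(new Path(p.isEmpty() ? "/" : p));
    });
    for (FileStatus e : entries) {
      System.out.println(e.getOwner() + "\t" + e.getPath());
    }
  }
}
```

The NameNode only honours the impersonation if the real user is authorised for it through the `hadoop.proxyuser.<superuser>.hosts` and `hadoop.proxyuser.<superuser>.groups` (or `.users`) settings described in the Superusers documentation linked in the issue; keep those lists as narrow as the deployment allows.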