The CLI command should be executed as the end user.

On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <[email protected]>
wrote:

> correction -- after kinit (using falcon user principal), when I run the
> command, I get "server not found exception". Looks like something to do with
> Kerberos.
>
> What kerberos principal should I use when calling CLI command? --
> end-user, HTTP or falcon user?
>
> Thanks
> Venkat
>
>
>
> org.apache.falcon.client.FalconCLIException: Could not authenticate,
> GSSException: No valid credentials provided (Mechanism level: Server not
> found in Kerberos database (7) - UNKNOWN_SERVER)
>         at
> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>         at
> org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>         at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>         at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> Caused by:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Server not
> found in Kerberos database (7) - UNKNOWN_SERVER)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>         at
> org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>         at
> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>         ... 3 more
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Server not found in Kerberos database (7) - UNKNOWN_SERVER)
>         at
> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
>         at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
>         at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>         ... 6 more
> Caused by: KrbException: Server not found in Kerberos database (7) -
> UNKNOWN_SERVER
>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
>         at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
>         at
> sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
>         at
> sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
>         at
> sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
>         at
> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
>         ... 13 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
>         at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
>         at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
>         at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
>         ... 18 more
> Error: Unable to initialize Falcon Client object
>
>
> On Wednesday, July 9, 2014 9:55 PM, Venkat R <[email protected]>
> wrote:
>
>
>
> Hi All,
>
> Running
> bin/falcon admin -status
> throws the following GSSException.
> I have enabled Kerberos for service and
> SPNEGO (disabled SSL and bin/falcon-start -port 15000).
> I'm able to access the falcon URL via Firefox, but not via CLI.
> Is there something I'm missing, any parameter while calling the CLI?
>
> Appreciate any help.
> Thanks
>
> ---- startup.properties ----
>
>
> *.falcon.authentication.type=kerberos
> ##### Service Configuration
> *.falcon.service.authentication.kerberos.principal=dm/_
> [email protected]
>
> *.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> *.dfs.namenode.kerberos.principal=hdfs/[email protected]
>
> ##### SPNEGO Configuration
> *.falcon.http.authentication.type=kerberos
> *.falcon.http.authentication.kerberos.principal=HTTP/_
> [email protected]
>
> *.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> *.falcon.http.authentication.token.validity=36000
> *.falcon.http.authentication.signature.secret=falcon
> *.falcon.http.authentication.simple.anonymous.allowed=true
> *.falcon.http.authentication.kerberos.name.rules=DEFAULT
> *.falcon.http.authentication.blacklisted.users=
>
> ######### Authentication Properties #########
> falcon.enableTLS=false
>
>
> ---- Exception --------------
>
>
> FalconURL -> http://localhost:15000/
> Property: falcon.url = http://localhost:15000/
> org.apache.falcon.client.FalconCLIException: Could not authenticate,
> GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)
>         at
> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
>         at
> org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
>         at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
>         at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> Caused by:
> org.apache.hadoop.security.authentication.client.AuthenticationException:
> GSSException: No valid credentials provided (Mechanism level: Failed to
> find any Kerberos tgt)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
>         at
> org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
>         at
> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
>         ... 3 more
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)
>         at
> sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
>         at
> sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
>         at
> sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
>         at
> sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
>         at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
>         at
> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at
> org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
>         ... 6 more
> Error: Unable to initialize Falcon Client object
>
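
The two failures quoted in this thread point at different sides of the exchange: a missing client TGT, and a service principal the KDC does not know. As an added example (not code from the thread or from the Falcon project), this script classifies the GSSException text and derives the `HTTP/<host>` service principal a SPNEGO client requests for a given URL; the function names are hypothetical, the sample inputs are constructed from the messages quoted above, and the suggested checks rest on general Kerberos/SPNEGO behaviour rather than a diagnosis confirmed in the thread.

```shell
#!/bin/sh
# Added example: triage for the two GSSException messages in this thread.
# Function names are hypothetical; inputs are constructed from the quoted text.

# A SPNEGO client asks the KDC for a service ticket named HTTP/<host>,
# where <host> is taken from the URL it was told to connect to.
spn_for_url() {
    hostport=${1#*://}                     # drop the scheme
    hostport=${hostport%%/*}               # drop the path
    printf 'HTTP/%s\n' "${hostport%%:*}"   # drop the port
}

# Map the "Mechanism level" text to the kind of failure.
classify_gss_error() {
    case $1 in
        *"Failed to find any Kerberos tgt"*)
            echo "no-tgt" ;;
        *"Server not found in Kerberos database"*)
            echo "unknown-spn" ;;
        *)  echo "other" ;;
    esac
}

# Combine both: say what to check for a given falcon.url and error text.
triage() {
    url=$1
    msg=$2
    spn=$(spn_for_url "$url")
    case $(classify_gss_error "$msg") in
        no-tgt)
            echo "client has no TGT: kinit as the end user, confirm with klist" ;;
        unknown-spn)
            echo "KDC has no principal matching $spn: point falcon.url at the host name used in the server's HTTP principal" ;;
        *)  echo "unrecognized: read the innermost 'Caused by' in the stack trace" ;;
    esac
}

# Constructed inputs taken from the two stack traces quoted above.
triage "http://localhost:15000/" \
    "Mechanism level: Failed to find any Kerberos tgt"
triage "http://localhost:15000/" \
    "Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER"
```
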
