I¹m having the same problem. What do you mean it should be executed as end user? Why we don¹t see this error when using simple authentication?
Thanks -Claudia On 7/10/14, 12:35 AM, "Shwetha GS" <[email protected]> wrote: >cli command should be executed as end user > > >On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <[email protected]> >wrote: > >> correction -- after kinit (using falcon user principal), when I run the >> command, I get "server not found exception". Looks like somthign to do >>with >> Kerberos. >> >> What kerberos principal should I use when calling CLI command? -- >> end-user, HTTP or falcon user? >> >> Thanks >> Venkat >> >> >> >> org.apache.falcon.client.FalconCLIException: Could not authenticate, >> GSSException: No valid credentials provided (Mechanism level: Server not >> found in Kerberos database (7) - UNKNOWN_SERVER) >> at >> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166) >> at >> org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136) >> at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169) >> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125) >> Caused by: >> >>org.apache.hadoop.security.authentication.client.AuthenticationException: >> GSSException: No valid credentials provided (Mechanism level: Server not >> found in Kerberos database (7) - UNKNOWN_SERVER) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.do >>SpnegoSequence(KerberosAuthenticator.java:306) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.au >>thenticate(KerberosAuthenticator.java:196) >> at >> >>org.apache.hadoop.security.authentication.client.AuthenticatedURL.openCon >>nection(AuthenticatedURL.java:232) >> at >> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164) >> ... 3 more >> Caused by: GSSException: No valid credentials provided (Mechanism level: >> Server not found in Kerberos database (7) - UNKNOWN_SERVER) >> at >> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663) >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1. >>run(KerberosAuthenticator.java:285) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1. >>run(KerberosAuthenticator.java:261) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAs(Subject.java:396) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.do >>SpnegoSequence(KerberosAuthenticator.java:261) >> ... 6 more >> Caused by: KrbException: Server not found in Kerberos database (7) - >> UNKNOWN_SERVER >> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64) >> at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185) >> at >> >>sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.j >>ava:294) >> at >> >>sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Credential >>sUtil.java:106) >> at >> sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557) >> at >> sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594) >> ... 13 more >> Caused by: KrbException: Identifier doesn't match expected value (906) >> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) >> at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58) >> at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53) >> at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46) >> ... 18 more >> Error: Unable to initialize Falcon Client object >> >> >> On Wednesday, July 9, 2014 9:55 PM, Venkat R >><[email protected]> >> wrote: >> >> >> >> Hi All, >> >> Running >> bin/falcon admin -status >> throws the following GSSException. >> I have enabled kerberos for service and >> SPNEGO (disabled SSL and bin/falcon-start -port 15000). >> I'm able to access the falcon URL via Firefox, but not via CLI. >> is there something i'm missing any parameter while calling CLI? >> >> appreciate any help. >> Thanks >> >> ---- startup.properties ---- >> >> >> *.falcon.authentication.type=kerberos >> ##### Service Configuration >> *.falcon.service.authentication.kerberos.principal=dm/_ >> [email protected] >> >> >>*.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keyta >>bs/dm.keytab >> *.dfs.namenode.kerberos.principal=hdfs/[email protected] >> >> ##### SPNEGO Configuration >> *.falcon.http.authentication.type=kerberos >> *.falcon.http.authentication.kerberos.principal=HTTP/_ >> [email protected] >> >> >>*.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/ >>dm.keytab >> *.falcon.http.authentication.token.validity=36000 >> *.falcon.http.authentication.signature.secret=falcon >> *.falcon.http.authentication.simple.anonymous.allowed=true >> *.falcon.http.authentication.kerberos.name.rules=DEFAULT >> *.falcon.http.authentication.blacklisted.users= >> >> ######### Authentication >> Properties ######### >> falcon.enableTLS=false >> >> >> ---- Exception -------------- >> >> >> FalconURL -> http://localhost:15000/ >> Property: falcon.url = http://localhost:15000/ >> org.apache.falcon.client.FalconCLIException: Could not authenticate, >> GSSException: No valid credentials provided (Mechanism level: Failed to >> find any >> Kerberos tgt) >> at >> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166) >> at >> org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136) >> at >> org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169) >> at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125) >> Caused by: >> >>org.apache.hadoop.security.authentication.client.AuthenticationException: >> GSSException: No valid credentials provided (Mechanism level: Failed to >> find any Kerberos tgt) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.do >>SpnegoSequence(KerberosAuthenticator.java:306) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.au >>thenticate(KerberosAuthenticator.java:196) >> at >> >> >>org.apache.hadoop.security.authentication.client.AuthenticatedURL.openCon >>nection(AuthenticatedURL.java:232) >> at >> org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164) >> ... 3 more >> Caused by: GSSException: No valid credentials provided (Mechanism level: >> Failed to find any Kerberos tgt) >> at >> >>sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential. >>java:130) >> at >> >>sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFacto >>ry.java:106) >> at >> >>sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactor >>y.java:172) >> at >> >>sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java: >>209) >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195) >> >> at >> sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1. >>run(KerberosAuthenticator.java:285) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1. >>run(KerberosAuthenticator.java:261) >> at java.security.AccessController.doPrivileged(Native Method) >> at javax.security.auth.Subject.doAs(Subject.java:396) >> at >> >>org.apache.hadoop.security.authentication.client.KerberosAuthenticator.do >>SpnegoSequence(KerberosAuthenticator.java:261) >> ... 6 more >> Error: Unable to initialize Falcon Client object >> > >-- >_____________________________________________________________ >The information contained in this communication is intended solely for >the >use of the individual or entity to whom it is addressed and others >authorized to receive it. It may contain confidential or legally >privileged >information. If you are not the intended recipient you are hereby >notified >that any disclosure, copying, distribution or taking any action in >reliance >on the contents of this information is strictly prohibited and may be >unlawful. If you have received this communication in error, please notify >us immediately by responding to this email and then delete it from your >system. The firm is neither liable for the proper and complete >transmission >of the information contained in this communication nor for any delay in >its >receipt.
