I'm having a separate conversation with Claudia and have observed that the keytab for SPNEGO does not have the HTTP principal. It's a setup issue.

On Thu, Jul 10, 2014 at 9:51 PM, Arpit Gupta <[email protected]> wrote:

> This is probably related to having the wrong principal configured for
> spnego principal.
>
> SPNEGO protocol states that if your hostname is abcd.com the spnego
> principal it will try to connect to is HTTP/abcd.com.
>
> I think the spnego principal that is configured in the falcon properties
> does not map to the above guidelines. Hence when the client tries to
> authenticate kdc it does not find the HTTP/abcd.com logged in as the
> falcon server logged in for the other user.
>
> --
> Arpit Gupta
> Hortonworks Inc.
> http://hortonworks.com/
>
> On Jul 10, 2014, at 9:02 AM, Seetharam Venkatesh <[email protected]> wrote:
>
> > Please send the configs and logs so I can see what's the issue. Very hard to
> > debug with information in the email.
> >
> > On Thu, Jul 10, 2014 at 8:19 PM, Shwetha GS <[email protected]> wrote:
> >
> >> The error is specific to Kerberos authentication, probably something
> >> related to setup.
> >>
> >> Venkatesh, can you check this?
> >>
> >>> On Jul 10, 2014, at 7:36 PM, Claudia Nunez <[email protected]> wrote:
> >>>
> >>> I'm having the same problem. What do you mean it should be executed as end
> >>> user? Why don't we see this error when using simple authentication?
> >>>
> >>> Thanks
> >>>
> >>> -Claudia
> >>>
> >>>> On 7/10/14, 12:35 AM, "Shwetha GS" <[email protected]> wrote:
> >>>>
> >>>> cli command should be executed as end user
> >>>>
> >>>> On Thu, Jul 10, 2014 at 10:51 AM, Venkat R <[email protected]> wrote:
> >>>>
> >>>>> correction -- after kinit (using falcon user principal), when I run the
> >>>>> command, I get "server not found exception". Looks like something to do
> >>>>> with Kerberos.
> >>>>>
> >>>>> What kerberos principal should I use when calling CLI command? --
> >>>>> end-user, HTTP or falcon user?
> >>>>>
> >>>>> Thanks
> >>>>> Venkat
> >>>>>
> >>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>     at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
> >>>>>     at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
> >>>>>     at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
> >>>>>     at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> >>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> >>>>>     at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> >>>>>     at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
> >>>>>     ... 3 more
> >>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)
> >>>>>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
> >>>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
> >>>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> >>>>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>>>     at javax.security.auth.Subject.doAs(Subject.java:396)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> >>>>>     ... 6 more
> >>>>> Caused by: KrbException: Server not found in Kerberos database (7) - UNKNOWN_SERVER
> >>>>>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:64)
> >>>>>     at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
> >>>>>     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
> >>>>>     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
> >>>>>     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
> >>>>>     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
> >>>>>     ... 13 more
> >>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
> >>>>>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
> >>>>>     at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
> >>>>>     at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
> >>>>>     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
> >>>>>     ... 18 more
> >>>>> Error: Unable to initialize Falcon Client object
> >>>>>
> >>>>> On Wednesday, July 9, 2014 9:55 PM, Venkat R <[email protected]> wrote:
> >>>>>
> >>>>> Hi All,
> >>>>>
> >>>>> Running
> >>>>> bin/falcon admin -status
> >>>>> throws the following GSSException.
> >>>>> I have enabled kerberos for service and
> >>>>> SPNEGO (disabled SSL and bin/falcon-start -port 15000).
> >>>>> I'm able to access the falcon URL via Firefox, but not via CLI.
> >>>>> Is there something I'm missing any parameter while calling CLI?
> >>>>>
> >>>>> Appreciate any help.
> >>>>> Thanks
> >>>>>
> >>>>> ---- startup.properties ----
> >>>>>
> >>>>> *.falcon.authentication.type=kerberos
> >>>>> ##### Service Configuration
> >>>>> *.falcon.service.authentication.kerberos.principal=dm/_[email protected]
> >>>>> *.falcon.service.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> >>>>> *.dfs.namenode.kerberos.principal=hdfs/[email protected]
> >>>>>
> >>>>> ##### SPNEGO Configuration
> >>>>> *.falcon.http.authentication.type=kerberos
> >>>>> *.falcon.http.authentication.kerberos.principal=HTTP/_[email protected]
> >>>>> *.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
> >>>>> *.falcon.http.authentication.token.validity=36000
> >>>>> *.falcon.http.authentication.signature.secret=falcon
> >>>>> *.falcon.http.authentication.simple.anonymous.allowed=true
> >>>>> *.falcon.http.authentication.kerberos.name.rules=DEFAULT
> >>>>> *.falcon.http.authentication.blacklisted.users=
> >>>>>
> >>>>> ######### Authentication Properties #########
> >>>>> falcon.enableTLS=false
> >>>>>
> >>>>> ---- Exception --------------
> >>>>>
> >>>>> FalconURL -> http://localhost:15000/
> >>>>> Property: falcon.url = http://localhost:15000/
> >>>>> org.apache.falcon.client.FalconCLIException: Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>     at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:166)
> >>>>>     at org.apache.falcon.client.FalconClient.<init>(FalconClient.java:136)
> >>>>>     at org.apache.falcon.cli.FalconCLI.run(FalconCLI.java:169)
> >>>>>     at org.apache.falcon.cli.FalconCLI.main(FalconCLI.java:125)
> >>>>> Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:306)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:196)
> >>>>>     at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:232)
> >>>>>     at org.apache.falcon.client.FalconClient.getToken(FalconClient.java:164)
> >>>>>     ... 3 more
> >>>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
> >>>>>     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
> >>>>>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
> >>>>>     at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
> >>>>>     at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
> >>>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
> >>>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:285)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:261)
> >>>>>     at java.security.AccessController.doPrivileged(Native Method)
> >>>>>     at javax.security.auth.Subject.doAs(Subject.java:396)
> >>>>>     at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:261)
> >>>>>     ... 6 more
> >>>>> Error: Unable to initialize Falcon Client object
> >
> > --
> > Regards,
> > Venkatesh
> > Hortonworks, Inc.

--
Regards,
Venkatesh

“Perfection (in design) is achieved not when there is nothing more to add, but rather when there is nothing more to take away.” - Antoine de Saint-Exupéry
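
Added example, not part of the original thread or of Falcon's own code: a Python check for the two conditions discussed above, that the configured SPNEGO principal is present in the keytab and that it matches the HTTP/<hostname> name implied by the URL the CLI is given. The `_HOST` placeholder, the hostnames, the realm and the `klist -kt` listing are constructed assumptions.

```python
import re
from urllib.parse import urlparse

PRINCIPAL_KEY = "falcon.http.authentication.kerberos.principal"

def parse_properties(text):
    """Read key=value lines; skip comments and drop the leading '*.' prefix."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            props[key[2:] if key.startswith("*.") else key] = value
    return props

def keytab_principals(klist_output):
    """Principals in `klist -kt` text: data rows begin with a numeric KVNO."""
    rows = (re.match(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$", row)
            for row in klist_output.splitlines())
    return {m.group(1) for m in rows if m}

def check_spnego(props_text, klist_output, service_url, server_fqdn):
    """Return (code, principal) findings; an empty list means consistent."""
    configured = parse_properties(props_text).get(PRINCIPAL_KEY, "")
    configured = configured.replace("_HOST", server_fqdn)  # assumed placeholder
    name, _, realm = configured.partition("@")
    if not name.startswith("HTTP/") or not realm:
        return [("BAD_PRINCIPAL", configured or "(unset)")]
    findings = []
    if configured not in keytab_principals(klist_output):
        findings.append(("NOT_IN_KEYTAB", configured))
    # Per the thread the client asks for HTTP/<hostname>; the hostname is taken
    # from the URL as typed (assumption: no DNS canonicalization).
    requested = "HTTP/%s@%s" % (urlparse(service_url).hostname, realm)
    if requested != configured:
        findings.append(("URL_HOST_MISMATCH", requested))
    return findings

# Constructed sample input: hostname, realm and keytab listing are placeholders.
PROPS = """
*.falcon.http.authentication.kerberos.principal=HTTP/_HOST@EXAMPLE.COM
*.falcon.http.authentication.kerberos.keytab=/export/apps/hadoop/keytabs/dm.keytab
"""
KLIST = """Keytab name: FILE:/export/apps/hadoop/keytabs/dm.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------
   1 07/09/2014 10:00:00 dm/falcon01.example.com@EXAMPLE.COM
"""

FINDINGS = check_spnego(PROPS, KLIST, "http://localhost:15000/", "falcon01.example.com")
```

With the sample data, `FINDINGS` reports both a keytab that holds only the `dm/` service principal and a client URL whose host does not match the configured HTTP principal.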
