robinlin created STORM-771:
------------------------------
Summary: Authentication with Kerberos
Key: STORM-771
URL: https://issues.apache.org/jira/browse/STORM-771
Project: Apache Storm
Issue Type: Question
Affects Versions: 0.9.1-incubating
Reporter: robinlin
I am using Storm in a Kerberized Cluster.
There is a user "Robin" on the Storm server, and I followed the steps below to
generate a keytab for Robin.
{noformat}
# /usr/sbin/kadmin.local
# kadmin.local: addprinc -randkey [email protected]
# kadmin.local: xst -norandkey -k Robin.keytab Robin
# scp Robin.keytab Robin@storm_server:/home/Robin
{noformat}
After this, I log in to the Storm server as Robin and authenticate Robin with his
own keytab (Robin.keytab):
{noformat}
# kinit -k -t Robin.keytab Robin
{noformat}
The output of klist is
{noformat}
Ticket cache: FILE:/tmp/krb5cc_1006
Default principal: [email protected]
Valid starting     Expires            Service principal
04/15/15 11:34:19  04/16/15 11:34:19  krbtgt/[email protected]
        renew until 04/15/15 11:34:19
{noformat}
But an authentication error occurred when I executed
{noformat}
# storm list
{noformat}
The error was
{noformat}
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: No password provided
    at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:108)
    at backtype.storm.security.auth.TBackoffConnect.doConnectWithRetry(TBackoffConnect.java:48)
    at backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:97)
    at backtype.storm.security.auth.ThriftClient.<init>(ThriftClient.java:66)
    at backtype.storm.utils.NimbusClient.<init>(NimbusClient.java:47)
    at backtype.storm.thrift$nimbus_client_and_conn.invoke(thrift.clj:71)
    at backtype.storm.command.list$_main.invoke(list.clj:22)
    at clojure.lang.AFn.applyToHelper(AFn.java:159)
    at clojure.lang.AFn.applyTo(AFn.java:151)
    at backtype.storm.command.list.main(Unknown Source)
Caused by: javax.security.auth.login.LoginException: No password provided
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:878)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
{noformat}
Here are my Kerberos settings in "storm.yaml"
{noformat}
storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
storm.zookeeper.superACL: "sasl:storm"
java.security.auth.login.config: "/etc/storm/conf/storm_jaas.conf"
nimbus.admins:
  - "storm"
nimbus.supervisor.users:
  - "storm"
nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
drpc.authorizer: "backtype.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer"
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/slave"
  "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
  "kerberos.name.rules": "DEFAULT"
supervisor.enable: true
{noformat}
And "storm_jaas.conf"
{noformat}
StormServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="nimbus/[email protected]";
};
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.service.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="[email protected]";
};
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.service.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="[email protected]";
};
{noformat}
By the way, the cluster is installed via Ambari 1.7.
Thanks in advance.
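An added diagnostic example (not part of the original report and not Storm's own code): it parses a JAAS file like the "storm_jaas.conf" quoted above and reports, per section, which credential sources Krb5LoginModule can use for the current user without prompting for a password. The sample section, the `EXAMPLE.COM` principal and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample mirroring the StormClient section quoted in the report;
# the principal is a placeholder, not a value from the page.
SAMPLE_JAAS = '''
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.service.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm@EXAMPLE.COM";
};
'''

SECTION_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')

def parse_jaas(text):
    """Return {section_name: {option: value}} for each JAAS login section."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments
    return {name: dict(OPTION_RE.findall(body))
            for name, body in SECTION_RE.findall(text)}

def credential_sources(options, readable=lambda p: os.access(p, os.R_OK)):
    """List where Krb5LoginModule can get credentials without prompting."""
    def flag(key):
        return options.get(key, "false").lower() == "true"
    sources = []
    if flag("useTicketCache"):      # tickets obtained earlier with kinit
        sources.append("ticket cache")
    keytab = options.get("keyTab")
    # Only an explicit keyTab path is checked; default-keytab lookup is not modelled.
    if flag("useKeyTab") and keytab and readable(keytab):
        sources.append("keytab")
    return sources

def audit(text, readable=lambda p: os.access(p, os.R_OK)):
    """Map each section to the credential sources usable by the current user."""
    return {name: credential_sources(opts, readable)
            for name, opts in parse_jaas(text).items()}

if __name__ == "__main__":
    for section, sources in audit(SAMPLE_JAAS).items():
        print(section, "->", ", ".join(sources) or "none (module falls back to a password prompt)")
```

Run it as the account that invokes the `storm` client, since keytab readability depends on that account's file permissions.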