Hi,
We are facing an issue with multiple credentials present in the Kerberos credential cache: when other users try to connect, curl fails, expecting only the user from the primary cache. We have 2 different principals, each attached to the same realm, and when trying to connect using curl, it always loads the primary cache, does not search for other credentials in the cache, and fails.

klist -A output snippet showing 2 different credentials:

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: [email protected]

Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/[email protected]
        renew until 07/09/14 18:31:12

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/[email protected]

Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/[email protected]
        renew until 07/09/14 18:30:54

Here our cache has 2 users, gpadmin and hdfs. When the user tries to connect as the gpadmin user, curl works fine, and when the user switches to hdfs, curl fails with an error.

Is there any way to provide the username parameter in the curl negotiate? Even though we are providing the user in -u hdfs:, it's not considering the curl user and authentication fails.

curl -i --negotiate -u hdfs: "http://10.31.251.254:50070/webhdfs/v1/?user.name=hdfs&op=LISTSTATUS"

HTTP/1.1 401
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1358
Server: Jetty(7.6.10.v20130312)

HTTP/1.1 401 Unauthorized
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Cache-Control: no-cache
Date: Wed, 09 Jul 2014 13:19:56 GMT
Pragma: no-cache
Set-Cookie: hadoop.auth="u=gpadmin&p=[email protected]&t=kerberos&e=1404947996223&s=KfBg3KDnhd5dxYvHMUYmDPqdEy4=";Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Server: Jetty(7.6.10.v20130312)

{"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=gpadmin"}}

Can anyone suggest how to make the curl library scan the Kerberos directory cache and load the proper principal for the particular user? Are there any options required on the webhdfs front to support multiple users with Kerberos?

Regards,
Sathish Valluri
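
An added example, not part of the original post: one way to pick the ticket cache that holds a given principal out of a DIR: collection by parsing klist -A output, then point KRB5CCNAME at it for a single curl call. It assumes MIT Kerberos; the function names and the EXAMPLE.COM principals are constructed for illustration.

```shell
#!/bin/sh
# Added example. Principals are constructed placeholders; the cache paths
# follow the klist -A output quoted in the post.
SAMPLE_KLIST='Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktSQ8abu
Default principal: gpadmin@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:31:12  07/10/14 18:22:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Ticket cache: DIR::/etc/netwitness/wc_cache_dir/tktEJgnPE
Default principal: hdfs/nn.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
07/09/14 18:30:54  07/10/14 18:22:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the ccache name whose "Default principal" equals $1.
# Reads klist -A style text on stdin; exit status 1 if nothing matches.
ccache_for_principal() {
  awk -v want="$1" '
    /^Ticket cache: /      { cache = substr($0, 15) }
    /^Default principal: / { if (substr($0, 20) == want) { print cache; found = 1; exit } }
    END                    { exit (found ? 0 : 1) }
  '
}

# Run curl against the cache that holds the wanted principal (hypothetical
# helper). The GSS-API layer takes its credential from the ccache, not from
# the name given to -u, so "-u :" only switches authentication on.
# Setting KRB5CCNAME per process leaves the collection's primary cache
# untouched, unlike kswitch -p, which changes it for every process that
# shares the directory.
curl_as_principal() {
  _principal=$1; shift
  _cc=$(klist -A 2>/dev/null | ccache_for_principal "$_principal") || {
    echo "no ticket cache for $_principal" >&2; return 1; }
  KRB5CCNAME="$_cc" curl --negotiate -u : "$@"
}

# Demo on the constructed sample: prints the cache holding the hdfs principal.
printf '%s\n' "$SAMPLE_KLIST" | ccache_for_principal 'hdfs/nn.example.com@EXAMPLE.COM'
```

With real tickets in place, the call would look like: curl_as_principal 'hdfs/nn.example.com@EXAMPLE.COM' -i "http://10.31.251.254:50070/webhdfs/v1/?op=LISTSTATUS"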
