Hi Harsh,

thanks for the suggestion. I added HADOOP_PREFIX so that the conf folder is in the path. It still doesn't work, so I suppose Hadoop's core-site.xml is faulty (though I need a Kerberos ticket to use Hadoop, so security is working). In fact, when I try to list from HBase shell I get

13/08/29 23:47:43 ERROR security.UserGroupInformation: PriviledgedActionException as:[email protected] cause:java.io.IOException: Failed to specify server's Kerberos principal name
13/08/29 23:47:43 INFO security.UserGroupInformation: Initiating logout for [email protected]
13/08/29 23:47:43 INFO security.UserGroupInformation: Initiating re-login for [email protected]

The file core-site.xml contains the following

<property>
  <name>fs.default.name</name>
  <value>hdfs://10.156.120.41:9000</value>
</property>
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.kerberos.kinit.command</name>
  <value>/usr/bin/kinit</value>
</property>

What else should I need? Maybe a reference to the keytab contained in hbase/conf/zk-jaas.conf?
Bye,

Matteo

Matteo Lanati
Distributed Resources Group
Leibniz-Rechenzentrum (LRZ)
Boltzmannstrasse 1
85748 Garching b. München (Germany)
Phone: +49 89 35831 8724
________________________________________
From: Harsh J [[email protected]]
Sent: 29 August 2013 15:53
To: [email protected]
Subject: Re: HBase client with security

Two things come to mind:

1. Is HADOOP_CONF_DIR also on HBase's classpath? If it or HADOOP_PREFIX/HADOOP_HOME is defined, it usually is. But re-check via "hbase classpath"

2. Assuming (1) is good, does your core-site.xml have kerberos authentication settings for hadoop as well?

On Thu, Aug 29, 2013 at 6:58 PM, Lanati, Matteo <[email protected]> wrote:
> Hi all,
>
> I set up Hadoop (1.2.0), Zookeeper (3.4.5) and HBase (0.94.8-security) with security.
> HBase works if I launch the shell from the node running the master, but I'd like to use it from an external machine.
> I prepared one, copying the Hadoop and HBase installation folders and adapting the path (indeed I can use the same client to run MR jobs and interact with HDFS).
>
> Regarding HBase client configuration:
>
> - hbase-site.xml specifies
>
>   <property>
>     <name>hbase.security.authentication</name>
>     <value>kerberos</value>
>   </property>
>   <property>
>     <name>hbase.rpc.engine</name>
>     <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
>   </property>
>   <property>
>     <name>hbase.zookeeper.quorum</name>
>     <value>master.hadoop.local,host49.hadoop.local</value>
>   </property>
>
>   where the zookeeper hosts are reachable and can be resolved via DNS. I had to specify them, otherwise the shell complains about "org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /hbase/hbaseid"
>
> - I have a keytab for the principal I want to use (<user running hbase/my client hostname@MYREALM>), correctly addressed by the file hbase/conf/zk-jaas.conf. In hbase-env.sh, the variable HBASE_OPTS points to zk-jaas.conf.
>
> Nonetheless, when I issue a command from a HBase shell on the client machine, I got an error in the HBase master log
>
> 2013-08-29 10:11:30,890 WARN org.apache.hadoop.ipc.HBaseServer: IPC Server listener on 60000: readAndProcess threw exception org.apache.hadoop.security.AccessControlException: Authentication is required. Count of bytes read: 0
> org.apache.hadoop.security.AccessControlException: Authentication is required
>     at org.apache.hadoop.hbase.ipc.SecureServer$SecureConnection.readAndProcess(SecureServer.java:435)
>     at org.apache.hadoop.hbase.ipc.HBaseServer$Listener.doRead(HBaseServer.java:748)
>     at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.doRunLoop(HBaseServer.java:539)
>     at org.apache.hadoop.hbase.ipc.HBaseServer$Listener$Reader.run(HBaseServer.java:514)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
>
> It looks like there's a mismatch between the client and the master regarding the authentication mechanism. Note that from the same client machine I can launch and use a Zookeeper shell.
> What am I missing in the client configuration? Does /etc/krb5.conf play any role in this?
> Thanks,
>
> Matteo
>
>
> Matteo Lanati
> Distributed Resources Group
> Leibniz-Rechenzentrum (LRZ)
> Boltzmannstrasse 1
> 85748 Garching b. München (Germany)
> Phone: +49 89 35831 8724
>
>

--
Harsh J
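The thread ends without a resolution. As an added example (not code from either poster or from the HBase project), the following audits the client-side core-site.xml and hbase-site.xml quoted above for the Kerberos settings a secure HBase client reads. It assumes, which the thread does not state, that the "Failed to specify server's Kerberos principal name" error is raised when hbase.master.kerberos.principal and hbase.regionserver.kerberos.principal are absent from the client's configuration; the embedded XML is a constructed sample built from the values in the messages.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the client-side files as quoted in the thread.
HBASE_SITE = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.rpc.engine</name><value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value></property>
  <property><name>hbase.zookeeper.quorum</name><value>master.hadoop.local,host49.hadoop.local</value></property>
</configuration>"""
CORE_SITE = """<configuration>
  <property><name>fs.default.name</name><value>hdfs://10.156.120.41:9000</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

# Key -> required value; None means "any non-empty value".
# The two *.kerberos.principal keys are the assumption named in the lead-in.
REQUIRED = {
    "hadoop.security.authentication": "kerberos",
    "hbase.security.authentication": "kerberos",
    "hbase.rpc.engine": "org.apache.hadoop.hbase.ipc.SecureRpcEngine",
    "hbase.master.kerberos.principal": None,
    "hbase.regionserver.kerberos.principal": None,
}

def load_properties(*xml_docs):
    """Merge Hadoop-style <property> entries; later documents override earlier ones."""
    props = {}
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if name:
                props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_client(props):
    """Return one finding per required key that is missing or has the wrong value."""
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key, "")
        if not actual:
            findings.append(f"{key}: missing")
        elif expected is not None and actual != expected:
            findings.append(f"{key}: {actual!r}, expected {expected!r}")
    return findings

if __name__ == "__main__":
    # core-site.xml is loaded first, hbase-site.xml on top of it.
    for line in audit_client(load_properties(CORE_SITE, HBASE_SITE)) or ["client config OK"]:
        print(line)
```

On the configuration quoted in the thread, only the two server-principal keys are reported; the authentication and RPC-engine settings already match.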
