This looks promising!

On the host machine at /etc/hbase/conf, we have a jaas.conf file.

It had useKeyTab = false
We have changed it to:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab=/home/<username>/username.keytab
  useTicketCache=true;
};

Do we also need to add the other jaas files as shown here?
https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-2.html



Sent from my iPhone

> On Feb 11, 2015, at 7:05 PM, Mikhail Antonov <[email protected]> wrote:
> 
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
> 
> Krb5LoginModule falls back to asking user for password when it's
> either not configured to use keytabs, or can't find/read one. Do you
> have JAAS conf file setup? You'd need to set useKeyTab=true and
> keyTab=<path> there.
> 
> -Mikhail
> 
>> On Wed, Feb 11, 2015 at 6:50 PM, Jiten Gore <[email protected]> wrote:
>> Currently, running from a windows computer from within Eclipse. So 
>> permissions should not be an issue.
>> 
>> Just set the property:
>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>> 
>> And got this output:
>> Java config name: null
>> Native config name: C:\Windows\krb5.ini
>> getRealmFromDNS: trying <realm>
>> getRealmFromDNS: trying <realm>
>> Java config name: null
>> Native config name: C:\Windows\krb5.ini
>> >>> KdcAccessibility: reset
>> >>> KdcAccessibility: reset
>> >>> KeyTabInputStream, readName(): <REALM>
>> >>> KeyTabInputStream, readName(): <username>
>> >>> KeyTab: load() entry length: 53; type: 23
>> >>> KeyTabInputStream, readName(): <REALM>
>> >>> KeyTabInputStream, readName(): <username>
>> >>> KeyTab: load() entry length: 69; type: 18
>> >>> KeyTabInputStream, readName(): <REALM>
>> >>> KeyTabInputStream, readName(): <username>
>> >>> KeyTab: load() entry length: 53; type: 17
>> Ordering keys wrt default_tkt_enctypes list
>> Using builtin default etypes for default_tkt_enctypes
>> default etypes for default_tkt_enctypes: 17 16 23 1 3.
>> Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<REALM> from keytab <path_to_keytab_file>
>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>> at Kerberos.KerberosAuthentication.App.hbase(App.java:44)
>> at Kerberos.KerberosAuthentication.App.main(App.java:17)
>> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
>> 
>> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:606)
>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>> ... 2 more
>> LSA: Found Ticket
>> LSA: Made NewWeakGlobalRef
>> LSA: Found PrincipalName
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue
>> LSA: Made NewWeakGlobalRef
>> LSA: Found EncryptionKey
>> LSA: Made NewWeakGlobalRef
>> LSA: Found TicketFlags
>> LSA: Made NewWeakGlobalRef
>> LSA: Found KerberosTime
>> LSA: Made NewWeakGlobalRef
>> LSA: Found String
>> LSA: Made NewWeakGlobalRef
>> LSA: Found DerValue constructor
>> LSA: Found Ticket constructor
>> LSA: Found PrincipalName constructor
>> LSA: Found EncryptionKey constructor
>> LSA: Found TicketFlags constructor
>> LSA: Found KerberosTime constructor
>> LSA: Finished OnLoad processing
>> 
>> 
>> Sent from my iPhone
>> 
>>> On Feb 11, 2015, at 6:29 PM, Mikhail Antonov <[email protected]> wrote:
>>> 
>>> Interesting.
>>> 
>>> Your java program runs under the same user, as shell for kinit?
>>> Anything in /var/log/krb5kdc.log (with debug logging on)?
>>> 
>>>> On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <[email protected]> wrote:
>>>> The host names in libdefaults and realms in krb5.conf exactly match the 
>>>> host name used in the principal name.
>>>> 
>>>> From command line, we are able to get the TGT using the following command:
>>>> kinit -k -t <keytab> -p <username>
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>>>>> 
>>>>> Another thing to check is the [libdefaults] and [realms] sections in
>>>>> krb5.conf, in case there's any typo or wrong case in there.
>>>>> 
>>>>> You can get the TGT from the kinit command using this keytab, right?
>>>>> 
>>>>> -Mikhail
>>>>> 
>>>>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]> 
>>>>>> wrote:
>>>>>> Just checking.. is that full log? Does the principal name have the
>>>>>> _HOST portion in it?
>>>>>> 
>>>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>>>>>> Thanks Mikhail. Yes it has been so installed.
>>>>>>> 
>>>>>>> We downloaded the JCE unlimited encryption jar files and replaced the 
>>>>>>> existing jre jar files. Is there anything else that we need to do?
>>>>>>> 
>>>>>>> Sent from my iPhone
>>>>>>> 
>>>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> 
>>>>>>>> wrote:
>>>>>>>> 
>>>>>>>> Does your java app have JCE installed with unlimited encryption 
>>>>>>>> strength?
>>>>>>>> 
>>>>>>>> -Mikhail
>>>>>>>> 
>>>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>> Hi Dima,
>>>>>>>>> 
>>>>>>>>> Thanks for the prompt response.
>>>>>>>>> 
>>>>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>>>> 
>>>>>>>>> Code:
>>>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", 
>>>>>>>>> "false");
>>>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", 
>>>>>>>>> "*****************");
>>>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", 
>>>>>>>>> "*******************");
>>>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>>>> 
>>>>>>>>> UserGroupInformation ugi = 
>>>>>>>>> UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name",
>>>>>>>>>            "user.keytab");
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Error:
>>>>>>>>> 
>>>>>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>>>>>    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>>>>    at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>>>>    at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>>>>    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>>>>    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>>>>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>    at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>>    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>>>>    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>>>>    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>>>>    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>>>>    at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>>>>    at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>>>>    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>>>>    ... 2 more
>>>>>>>>> Caused by: KrbException: null (68)
>>>>>>>>>    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>>>>    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>>>>    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>>>>    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>>>>    ... 15 more
>>>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>>>>    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>>>>    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>>>>    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>>>>    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>>>>> Sent from my iPhone
>>>>>>>>> 
>>>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> 
>>>>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hey Jiten,
>>>>>>>>>> 
>>>>>>>>>> Have you followed the steps outlined in
>>>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ? What 
>>>>>>>>>> issues
>>>>>>>>>> are you seeing?
>>>>>>>>>> 
>>>>>>>>>> -Dima
>>>>>>>>>> 
>>>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> 
>>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> We are having difficulties connecting with our Java application to 
>>>>>>>>>>> our
>>>>>>>>>>> Kerberized HBase cluster. We are using a keytab file to 
>>>>>>>>>>> authenticate.
>>>>>>>>>>> 
>>>>>>>>>>> Has anyone successfully connected this way? If you have and can 
>>>>>>>>>>> help,
>>>>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>>>> 
>>>>>>>>>>> Best Regards,
>>>>>>>>>>> Jiten
>>>>>>>>>>> 
>>>>>>>>>>> Sent from my iPhone
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Michael Antonov
> 
