I'd say you don't need to have an HBase cluster up and running at all to be able to obtain a Kerberos ticket from a standalone Java app.
One thing I noticed, which I overlooked before.. This piece of config containing hbase Configuration properties like hbase.master.kerberos.principal etc shouldn't be needed in your custom java app, right? All you need is a call to UGI.loginFromKeytab with right principal and keytab file?

On Wed, Feb 11, 2015 at 9:38 PM, Jiten Gore <[email protected]> wrote:
> The JAAS files on HBase Master, Region servers and Zookeeper do not currently
> exist. We will have to wait until tomorrow for their creation and further
> testing.
>
> Simply having the HBase-client.jaas on HBase client did not help. The error
> remains the same.
>
> Sent from my iPhone
>
>> On Feb 11, 2015, at 9:30 PM, Mikhail Antonov <[email protected]> wrote:
>>
>> Does error remain the same after changes in jaas config?
>>
>>> On Wed, Feb 11, 2015 at 7:56 PM, Jiten Gore <[email protected]> wrote:
>>> The keytabs have been working for us when we use HBase shell as well as
>>> when we run pig scripts.
>>>
>>> Although our Java program is still unable to connect.
>>>
>>> Sent from my iPhone
>>>
>>>> On Feb 11, 2015, at 7:47 PM, Mikhail Antonov <[email protected]> wrote:
>>>>
>>>> I don't have any secured cluster handy to check and don't remember. I
>>>> supposed if your master and regionservers are starting fine and able to
>>>> login from keytabs then you're fine, otherwise you'll need to
>>>> configure jaas files for them.
>>>>
>>>> So does it work for you now? For your java program?
>>>>
>>>> -Mikhail
>>>>
>>>>> On Wed, Feb 11, 2015 at 7:40 PM, Jiten Gore <[email protected]> wrote:
>>>>> This looks promising!
>>>>>
>>>>> On the host machine at /etc/hbase/conf, we have a jaas.conf file.
>>>>>
>>>>> It had useKeyTab = false
>>>>> We have changed it to:
>>>>> Client {
>>>>> com.sun.security.auth.module.Krb5LoginModule required
>>>>> useKeyTab=true
>>>>> keyTab=/home/<username>/username.keytab
>>>>> useTicketCache=true;
>>>>> };
>>>>>
>>>>> Do we also need to add the other jaas files as shown here?
>>>>> https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-2.html
>>>>>
>>>>>
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Feb 11, 2015, at 7:05 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>
>>>>>> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>>>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>>>>>>
>>>>>> Krb5LoginModule falls back to asking user for password when it's
>>>>>> either not configured to use keytabs, or can't find/read one. Do you
>>>>>> have JAAS conf file setup? You'd need to set useKeyTab=true and
>>>>>> keyTab=<path> there.
>>>>>>
>>>>>> -Mikhail
>>>>>>
>>>>>>> On Wed, Feb 11, 2015 at 6:50 PM, Jiten Gore <[email protected]> wrote:
>>>>>>> Currently, running from a windows computer from within Eclipse. So
>>>>>>> permissions should not be an issue.
>>>>>>>
>>>>>>> Just set the property:
>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>>>
>>>>>>> And got this output:
>>>>>>> Java config name: null
>>>>>>> Native config name: C:\Windows\krb5.ini
>>>>>>> getRealmFromDNS: trying <realm>
>>>>>>> getRealmFromDNS: trying <realm>
>>>>>>> Java config name: null
>>>>>>> Native config name: C:\Windows\krb5.ini
>>>>>>>>>> KdcAccessibility: reset
>>>>>>>>>> KdcAccessibility: reset
>>>>>>>>>> KeyTabInputStream, readName(): <REALM>
>>>>>>>>>> KeyTabInputStream, readName(): <username>
>>>>>>>>>> KeyTab: load() entry length: 53; type: 23
>>>>>>>>>> KeyTabInputStream, readName(): <REALM>
>>>>>>>>>> KeyTabInputStream, readName(): <username>
>>>>>>>>>> KeyTab: load() entry length: 69; type: 18
>>>>>>>>>> KeyTabInputStream, readName(): <REALM>
>>>>>>>>>> KeyTabInputStream, readName(): <username>
>>>>>>>>>> KeyTab: load() entry length: 53; type: 17
>>>>>>> Ordering keys wrt default_tkt_enctypes list
>>>>>>> Using builtin default etypes for default_tkt_enctypes
>>>>>>> default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>>>>>> Exception in thread "main" java.io.IOException: Login failure for <username>/<hostname>@<REALM> from keytab <path_to_keytab_file>
>>>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:44)
>>>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:17)
>>>>>>> Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
>>>>>>>
>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>> ... 2 more
>>>>>>> LSA: Found Ticket
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found PrincipalName
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found DerValue
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found EncryptionKey
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found TicketFlags
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found KerberosTime
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found String
>>>>>>> LSA: Made NewWeakGlobalRef
>>>>>>> LSA: Found DerValue constructor
>>>>>>> LSA: Found Ticket constructor
>>>>>>> LSA: Found PrincipalName constructor
>>>>>>> LSA: Found EncryptionKey constructor
>>>>>>> LSA: Found TicketFlags constructor
>>>>>>> LSA: Found KerberosTime constructor
>>>>>>> LSA: Finished OnLoad processing
>>>>>>>
>>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Feb 11, 2015, at 6:29 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Interesting.
>>>>>>>>
>>>>>>>> Your java program runs under the same user, as shell for kinit?
>>>>>>>> Anything in /var/log/krb5kdc.log (with debug logging on)?
>>>>>>>>
>>>>>>>>> On Wed, Feb 11, 2015 at 6:17 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>> The host names in libdefaults and realms in krb5.conf exactly match
>>>>>>>>> the host name used in the principal name.
>>>>>>>>>
>>>>>>>>> From command line, we are able to get the TGT using the following
>>>>>>>>> command:
>>>>>>>>> kinit -k -t <keytab> -p <username>
>>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>>> On Feb 11, 2015, at 6:01 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Another thing to check are [libdefaults] and [realms] sections in
>>>>>>>>>> krb5.conf, in case there's any typo or wrong case in there.
>>>>>>>>>>
>>>>>>>>>> You can get the TGT from the kinit command using this keytab, right?
>>>>>>>>>>
>>>>>>>>>> -Mikhail
>>>>>>>>>>
>>>>>>>>>>> On Wed, Feb 11, 2015 at 5:58 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>>>>>> Just checking.. is that full log? Does the principal name have the
>>>>>>>>>>> _HOST portion in it?
>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Feb 11, 2015 at 5:24 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>>>>> Thanks Mikhail. Yes it has been so installed.
>>>>>>>>>>>>
>>>>>>>>>>>> We downloaded the JCE unlimited encryption jar files and replaced
>>>>>>>>>>>> the existing jre jar files. Is there anything else that we need
>>>>>>>>>>>> to do?
>>>>>>>>>>>>
>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 11, 2015, at 5:08 PM, Mikhail Antonov <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Does your java app have JCE installed with unlimited encryption
>>>>>>>>>>>>> strength?
>>>>>>>>>>>>>
>>>>>>>>>>>>> -Mikhail
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Feb 11, 2015 at 4:52 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>>>>>>> Hi Dima,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for the prompt response.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here's what we are doing and the error we are seeing:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Code:
>>>>>>>>>>>>>> System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
>>>>>>>>>>>>>> final Configuration hBaseConfig = HBaseConfiguration.create();
>>>>>>>>>>>>>> hBaseConfig.setInt("timeout", 120000);
>>>>>>>>>>>>>> hBaseConfig.set("hbase.zookeeper.quorum", "*************");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
>>>>>>>>>>>>>> hBaseConfig.set("hadoop.security.authentication", "kerberos");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.security.authentication", "kerberos");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.master.kerberos.principal", "*****************");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.regionserver.kerberos.principal", "*******************");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
>>>>>>>>>>>>>> hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
>>>>>>>>>>>>>> UserGroupInformation.setConfiguration(hBaseConfig);
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("principle_name", "user.keytab");
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Error:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Exception in thread "main" java.io.IOException: Login failure for <PRINCIPAL_NAME> from keytab
>>>>>>>>>>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
>>>>>>>>>>>>>> at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
>>>>>>>>>>>>>> at Kerberos.KerberosAuthentication.App.main(App.java:15)
>>>>>>>>>>>>>> Caused by: javax.security.auth.login.LoginException: null (68)
>>>>>>>>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
>>>>>>>>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>>>>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>>>>>>>>>>>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>>>>>>>>>>> at java.lang.reflect.Method.invoke(Method.java:606)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
>>>>>>>>>>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
>>>>>>>>>>>>>> at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
>>>>>>>>>>>>>> at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
>>>>>>>>>>>>>> ... 2 more
>>>>>>>>>>>>>> Caused by: KrbException: null (68)
>>>>>>>>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>>>>>>>>>>>>> at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
>>>>>>>>>>>>>> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
>>>>>>>>>>>>>> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
>>>>>>>>>>>>>> ... 15 more
>>>>>>>>>>>>>> Caused by: KrbException: Identifier doesn't match expected value (906)
>>>>>>>>>>>>>> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
>>>>>>>>>>>>>> at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
>>>>>>>>>>>>>> at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
>>>>>>>>>>>>>> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 11, 2015, at 10:56 AM, Dima Spivak <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hey Jiten,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Have you followed the steps outlined in
>>>>>>>>>>>>>>> http://hbase.apache.org/book.html#hbase.secure.configuration ?
>>>>>>>>>>>>>>> What issues are you seeing?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> -Dima
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Feb 11, 2015 at 12:49 PM, Jiten Gore <[email protected]> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> We are having difficulties connecting with our Java application to our
>>>>>>>>>>>>>>>> Kerberized HBase cluster. We are using a keytab file to authenticate.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Has anyone successfully connected this way? If you have and can help,
>>>>>>>>>>>>>>>> please let me know. I can share details about the issue.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>>>> Jiten
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>> Michael Antonov
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Michael Antonov
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thanks,
>>>>>>>>>> Michael Antonov
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thanks,
>>>>>>>> Michael Antonov
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Michael Antonov
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks,
>>>> Michael Antonov
>>
>>
>>
>> --
>> Thanks,
>> Michael Antonov
>>

--
Thanks,
Michael Antonov
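
Added example, not part of the original thread: a standalone keytab login of the kind the top message describes, setting only hadoop.security.authentication and no hbase.* properties, with a readability check on the keytab before the login. The class name KeytabLoginCheck and its two command-line arguments are illustrative; it assumes hadoop-common on the classpath and a krb5.conf/krb5.ini the JVM can find.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Keytab login with no HBase properties set; only Hadoop's auth mode is configured. */
public class KeytabLoginCheck {

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: KeytabLoginCheck <principal> <keytab-path>");
            System.exit(2);
        }
        String principal = args[0];
        Path keytab = Paths.get(args[1]).toAbsolutePath();

        // A keytab the process cannot find or read is one cause of
        // "Unable to obtain password from user"; rule it out before the login.
        if (!Files.isRegularFile(keytab) || !Files.isReadable(keytab)) {
            System.err.println("keytab not readable by this process: " + keytab);
            System.exit(1);
        }
        // Show which krb5 configuration the JVM was pointed at (null = platform default).
        System.out.println("java.security.krb5.conf = "
                + System.getProperty("java.security.krb5.conf"));

        // Hadoop defaults plus the one setting UGI needs; no hbase.* keys at all.
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);

        try {
            UserGroupInformation ugi = UserGroupInformation
                    .loginUserFromKeytabAndReturnUGI(principal, keytab.toString());
            System.out.println("TGT obtained for " + ugi.getUserName()
                    + " via " + ugi.getAuthenticationMethod());
        } catch (IOException e) {
            // UGI wraps the JAAS LoginException; print the chain down to the KrbException.
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.err.println(t.getClass().getName() + ": " + t.getMessage());
            }
            System.exit(1);
        }
    }
}
```

Running it with -Dsun.security.krb5.debug=true produces the same kind of keytab and etype trace quoted earlier in the thread.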
