Hello,
We are running a Secure HBase cluster (enabling Kerberos authentication
and setting up HBase authorization) and we are trying to execute
operations using a Java client. We are using the following configuration.
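import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.client.*;
import org.apache.hadoop.security.*;

// ZooKeeper quorum the client uses to locate the cluster
String szQuorum = "node01.example.com,node02.example.com,node01.example.com";
Configuration config = HBaseConfiguration.create();
config.set("hbase.zookeeper.quorum", szQuorum);
config.set("hbase.zookeeper.property.clientPort", "2181");
// Kerberos for both the HBase RPC layer and the Hadoop security layer
config.set("hbase.security.authentication", "kerberos");
config.set("hadoop.security.authentication", "kerberos");
// Service principals the client expects the master and region servers to use
config.set("hbase.master.kerberos.principal", "hbase/[email protected]");
config.set("hbase.regionserver.kerberos.principal", "hbase/[email protected]");
// Log in from the keytab and make that identity the process-wide login user
UserGroupInformation.setConfiguration(config);
UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
    "hbase/[email protected]",
    "/var/run/cloudera-scm-agent/process/224-hbase-REGIONSERVER/hbase.keytab");
UserGroupInformation.setLoginUser(ugi);
// Open the connection and start a full-table scan
HConnection hconn = HConnectionManager.createConnection(config);
HTableInterface hti = hconn.getTable("exampletbl");
Scan scan = new Scan();
ResultScanner rsScanner = hti.getScanner(scan);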
While we are able to create a table and do puts and gets, when we try to
execute a scan, after a few seconds we get the following exceptions:
97976 [hconnection-0x4f2c9ba6-shared--pool1-t6] DEBUG org.apache.hadoop.hbase.security.HBaseSaslRpcClient - Have sent token of size 674 from initSASLContext.
97977 [hconnection-0x4f2c9ba6-shared--pool1-t6] WARN org.apache.hadoop.security.UserGroupInformation - PriviledgedActionException as:hbase/[email protected] (auth:KERBEROS) cause:org.apache.hadoop.ipc.RemoteException(javax.security.sasl.SaslException): GSS initiate failed
97977 [hconnection-0x4f2c9ba6-shared--pool1-t6] DEBUG org.apache.hadoop.security.UserGroupInformation - PrivilegedAction as:hbase/[email protected] (auth:KERBEROS) from:org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleSaslConnectionFailure(RpcClientImpl.java:631)
97977 [hconnection-0x4f2c9ba6-shared--pool1-t6] WARN org.apache.hadoop.hbase.ipc.AbstractRpcClient - Couldn't setup connection for hbase/[email protected] to hbase/[email protected]
We have run kinit and set up the jaas.conf in the JAVA_OPTIONS of our
Java application.
export JAVA_OPTIONS="
-Djava.security.auth.login.config=/var/run/cloudera-scm-agent/process/224-hbase-REGIONSERVER/jaas.conf
-Dsun.security.krb5.debug=true "
kinit -k -t /var/run/cloudera-scm-agent/process/224-hbase-REGIONSERVER/hbase.keytab hbase/hbase/[email protected]
klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/hbase/[email protected]
Valid starting     Expires            Service principal
06/17/15 17:37:31  06/18/15 17:37:31  krbtgt/[email protected]
        renew until 06/22/15 17:37:31, Flags: FRI
less /var/run/cloudera-scm-agent/process/224-hbase-REGIONSERVER/jaas.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=true
keyTab="hbase.keytab"
principal="hbase/hbase/[email protected]";
};
Is there any missing configuration?
Thanks,
Gaby