In the JAAS config, have you tried adding the following ? storeKey=true
On Thu, Nov 17, 2016 at 10:08 AM, Hugo Labra <[email protected]> wrote: > Hello, > > I am having a problem to connect to a Secure HBase cluster when using the > JAAS config, I enabled Kerberos using the cloudera wizard. > > My program is trying to create some tables and write to them, the problem > is that if I set the flag -Djava.security.auth.login.config=jaas.conf the > JAAS config and the keytab, and then run kinit it suceeds, but if I do not > do kinit before then it doesn't works... Am I understanding things > incorrectly? Shouldn't the jaas configuration get the kerberos ticket > transparently without the need of kinit? > > This is my JAAS config: > > Client { > com.sun.security.auth.module.Krb5LoginModule required > useKeyTab=true > useTicketCache=false > keyTab="/scratch/kerberos/hbase.keytab" > principal="hbase/[email protected]"; > }; > > > If I do exactly the same but without kinit first the I get the following > exception: > Caused by: java.lang.RuntimeException: SASL authentication failed. The > most likely cause is missing or invalid credentials. Consider 'kinit'. > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$1.run( > RpcClientImpl.java:673) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:415) > at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro > upInformation.java:1671) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.handleS > aslConnectionFailure(RpcClientImpl.java:631) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIO > streams(RpcClientImpl.java:739) > ... 17 more > Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused > by GSSException: No valid credentials provided (Mechanism level: Failed to > find any Kerberos tgt)] > at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng > e(GssKrb5Client.java:212) > at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConn > ect(HBaseSaslRpcClient.java:179) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSa > slConnection(RpcClientImpl.java:605) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$ > 600(RpcClientImpl.java:154) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run( > RpcClientImpl.java:731) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run( > RpcClientImpl.java:728) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:415) > at org.apache.hadoop.security.UserGroupInformation.doAs(UserGro > upInformation.java:1671) > at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIO > streams(RpcClientImpl.java:728) > ... 17 more > Caused by: GSSException: No valid credentials provided (Mechanism level: > Failed to find any Kerberos tgt) > at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5In > itCredential.java:147) > at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement( > Krb5MechFactory.java:121) > at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(K > rb5MechFactory.java:187) > at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSMana > gerImpl.java:223) > at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm > pl.java:212) > at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextIm > pl.java:179) > at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChalleng > e(GssKrb5Client.java:193) > ... 26 more > > > Shouldn't the JAAS get the ticket without the need of kinit? > > I appreciate any help :) > > Kind regards, > Hugo Labra >
