There should be a password. You should have a keytab associated with that principal, which would allow you to authenticate as that principal. See http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.htmlfor more details on how that works.
A couple of things... 1. You need to make your kerberos credentials renewable. Right now it seems like you cannot renew. See http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html . 2. AES256 encryption is not inherently supported. Did you install support for AES256? -Abe On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[email protected]> wrote: > klist -e -v > > Ticket cache: FILE:/tmp/krb5cc_0 > Default principal: [email protected] > > Valid starting Expires Service principal > 08/05/13 12:34:42 08/05/13 22:34:42 krbtgt/[email protected] > renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, > aes256-cts-hmac-sha1-96 > > Kerberos 5 version 1.10.3 > > The principal in hbase-site.xml is > hbase/[email protected] > > How do I create a credential using kinit matching that in hbase-site.xml? > kinit hbase/qa-node133.qa.lab throws an error msg > *kinit: Password incorrect while getting initial credentials* > *although I know that there is no password for that principal. * > * > * > * > * > > Cheers, > Suhas. > > > On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[email protected]>wrote: > >> Hi there, >> >> It seems like your client isn't authenticated in both cases. You seem to >> be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if >> your user is already authenticated. Internally, Sqoop is generating >> delegation tokens to communicate with HBase. It cannot do that without >> being properly authenticated first though. >> >> Could you provide the output of the following command: >> "klist -e -v" >> >> -Abe >> >> >> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <[email protected]>wrote: >> >>> I have configured hbase 94.9 with kerberos successfully for >>> authentication and authorization as mentioned in the CDH security docs. I >>> am using sqoop 1.4.3. Is there any configuration required from the sqoop >>> client side for kerberos? >>> >>> I have the following permissions on hbase tables - >>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo' >>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: >>> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient >>> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN) >>> >>> >>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB --table t1 >>> --hbase-table t1 --column-family world >>> >>> >>> When I try to import into it using sqoop with the above cmd, I get the >>> following error - >>> >>> >>> 2013-08-05 11:59:33,121 ERROR >>> org.apache.hadoop.hbase.regionserver.HRegionServer: >>> org.apache.hadoop.hbase.security.AccessDeniedException: Token generation >>> only allowed for Kerberos authenticated clients >>> at >>> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >>> at java.lang.reflect.Method.invoke(Method.java:597) >>> at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576) >>> at >>> org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >>> at java.lang.reflect.Method.invoke(Method.java:597) >>> at >>> org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308) >>> at >>> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426) >>> >>> >>> Cheers, >>> Suhas. >>> >> >> >
