User, Could you please provide your KDC logs around the time you tried to authenticate?
Note: A kerberos client will negotiate the encryption algorithm it can/will use with the KDC. It may choose AES-256. -Abe On Mon, Aug 5, 2013 at 3:55 PM, Suhas Satish <[email protected]> wrote: > I generated a keytab with the following cmd and it supports multiple > encryption types other than aes256 as listed below. > But I still get the same error from sqoop import tool because the > sqoop.keytab is not being read (sqoop being the hbase client in this case). > > kadmin: ktadd -k sqoop.keytab kuser1 > Entry for principal kuser1 with kvno 2, encryption type > aes256-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab. > Entry for principal kuser1 with kvno 2, encryption type > aes128-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab. > Entry for principal kuser1 with kvno 2, encryption type des3-cbc-sha1 > added to keytab WRFILE:sqoop.keytab. > Entry for principal kuser1 with kvno 2, encryption type arcfour-hmac added > to keytab WRFILE:sqoop.keytab. > Entry for principal kuser1 with kvno 2, encryption type des-hmac-sha1 > added to keytab WRFILE:sqoop.keytab. > Entry for principal kuser1 with kvno 2, encryption type des-cbc-md5 added > to keytab WRFILE:sqoop.keytab. > > Here are some more debug logs I obtained from kerberos - > > *kadmin: getprinc kuser1* > Principal: [email protected] > Expiration date: [never] > Last password change: Mon Aug 05 15:40:30 PDT 2013 > Password expiration date: [none] > Maximum ticket life: 1 day 00:00:00 > Maximum renewable life: 0 days 00:00:00 > Last modified: Mon Aug 05 15:40:30 PDT 2013 (mapr/[email protected]) > Last successful authentication: [never] > Last failed authentication: [never] > Failed password attempts: 0 > Number of keys: 6 > Key: vno 2, aes256-cts-hmac-sha1-96, no salt > Key: vno 2, aes128-cts-hmac-sha1-96, no salt > Key: vno 2, des3-cbc-sha1, no salt > Key: vno 2, arcfour-hmac, no salt > Key: vno 2, des-hmac-sha1, no salt > Key: vno 2, des-cbc-md5, no salt > MKey: vno 1 > Attributes: > Policy: [none] > > *getprinc hbase/qa-node133.qa.lab* > Principal: hbase/[email protected] > Expiration date: [never] > Last password change: Mon Jul 29 19:17:46 PDT 2013 > Password expiration date: [none] > Maximum ticket life: 0 days 10:00:00 > Maximum renewable life: 7 days 00:00:00 > Last modified: Mon Jul 29 19:17:46 PDT 2013 (kuser1/[email protected]) > Last successful authentication: [never] > Last failed authentication: [never] > Failed password attempts: 0 > Number of keys: 6 > Key: vno 2, aes256-cts-hmac-sha1-96, no salt > Key: vno 2, aes128-cts-hmac-sha1-96, no salt > Key: vno 2, des3-cbc-sha1, no salt > Key: vno 2, arcfour-hmac, no salt > Key: vno 2, des-hmac-sha1, no salt > Key: vno 2, des-cbc-md5, no salt > MKey: vno 1 > Attributes: > Policy: [none] > > > Thanks, > Suhas. > > > On Mon, Aug 5, 2013 at 2:29 PM, Abraham Elmahrek <[email protected]> wrote: > >> There should be a password. You should have a keytab associated with that >> principal, which would allow you to authenticate as that principal. See >> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.htmlfor >> more details on how that works. >> >> A couple of things... >> 1. You need to make your kerberos credentials renewable. Right now it >> seems like you cannot renew. See >> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html >> . >> 2. AES256 encryption is not inherently supported. Did you install support >> for AES256? >> >> -Abe >> >> >> On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[email protected]>wrote: >> >>> klist -e -v >>> >>> Ticket cache: FILE:/tmp/krb5cc_0 >>> Default principal: [email protected] >>> >>> Valid starting Expires Service principal >>> 08/05/13 12:34:42 08/05/13 22:34:42 krbtgt/[email protected] >>> renew until 08/05/13 12:34:42, Etype (skey, tkt): >>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 >>> >>> Kerberos 5 version 1.10.3 >>> >>> The principal in hbase-site.xml is >>> hbase/[email protected] >>> >>> How do I create a credential using kinit matching that in >>> hbase-site.xml? kinit hbase/qa-node133.qa.lab throws an error msg >>> *kinit: Password incorrect while getting initial credentials* >>> *although I know that there is no password for that principal. * >>> * >>> * >>> * >>> * >>> >>> Cheers, >>> Suhas. >>> >>> >>> On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[email protected]>wrote: >>> >>>> Hi there, >>>> >>>> It seems like your client isn't authenticated in both cases. You seem >>>> to be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work >>>> if your user is already authenticated. Internally, Sqoop is generating >>>> delegation tokens to communicate with HBase. It cannot do that without >>>> being properly authenticated first though. >>>> >>>> Could you provide the output of the following command: >>>> "klist -e -v" >>>> >>>> -Abe >>>> >>>> >>>> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish >>>> <[email protected]>wrote: >>>> >>>>> I have configured hbase 94.9 with kerberos successfully for >>>>> authentication and authorization as mentioned in the CDH security docs. I >>>>> am using sqoop 1.4.3. Is there any configuration required from the sqoop >>>>> client side for kerberos? >>>>> >>>>> I have the following permissions on hbase tables - >>>>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo' >>>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: >>>>> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient >>>>> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN) >>>>> >>>>> >>>>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB --table >>>>> t1 --hbase-table t1 --column-family world >>>>> >>>>> >>>>> When I try to import into it using sqoop with the above cmd, I get the >>>>> following error - >>>>> >>>>> >>>>> 2013-08-05 11:59:33,121 ERROR >>>>> org.apache.hadoop.hbase.regionserver.HRegionServer: >>>>> org.apache.hadoop.hbase.security.AccessDeniedException: Token >>>>> generation only allowed for Kerberos authenticated clients >>>>> at >>>>> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87) >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>> at >>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >>>>> at >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >>>>> at java.lang.reflect.Method.invoke(Method.java:597) >>>>> at >>>>> org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576) >>>>> at >>>>> org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868) >>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>>>> at >>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) >>>>> at >>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) >>>>> at java.lang.reflect.Method.invoke(Method.java:597) >>>>> at >>>>> org.apache.hadoop.hbase.ipc.SecureRpcEngine$Server.call(SecureRpcEngine.java:308) >>>>> at >>>>> org.apache.hadoop.hbase.ipc.HBaseServer$Handler.run(HBaseServer.java:1426) >>>>> >>>>> >>>>> Cheers, >>>>> Suhas. >>>>> >>>> >>>> >>> >> >
