Kerberos Development Note – No valid credentials provided

I prefer to record the errors that occur during development first, and introduce the development details and principles later.

  • Exception: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any kerberos tgt)];

The error above troubled us for a long time, so I am recording it here to share with my partners.

At first we thought it was caused by missing configuration, such as the Hadoop configuration files or krb5.conf, so we loaded every configuration file that might be needed and then called UserGroupInformation to perform the login. For a clearer explanation, see the core code:

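import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
...
private final String HADOOP_CONFIG_LC = configurationService.getHadoopConfigLc(); // "/etc/hadoop/conf"
private final String KRB_CONFIG_LC = configurationService.getKrbConfigLc(); // "azkaban", used to communicate with keytab to get tgt from kdc.
...
private UserGroupInformation loginUser = null;
...
// Put both configuration directories on the class path that Configuration searches.
Configuration conf = new Configuration();
List<URL> urls = new ArrayList<URL>();
urls.add(new File(HADOOP_CONFIG_LC).toURI().toURL());
urls.add(new File(KRB_CONFIG_LC).toURI().toURL());
conf.setClassLoader(new URLClassLoader(urls.toArray(new URL[urls.size()])));
// Hand the configuration to UGI, then log in with the keytab instead of the ticket cache.
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(krbPrinciple, keytabLocation);
loginUser = UserGroupInformation.getLoginUser();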

For more detailed information on the console, enable the Kerberos debug output via HADOOP_OPTS in /etc/hadoop/conf/hadoop-env.sh (the location is based on CDH-5.7.0):

export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Dsun.security.krb5.debug=true ${HADOOP_OPTS}"

The details show as follows:

02-04-2017 12:13:26 CST sqoop-sample INFO – Native config name: /etc/krb5.conf

02-04-2017 12:13:26 CST sqoop-sample INFO – Loaded from native config

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream>  client principal is azkaban@EBSCNCDH.COM

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> server principal is krbtgt/EBSCNCDH.COM@EBSCNCDH.COM

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> key type: 18

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> auth time: Sun Apr 02 12:14:45 CST 2017

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> start time: Sun Apr 02 12:14:45 CST 2017

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> end time: Mon Apr 03 12:13:22 CST 2017

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> renew_till time: Sun Apr 09 12:13:22 CST 2017

02-04-2017 12:13:26 CST sqoop-sample INFO – >>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream>  client principal is azkaban@EBSCNCDH.COM

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/EBSCNCDH.COM@EBSCNCDH.COM@EBSCNCDH.COM

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> key type: 0

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 08:00:00 CST 1970

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> start time: null

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> end time: Thu Jan 01 08:00:00 CST 1970

02-04-2017 12:13:26 CST sqoop-sample INFO – >>>DEBUG <CCacheInputStream> renew_till time: null

02-04-2017 12:13:26 CST sqoop-sample INFO – >>> CCacheInputStream: readFlags()

02-04-2017 12:13:26 CST sqoop-sample INFO – >>> unsupported key type found the default TGT: 18

It is quite obvious that the client principal and the server principal are both right when loaded from the native config /etc/krb5.conf, but inside the JVM the principal's TGT (it uses AES256 encryption, which the original JCE does not support) could not be recognized.

Download the JCE from this page (for JDK 8) and install it in ${JAVA_HOME}/jre/lib/security/.
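
A pre-flight check for the situation above, as an added example that is not code from the original post: it reads the enctype settings from krb5.conf and asks the JVM for its maximum allowed AES key length via Cipher.getMaxAllowedKeyLength, so a job fails with a clear message instead of the GSSException. The class name KrbEnctypePreflight and the embedded sample krb5.conf lines are constructed for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

public class KrbEnctypePreflight {
    // Matches the enctype settings of krb5.conf, e.g. "permitted_enctypes = aes256-cts rc4-hmac".
    private static final Pattern ENCTYPE_LINE = Pattern.compile(
        "^\\s*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)\\s*=\\s*(.+)$");

    // Constructed sample, used only when no krb5.conf path is passed on the command line.
    private static final List<String> SAMPLE_CONF = Arrays.asList(
        "[libdefaults]",
        "  default_realm = EXAMPLE.COM",
        "  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96",
        "  # permitted_enctypes = rc4-hmac   (commented out, must be ignored)");

    /** Returns the AES256 enctype names that the given krb5.conf lines configure. */
    static List<String> aes256Enctypes(List<String> lines) {
        List<String> found = new ArrayList<>();
        for (String line : lines) {
            Matcher m = ENCTYPE_LINE.matcher(line);
            if (!m.matches()) continue;                       // comments and other keys
            for (String etype : m.group(2).trim().split("[\\s,]+")) {
                if (etype.toLowerCase().startsWith("aes256") && !found.contains(etype)) {
                    found.add(etype);
                }
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        List<String> conf = args.length > 0 ? Files.readAllLines(Paths.get(args[0])) : SAMPLE_CONF;
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");   // 128 under the limited policy
        List<String> wanted = aes256Enctypes(conf);
        System.out.println("JCE max AES key length: " + maxAes + ", AES256 enctypes configured: " + wanted);
        if (maxAes < 256) {
            // Same condition the debug log reports as "unsupported key type found the default TGT: 18".
            System.err.println("This JVM cannot use AES256 (key type 18) tickets; fix the JCE policy"
                + " in ${JAVA_HOME}/jre/lib/security/ before calling loginUserFromKeytab.");
            System.exit(1);
        }
    }
}
```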


Refer to:

https://discuss.pivotal.io/hc/en-us/articles/202210763-The-Secure-HDFS-Error-No-valid-credentials-provided-Displays-when-Running-HDFS-DFS-or-Hadoop-FS
