Hi Bear, I have spend quite a time about this topics, actually if you just set the HADOOP_PROXY_USER and then just use loginUserFromKeytab or loginfromSubject it will create a proxy for you. have you set the hadoop.proxyuse.<user>.hosts ? that is important could be your error to.
Jorge Machado www.jmachado.me > On 25 Jan 2018, at 15:24, Bear Giles <[email protected]> wrote: > > Hi, kerberos auth question here. > > We need to have Kerberos authentication with user impersonation. I know we > had it working on one of our test clusters earlier but nobody can remember > which one or how it was configured. :-( > > From my research I have the following items: > > 1. There is are Kerberos users alice@REALM and bob@REALM. > > 2. 'alice' is in the 'supergroup' group on the HDFS node I access. > > 3. The server has hadoop.proxyuser.alice.users = * set in core-site.xml. (see > note) > > 4. I can connect using alice@REALM. > > 5. When I try to connect using UGI.createProxyUser("bob", alice) I get a > "Client cannot authenticate via:[TOKEN, KERBEROS]" error. > > 6. I didn't have success with "bob@REALM" earlier but I've change the > configuration since then so I might have missed something. > > Do I need to create an additional principal for alice? Something like > alice/hdfs@REALM? alice/supergroup@REALM? > > Is there > > (note: We're using CDH and I'm setting this on the 'advanced configuration > snippets' page. I saved the settings and restarted the servers but I'm not > sure that the files are actually being updated. I've also changed the > configuration files manually.) > > -- > > Bear Giles > > Sr. Java Application Engineer > [email protected] <mailto:[email protected]> > Mobile: 720-749-7876 > > > <http://www.snaplogic.com/about-us/jobs> > > > SnapLogic Inc | 929 Pearl St #200 | 80303 CO 80302 | USA > > SnapLogic Inc | 2 W 5th Avenue 4th Floor | San Mateo CA 94402 | USA > > > This message is confidential. It may also be privileged or otherwise > protected by work product immunity or other legal rules. If you have received > it by mistake, please let us know by e-mail reply and delete it from your > system; you may not copy this message or disclose its contents to anyone. The > integrity and security of this message cannot be guaranteed on the Internet. >
