Hi Near,

Try setting proxyuser using the following doc:
https://www.cloudera.com/documentation/enterprise/latest/topics/admin_hdfs_proxy_users.html

A while ago I helped a customer of ours configure a proxy user. If you have
at-rest encryption in the cluster, you'd also need to configure KMS
proxyuser as well.
https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms_security.html
It isn't that obvious from the CDH documentation or the Apache Hadoop doc.


On Thu, Jan 25, 2018 at 7:24 AM, Bear Giles <[email protected]> wrote:

> Hi, kerberos auth question here.
>
> We need to have Kerberos authentication with user impersonation. I know we
> had it working on one of our test clusters earlier but nobody can remember
> which one or how it was configured. :-(
>
> From my research I have the following items:
>
> 1. There are Kerberos users alice@REALM and bob@REALM.
>
> 2. 'alice' is in the 'supergroup' group on the HDFS node I access.
>
> 3. The server has hadoop.proxyuser.alice.users = * set in core-site.xml.
> (see note)
>
> 4. I can connect using alice@REALM.
>
> 5. When I try to connect using UGI.createProxyUser("bob", alice) I get a
> "Client cannot authenticate via:[TOKEN, KERBEROS]" error.
>
> 6. I didn't have success with "bob@REALM" earlier but I've changed the
> configuration since then so I might have missed something.
>
> Do I need to create an additional principal for alice? Something like
> alice/hdfs@REALM? alice/supergroup@REALM?
>
> Is there
>
> (note: We're using CDH and I'm setting this on the 'advanced configuration
> snippets' page. I saved the settings and restarted the servers but I'm not
> sure that the files are actually being updated. I've also changed the
> configuration files manually.)
>
> --
>
> Bear Giles
>
> Sr. Java Application Engineer



-- 
A very happy Hadoop contributor
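
An added example, not part of the original e-mails: a small check to run over the deployed core-site.xml and kms-site.xml to see which proxyuser rules the files actually contain. It assumes Apache Hadoop's documented behaviour that a proxyuser rule needs `.hosts` plus `.users` or `.groups`; the sample XML and host name are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not taken from the cluster discussed in the thread).
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.alice.users</name><value>*</value></property>
</configuration>"""
KMS_SITE = """<configuration>
  <property><name>hadoop.kms.proxyuser.alice.users</name><value>bob</value></property>
  <property><name>hadoop.kms.proxyuser.alice.hosts</name><value>gw1.example.com</value></property>
</configuration>"""

# Matches hadoop.proxyuser.<superuser>.<kind> and hadoop.kms.proxyuser.<superuser>.<kind>.
PROXY_KEY = re.compile(r"^(hadoop(?:\.kms)?\.proxyuser)\.(.+)\.(users|groups|hosts)$")

def proxy_rules(xml_text):
    """Return {(prefix, superuser): {kind: value}} for every proxyuser property."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        m = PROXY_KEY.match((prop.findtext("name") or "").strip())
        if m:
            prefix, superuser, kind = m.groups()
            value = (prop.findtext("value") or "").strip()
            rules.setdefault((prefix, superuser), {})[kind] = value
    return rules

def audit(xml_text):
    """List rules that cannot authorize anyone, and rules left at the wildcard."""
    findings = []
    for (prefix, superuser), rule in sorted(proxy_rules(xml_text).items()):
        key = f"{prefix}.{superuser}"
        if "hosts" not in rule:
            findings.append(f"{key}: no .hosts set, impersonation is refused from every host")
        if "users" not in rule and "groups" not in rule:
            findings.append(f"{key}: neither .users nor .groups set, nobody can be impersonated")
        for kind, value in sorted(rule.items()):
            if value == "*":
                findings.append(f"{key}.{kind} = *: unrestricted, scope it to named {kind}")
    return findings

if __name__ == "__main__":
    for label, text in (("core-site.xml", CORE_SITE), ("kms-site.xml", KMS_SITE)):
        for finding in audit(text) or ["no findings"]:
            print(f"{label}: {finding}")
```

Point it at the files the running NameNode and KMS were started with rather than the ones edited by hand, since those can differ when the configuration is managed by Cloudera Manager.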
