Have you added the proxy.***.hosts to the Hadoop config? Check this: https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/Superusers.html
Jorge Machado
www.jmachado.me

> On 26 Jan 2018, at 14:57, Bear Giles wrote:
>
> Thanks all.
>
> I've made the changes but am still getting an error. Notably it's not a "user X cannot impersonate Y" error.
>
> exc: Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
> exc: at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:172)
> exc: at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
> exc: at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:555)
> exc: at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:370)
> exc: at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:724)
> exc: at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:720)
> exc: at java.security.AccessController.doPrivileged(Native Method)
> exc: at javax.security.auth.Subject.doAs(Subject.java:422)
> exc: at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
> exc: at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:720)
> exc: ... 33 more
>
> I don't understand this since the Kerberos user authenticates without a problem after loading the keytab file. But when I use that UGI in a UserGroupInformation.createProxyUser() call I get this error.
>
> I seem to recall coming across something on SASL and Kerberos user impersonation having problems but can't find it now.
>
> Thanks,
>
> Bear
>
> On Thu, Jan 25, 2018 at 9:53 AM, Wei-Chiu Chuang wrote:
> > Hi Bear,
> >
> > Try setting proxyuser using the following doc:
> > https://www.cloudera.com/documentation/enterprise/latest/topics/admin_hdfs_proxy_users.html
> >
> > A while ago I helped a customer of ours to configure proxy user. If you have at-rest encryption in the cluster, you'd also need to configure KMS proxyuser as well.
> > https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_kms_security.html
> > It isn't that obvious from CDH documentation nor Apache Hadoop doc.
> >
> > On Thu, Jan 25, 2018 at 7:24 AM, Bear Giles wrote:
> > > Hi, kerberos auth question here.
> > >
> > > We need to have Kerberos authentication with user impersonation. I know we had it working on one of our test clusters earlier but nobody can remember which one or how it was configured. :-(
> > >
> > > From my research I have the following items:
> > >
> > > 1. There are Kerberos users alice@REALM and bob@REALM.
> > >
> > > 2. 'alice' is in the 'supergroup' group on the HDFS node I access.
> > >
> > > 3. The server has hadoop.proxyuser.alice.users = * set in core-site.xml. (see note)
> > >
> > > 4. I can connect using alice@REALM.
> > >
> > > 5. When I try to connect using UGI.createProxyUser("bob", alice) I get a "Client cannot authenticate via:[TOKEN, KERBEROS]" error.
> > >
> > > 6. I didn't have success with "bob@REALM" earlier but I've changed the configuration since then so I might have missed something.
> > >
> > > Do I need to create an additional principal for alice? Something like alice/hdfs@REALM? alice/supergroup@REALM?
> > >
> > > Is there
> > >
> > > (note: We're using CDH and I'm setting this on the 'advanced configuration snippets' page. I saved the settings and restarted the servers but I'm not sure that the files are actually being updated. I've also changed the configuration files manually.)
> > >
> > > --
> > > Bear Giles
> >
> > --
> > A very happy Hadoop contributor
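
Added example, not part of the thread and not Hadoop's own code: a Python check of the proxyuser settings the replies point to. The Hadoop Superusers page linked above requires hadoop.proxyuser.<superuser>.hosts together with .groups and/or .users. The sample core-site.xml is constructed from the setup described in the thread; the svc_etl superuser, its host and its group are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the setup described in the thread (only .users set for
# alice), plus a hypothetical, tightly scoped superuser "svc_etl" for contrast.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.proxyuser.alice.users</name><value>*</value></property>
  <property><name>hadoop.proxyuser.svc_etl.hosts</name><value>10.0.5.17</value></property>
  <property><name>hadoop.proxyuser.svc_etl.groups</name><value>etl_users</value></property>
</configuration>"""

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.(?P<su>.+)\.(?P<kind>hosts|groups|users)$")


def load_proxyusers(xml_text):
    """Return {superuser: {"hosts"|"groups"|"users": value}} from core-site.xml text."""
    rules = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        m = PROXY_KEY.match(name)
        if m:
            value = (prop.findtext("value") or "").strip()
            rules.setdefault(m["su"], {})[m["kind"]] = value
    return rules


def audit(xml_text):
    """Return {superuser: [findings]}; an empty list means nothing to flag."""
    report = {}
    for su, rule in sorted(load_proxyusers(xml_text).items()):
        findings = []
        # Hadoop needs .hosts together with .groups and/or .users.
        if not rule.get("hosts"):
            findings.append("missing hosts: impersonation will be refused")
        if not (rule.get("groups") or rule.get("users")):
            findings.append("missing groups/users: impersonation will be refused")
        # A "*" entry removes the restriction for that dimension (least privilege).
        for kind, value in sorted(rule.items()):
            if "*" in [v.strip() for v in value.split(",")]:
                findings.append(f"wildcard {kind}: not restricted")
        report[su] = findings
    return report


if __name__ == "__main__":
    for su, findings in audit(SAMPLE_CORE_SITE).items():
        print(su, "->", findings or "ok")
```

Run it against the core-site.xml the NameNode actually loads, since the thread notes uncertainty about whether the CDH configuration snippet reached the files on disk.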
