
Kerberos Authentication Error - When loading Hadoop Config Files from SharedPath

I am developing a Java application, and this application saves result data to HDFS. The Java application should run on my Windows machine.

We are using Kerberos authentication and we placed a keytab file on a NAS drive. We also saved the Hadoop config files on the same NAS drive.

My issue is that when I load the Hadoop config files from the NAS drive, it throws an authentication error, but my application runs fine if I load the config files from my local file system (I also saved the config files inside C:\Hadoop).

Below is my working code snippet (keytab file on NAS, Hadoop config files in local file system):

    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.fs.Path;
    import org.apache.hadoop.security.UserGroupInformation;

    // Keytab is read from the NAS share (UNC path)
    static String KeyTabPath = "\\\\path\\2\\keytabfile\\name.keytab";

    Configuration config = new Configuration();
    config.set("fs.defaultFS", "hdfs://xxx.xx.xx.com:8020");
    // Hadoop site files are read from the local file system
    config.addResource(new Path("C:\\Hadoop\\core-site.xml"));
    config.addResource(new Path("C:\\Hadoop\\hdfs-site.xml"));
    config.addResource(new Path("C:\\Hadoop\\mapred-site.xml"));
    config.addResource(new Path("C:\\Hadoop\\yarn-site.xml"));
    config.set("fs.hdfs.impl", org.apache.hadoop.hdfs.DistributedFileSystem.class.getName());
    config.set("fs.file.impl", org.apache.hadoop.fs.LocalFileSystem.class.getName());
    // Kerberos Authentication
    config.set("hadoop.security.authentication", "Kerberos");
    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab("[email protected]", KeyTabPath);

I also tried loading the config files from the NAS drive, but I get a Kerberos authentication error. Below is the code snippet which throws the error (keytab file on NAS and Hadoop config files also on NAS):

    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.fs.Path;
    import org.apache.hadoop.security.UserGroupInformation;

    // Keytab is read from the NAS share (UNC path)
    static String KeyTabPath = "\\\\path\\2\\keytabfile\\name.keytab";

    Configuration config = new Configuration();
    config.set("fs.defaultFS", "hdfs://xxx.xx.xx.com:8020");
    // Hadoop site files are also read from the NAS share
    config.addResource(new Path("\\\\NASDrive\\core-site.xml"));
    config.addResource(new Path("\\\\NASDrive\\hdfs-site.xml"));
    config.addResource(new Path("\\\\NASDrive\\mapred-site.xml"));
    config.addResource(new Path("\\\\NASDrive\\yarn-site.xml"));
    config.set("fs.hdfs.impl", org.apache.hadoop.hdfs.DistributedFileSystem.class.getName());
    config.set("fs.file.impl", org.apache.hadoop.fs.LocalFileSystem.class.getName());
    // Kerberos Authentication
    config.set("hadoop.security.authentication", "Kerberos");
    UserGroupInformation.setConfiguration(config);
    UserGroupInformation.loginUserFromKeytab("[email protected]", KeyTabPath);

Below is the error message:

java.io.IOException: Login failure for [email protected] from keytab \\NASdrive\name.keytab: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name [email protected]: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:962)
    at Appname.ldapLookupLoop(Appname.java:111)
    at Appname.main(Appname.java:70)
Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name [email protected]: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:199)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:953)
    ... 2 more
Caused by: java.lang.IllegalArgumentException: Illegal principal name [email protected]: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.User.<init>(User.java:51)
    at org.apache.hadoop.security.User.<init>(User.java:43)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:197)
    ... 14 more
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]
    at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:389)
    at org.apache.hadoop.security.User.<init>(User.java:48)
    ... 16 more
Jul 06, 2016 4:29:14 PM com.XX.it.logging.JdkMapper info
INFO:  IO Exception occured: java.io.IOException: Login failure for [email protected] from keytab \\NASdrive\name.keytab: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name [email protected]: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to [email protected]

So the issue seems to be loading the config files. My application reads the keytab file fine from the NAS drive, but not the Hadoop config files. What could be the issue? I checked all the NAS drive permissions and file permissions. Everything is fine. I don't know where the issue is. Please, can anyone help me find the issue?

Padmanabhan Vijendran asked Jul 06 '16 11:07


1 Answer

You're missing the "DEFAULT" rule for the auth_to_local Kerberos principal name transformation.

org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to

See example here -

https://hadoop.apache.org/docs/current/hadoop-project-dist/hadoop-common/SecureMode.html#Mapping_from_Kerberos_principals_to_OS_user_accounts

So basically just add the word "DEFAULT" at the very end of hadoop.security.auth_to_local in your core-site.xml.

Also check auth_to_local in the Kerberos documentation.

PS. Here's where this exception happens in the Hadoop codebase, in case you're interested in digging deeper into this subject.

Tagar answered Nov 04 '22 22:11
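
A pre-login check for the mapping discussed in the answer, as an added example (not code from the question, the answer or the Hadoop project): it loads a constructed core-site.xml and asks Hadoop's KerberosName which short name the hadoop.security.auth_to_local rules produce, returning null for the "No rules applied to" case. The principal svc_app@EXAMPLE.COM, the realm names and the rules are placeholders, and hadoop-common and hadoop-auth are assumed to be on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.authentication.util.KerberosName;

public class AuthToLocalCheck {
    static final String KEY = "hadoop.security.auth_to_local";

    // Constructed stand-in for a core-site.xml carrying only the mapping rules.
    static String coreSite(String rules) {
        return "<configuration><property><name>" + KEY + "</name><value>"
                + rules + "</value></property></configuration>";
    }

    static Configuration load(String xml) {
        Configuration conf = new Configuration(false); // false: skip built-in defaults
        conf.addResource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return conf;
    }

    // Short name the loaded rules give the principal, or null if no rule applies.
    static String shortName(Configuration conf, String principal) throws IOException {
        String rules = conf.get(KEY);
        if (rules == null) {
            // Nothing was read for this key: the resources did not supply it.
            throw new IllegalStateException(KEY + " is not set in the loaded resources");
        }
        KerberosName.setRules(rules);
        try {
            return new KerberosName(principal).getShortName();
        } catch (KerberosName.NoMatchingRule e) {
            return null; // the "No rules applied to ..." case from the stack trace
        }
    }

    public static void main(String[] args) throws IOException {
        String principal = "svc_app@EXAMPLE.COM"; // placeholder principal
        // A rule written for a different realm: nothing matches EXAMPLE.COM.
        String other = "RULE:[1:$1@$0](.*@OTHER\\.REALM)s/@.*//";
        // An explicit rule for the principal's own realm strips the realm part.
        String own = "RULE:[1:$1@$0](.*@EXAMPLE\\.COM)s/@.*//";

        System.out.println(shortName(load(coreSite(other)), principal));
        System.out.println(shortName(load(coreSite(other + " " + own)), principal));
        // With no file loaded the key is absent and the check fails loudly.
        try { shortName(new Configuration(false), principal); }
        catch (IllegalStateException e) { System.out.println(e.getMessage()); }
    }
}
```

Appending DEFAULT to the rule string, as the answer suggests, maps only principals whose realm equals the Kerberos default realm seen by the JVM, so that result depends on the machine's krb5 configuration.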