I am still stuck with Cloudera security. I followed all the steps and configured security, including installing Kerberos. At the end I created the hdfs user in Kerberos using kadmin. I can do kinit hdfs and verified that there is a ticket. My cluster is running in the Cloudera QuickStart VM.

Then I issued the hdfs dfs -ls / command and it gave me errors:

16/07/12 02:18:50 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "quickstart.cloudera/127.0.0.1"; destination host is: "quickstart.cloudera":8020; 

I searched the internet and came across this post http://www.cloudera.com/documentation/archive/cdh/3-x/3u6/CDH3-Security-Guide/cdh3sg_topic_14_2.html which indicates some problems with Kerberos. It says to first create a ticket using kinit hdfs and then renew the ticket using kinit -R, but NOW this command is also giving the error kinit: Ticket expired while renewing credentials. I again searched the internet and found this link https://blog.godatadriven.com/kerberos_kdc_install.html which indicates modifying the principal's maxrenewlife setting, which I did and verified. But kinit -R is still giving the same error.

Note the OS is CentOS on the Cloudera QuickStart VM. I have been stuck on this point of setting up security for the last 1 week, so any help will be my life saver.

Regards, Shahzad Aslam

After kinit, run klist to check what the actual "lifetime" (usually 10h) and "renewable lifetime" (usually 7 days) of your ticket are. If you are under "lifetime" then you can renew without a password (kinit -R) to get another "lifetime" -- until you finally hit "renewable lifetime". - Samson Scharfrichter
Note that the actual "lifetime" is MIN(client setting, KDC setting) so check your KDC configuration... - Samson Scharfrichter
While reviewing the klist output for the current principal (hdfs) I noticed that "renew until" is exactly the same as when the ticket was issued. So that means I cannot renew. In kdc5.conf the renew_lifetime is 7d and ticket_lifetime is 24h. Is it relevant? Please suggest what setting I should configure. - Shahzad Aslam
RTFM - web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/… >> [libdefaults] renew_lifetime Sets the default renewable lifetime for initial ticket requests. The default value is 0 - Samson Scharfrichter
Setting ticket_lifetime = 86400 and renew_lifetime = 604800 will enforce, on the client side, the usual MAX values set on the KDC side, i.e. 10h and 7d - Samson Scharfrichter
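The klist check Samson describes, as an added example that is not part of this thread: a POSIX shell function that parses klist output and reports whether the krbtgt can still be renewed. The two sample klist outputs are constructed (hypothetical EXAMPLE.COM realm); the first mirrors the asker's symptom, where "renew until" equals "Valid starting".

```shell
#!/bin/sh
# Added example: decide from klist output whether the krbtgt can be renewed.
# If "renew until" is absent or no later than "Expires", kinit -R cannot
# extend the ticket, which is the asker's situation.

# Print one of: renewable | not-renewable | no-tgt, for klist text on stdin.
tgt_renew_status() {
  awk '
    # "MM/DD/YYYY HH:MM:SS" -> "YYYYMMDDHHMMSS", a string that sorts by time.
    function key(d, t,  a) { split(d, a, "/"); gsub(":", "", t); return a[3] a[1] a[2] t }
    /krbtgt\// { start = key($1, $2); expires = key($3, $4); tgt = 1; next }
    tgt == 1   { tgt = 0; if ($1 == "renew" && $2 == "until") renew = key($3, $4) }
    END {
      if (start == "")                          { print "no-tgt" }
      else if (renew == "" || renew <= expires) { print "not-renewable" }
      else                                      { print "renewable" }
    }'
}

# Constructed klist output matching what the asker saw: "renew until" equals
# "Valid starting", so the TGT was issued without a renewable lifetime.
SAMPLE_STUCK='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: hdfs@EXAMPLE.COM

Valid starting       Expires              Service principal
07/12/2016 02:10:00  07/13/2016 02:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/12/2016 02:10:00'

# Constructed output after renew_lifetime (client) and maxrenewlife (principal)
# are set: "renew until" is 7 days out, so kinit -R works until then.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: hdfs@EXAMPLE.COM

Valid starting       Expires              Service principal
07/12/2016 02:10:00  07/13/2016 02:10:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 07/19/2016 02:10:00'

# Wrappers so each constructed case can be checked by name.
check_stuck() { printf '%s\n' "$SAMPLE_STUCK" | tgt_renew_status; }
check_ok()    { printf '%s\n' "$SAMPLE_OK"    | tgt_renew_status; }

# On a real host, after kinit:  klist | tgt_renew_status
```

A "not-renewable" result points at the renewable lifetime (client renew_lifetime, KDC max_renewable_life, principal maxrenewlife) rather than at the ticket lifetime.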

1 Answer