How to create UserGroupInformation from ticket cache in hadoop 1.2
I am having some difficulties when trying to log in to a secure Hadoop
cluster from the ticket cache.
In the UserGroupInformation Java class, there is a method called
loginUserFromKeytab(). I can use this method to log in with keytab files,
and later do some HDFS/hcatalog API calls.

But we don't know how to log in from the ticket cache and create a UGI with this
loginContext.

I have tried these steps:
1. log in as this user: A
2. run kinit, make sure the ticket cache is available under this ticket cache
path: /tmp/krb5cc_uid-number
3. export KRB5CCNAME=/tmp/krb5cc_uid-number
4. run my Java program, which has this code stub below
{
    ...
    Configuration conf = new Configuration();
    // set a bunch of configuration properties
    conf.set("hadoop.security.authentication", "kerberos");
    conf.set("hadoop.security.authorization", "true");
    ...
    UserGroupInformation.setConfiguration(conf);

    // instead of calling loginUserFromKeytab(). I just called getLoginUser(),
    // which I assume will do login and create a new UGI with this loginContext
    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();

    // same hdfs filesystem api calls as what I did when using login from keytab
    // FileSystem.get(new URI(hdfsUri), conf)
}

So far, this approach is not successful. I always get some exceptions:
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
        ... 31 more
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
        at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
        at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
        ... 38 more
I noticed that in Hadoop 2.0.3, there is a new API called
getUGIFromTicketCache(String ticketCache, String user) to pass the ticket cache to UGI.
But in Hadoop 1.2, there is no such method.
Does anyone know how to use the ticket cache to create a UserGroupInformation?

Thanks a lot.
Lin
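
The ticket-cache login from the steps above, reduced to the JDK's JAAS layer, as an added example that is not code from the original post or from Hadoop. It assumes a Sun/Oracle or OpenJDK runtime (for `com.sun.security.auth.module.Krb5LoginModule`); the class name `TicketCacheLoginCheck` and the entry name `ticket-cache-check` are hypothetical, and it does not create a Hadoop `UserGroupInformation`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example: JDK-only check that a kinit ticket cache can back a JAAS login.
public class TicketCacheLoginCheck {

    // In-memory JAAS configuration, so no external jaas.conf file is required.
    static Configuration ticketCacheConfig(String ticketCache) {
        Map<String, String> opts = new HashMap<String, String>();
        opts.put("useTicketCache", "true"); // use the TGT written by kinit
        opts.put("doNotPrompt", "true");    // fail instead of asking for a password
        if (ticketCache != null) {
            opts.put("ticketCache", ticketCache); // explicit cache file path
        }
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // Same entry for every name: a lookup can never come back empty.
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) {
        String cache = System.getenv("KRB5CCNAME");
        if (cache != null && cache.startsWith("FILE:")) {
            cache = cache.substring("FILE:".length()); // option expects a plain path
        }
        try {
            LoginContext lc = new LoginContext("ticket-cache-check",
                    new Subject(), null, ticketCacheConfig(cache));
            lc.login();
            System.out.println("Ticket cache login OK: " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            System.err.println("Ticket cache login failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as the same user and with the same `KRB5CCNAME` as the failing program; a failure here means the problem lies in the cache file or the Kerberos client setup rather than in the Hadoop calls.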