Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
Hadoop, mail # user - Cannot start name node after turning on hadoop security


+
Allan Yan 2012-06-04, 17:37
Copy link to this message
-
Re: Cannot start name node after turning on hadoop security
Allan Yan 2012-06-06, 02:15
Figured it out. Kerberos key is not created properly.

thanks
allan

On Mon, Jun 4, 2012 at 1:05 PM, Allan Yan <[EMAIL PROTECTED]> wrote:

> Sorry, the links should be:
>
>
> http://mail-archives.apache.org/mod_mbox/hadoop-common-user/201202.mbox/%[EMAIL PROTECTED]%3E
>
>
> http://lucene.472066.n3.nabble.com/Starting-datanode-in-secure-mode-td3297090.html
>
> -Hailun Yan
>
> ---------- Forwarded message ----------
> From: Allan Yan <[EMAIL PROTECTED]>
> Date: Mon, Jun 4, 2012 at 12:07 PM
> Subject: Fwd: Cannot start name node after turning on hadoop security
> To: [EMAIL PROTECTED]
>
>
> I found these two threads from mailing list:
>
>
> http://mail-archives.apache.org/mod_mbox/hadoop-common-user/201202.mbox/browser
>
> http://mail-archives.apache.org/mod_mbox/hadoop-common-user/201108.mbox/browser
>
> At least they were able to get name node up. Can someone please pointing
> out why I am getting that error?
>
> Thanks,
> allan
>
> ---------- Forwarded message ----------
> From: Allan Yan <[EMAIL PROTECTED]>
> Date: Mon, Jun 4, 2012 at 10:37 AM
> Subject: Cannot start name node after turning on hadoop security
> To: [EMAIL PROTECTED]
>
>
> My local environment: single ubuntu 11.10 desktop version, oracle jdk
> 7.0_04, MIT kerberos 5, apache hadoop-1.0.2.
>
> I am able to get kerberos working, here is my key:
>
> ------------------------------------------------------------------------------------------------------------------------------------------
> allan@localhost:~/tools/UnlimitedJCEPolicy$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: allan/admin@LOCALDOMAIN
>
> Valid starting     Expires            Service principal
> 06/03/12 22:55:30  06/04/12 08:55:30  krbtgt/LOCALDOMAIN@LOCALDOMAIN
> renew until 06/10/12 22:55:28, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
> aes256-cts-hmac-sha1-96
>
> ------------------------------------------------------------------------------------------------------------------------------------------
>
> However, after turning on hadoop security, I am not able to start name
> node. I turned on java security debug, here is the debug log and error
> message while trying to start NN:
>
> ------------------------------------------------------------------------------------------------------------------------------------------
> starting namenode, logging to
> /usr/local/hadoop-1.0.2/libexec/../logs/hadoop-allan-namenode-localhost.localdomain.out
> Config name: /etc/krb5.conf
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
> localhost: starting datanode, logging to
> /usr/local/hadoop-1.0.2/libexec/../logs/hadoop-allan-datanode-localhost.localdomain.out
> localhost: Config name: /etc/krb5.conf
> localhost: >>>KinitOptions cache name is /tmp/krb5cc_1000
> localhost: >>>DEBUG <CCacheInputStream>  client principal is
> allan/admin@LOCALDOMAIN
> localhost: >>>DEBUG <CCacheInputStream> server principal is
> krbtgt/LOCALDOMAIN@LOCALDOMAIN
> localhost: >>>DEBUG <CCacheInputStream> key type: 18
> localhost: >>>DEBUG <CCacheInputStream> auth time: Sun Jun 03 22:17:13 PDT
> 2012
> localhost: >>>DEBUG <CCacheInputStream> start time: Sun Jun 03 22:17:18
> PDT 2012
> localhost: >>>DEBUG <CCacheInputStream> end time: Mon Jun 04 08:17:18 PDT
> 2012
> localhost: >>>DEBUG <CCacheInputStream> renew_till time: Sun Jun 10
> 22:17:08 PDT 2012
> localhost: >>> CCacheInputStream: readFlags()  FORWARDABLE; RENEWABLE;
> INITIAL; PRE_AUTH;
> localhost: starting secondarynamenode, logging to
> /usr/local/hadoop-1.0.2/libexec/../logs/hadoop-allan-secondarynamenode-localhost.localdomain.out
>
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------------