Re: sqoop import into secure Hbase with kerberos
User,

Could you please provide your KDC logs around the time you tried to
authenticate?

Note: A kerberos client will negotiate the encryption algorithm it can/will
use with the KDC. It may choose AES-256.

-Abe
On Mon, Aug 5, 2013 at 3:55 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:

> I generated a keytab with the following cmd and it supports multiple
> encryption types other than aes256 as listed below.
> But I still get the same error from sqoop import tool because the
> sqoop.keytab is not being read (sqoop being the hbase client in this case).
>
> kadmin:  ktadd -k sqoop.keytab kuser1
> Entry for principal kuser1 with kvno 2, encryption type
> aes256-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type
> aes128-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des3-cbc-sha1
> added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type arcfour-hmac added
> to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des-hmac-sha1
> added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des-cbc-md5 added
> to keytab WRFILE:sqoop.keytab.
>
> Here are some more debug logs I obtained from kerberos -
>
> *kadmin:  getprinc kuser1*
> Principal: [EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Mon Aug 05 15:40:30 PDT 2013
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Mon Aug 05 15:40:30 PDT 2013 (mapr/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 6
> Key: vno 2, aes256-cts-hmac-sha1-96, no salt
> Key: vno 2, aes128-cts-hmac-sha1-96, no salt
> Key: vno 2, des3-cbc-sha1, no salt
> Key: vno 2, arcfour-hmac, no salt
> Key: vno 2, des-hmac-sha1, no salt
> Key: vno 2, des-cbc-md5, no salt
> MKey: vno 1
> Attributes:
> Policy: [none]
>
> *getprinc hbase/qa-node133.qa.lab*
> Principal: hbase/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Mon Jul 29 19:17:46 PDT 2013
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Jul 29 19:17:46 PDT 2013 (kuser1/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 6
> Key: vno 2, aes256-cts-hmac-sha1-96, no salt
> Key: vno 2, aes128-cts-hmac-sha1-96, no salt
> Key: vno 2, des3-cbc-sha1, no salt
> Key: vno 2, arcfour-hmac, no salt
> Key: vno 2, des-hmac-sha1, no salt
> Key: vno 2, des-cbc-md5, no salt
> MKey: vno 1
> Attributes:
> Policy: [none]
>
>
> Thanks,
> Suhas.
>
>
> On Mon, Aug 5, 2013 at 2:29 PM, Abraham Elmahrek <[EMAIL PROTECTED]> wrote:
>
>> There should be a password. You should have a keytab associated with that
>> principal, which would allow you to authenticate as that principal. See
>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.html for more details on how that works.
>>
>> A couple of things...
>> 1. You need to make your kerberos credentials renewable. Right now it
>> seems like you cannot renew. See
>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html
>> .
>> 2. AES256 encryption is not inherently supported. Did you install support
>> for AES256?
>>
>> -Abe
>>
>>
>> On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:
>>
>>> klist -e -v
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: [EMAIL PROTECTED]
>>>
>>> Valid starting     Expires            Service principal
>>> 08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/[EMAIL PROTECTED]
>>> renew until 08/05/13 12:34:42, Etype (skey, tkt):
>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
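
Added example, not part of the original thread: a small Python checker that reads `kadmin getprinc` output (pasted plain or `>`-quoted from mail) and reports the two conditions raised above, a zero maximum renewable life and the presence of an AES-256 key. The sample input is constructed, `EXAMPLE.COM` is a placeholder realm, and the function names and finding labels are illustrative assumptions.

```python
import re
from datetime import timedelta

# Constructed sample modelled on the getprinc output quoted in the thread;
# EXAMPLE.COM is a placeholder realm (the archive redacts the real one).
SAMPLE_GETPRINC = """\
Principal: kuser1@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
MKey: vno 1
"""

_LIFE = re.compile(r"(\d+) days? (\d+):(\d+):(\d+)")

def _life(value):
    """Convert kadmin's 'N day(s) HH:MM:SS' into a timedelta."""
    m = _LIFE.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised lifetime: {value!r}")
    d, h, mi, s = map(int, m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def parse_getprinc(text):
    """Extract principal name, lifetimes and key enctypes from getprinc output."""
    info = {"enctypes": []}
    for line in text.splitlines():
        key, _, value = line.lstrip("> ").partition(":")  # tolerate mail quoting
        key, value = key.strip(), value.strip()
        if key == "Principal":
            info["principal"] = value
        elif key in ("Maximum ticket life", "Maximum renewable life"):
            info[key] = _life(value)
        elif key == "Key":
            # "vno 2, aes256-cts-hmac-sha1-96, no salt" -> middle field
            info["enctypes"].append(value.split(",")[1].strip())
    return info

def findings(info):
    """Return the conditions discussed in the thread, if present."""
    out = []
    if info.get("Maximum renewable life") == timedelta(0):
        out.append("not-renewable")  # tickets for this principal cannot be renewed
    if any(e.startswith("aes256") for e in info["enctypes"]):
        out.append("aes256-key-present")  # client needs AES-256 support installed
    return out
```
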