Re: sqoop import into secure Hbase with kerberos
User,

Could you please provide your KDC logs around the time you tried to
authenticate?

Note: A Kerberos client will negotiate the encryption algorithm it can/will
use with the KDC. It may choose AES-256.

-Abe
On Mon, Aug 5, 2013 at 3:55 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:

> I generated a keytab with the following cmd and it supports multiple
> encryption types other than aes256 as listed below.
> But I still get the same error from sqoop import tool because the
> sqoop.keytab is not being read (sqoop being the hbase client in this case).
>
> kadmin:  ktadd -k sqoop.keytab kuser1
> Entry for principal kuser1 with kvno 2, encryption type
> aes256-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type
> aes128-cts-hmac-sha1-96 added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des3-cbc-sha1
> added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type arcfour-hmac added
> to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des-hmac-sha1
> added to keytab WRFILE:sqoop.keytab.
> Entry for principal kuser1 with kvno 2, encryption type des-cbc-md5 added
> to keytab WRFILE:sqoop.keytab.
>
> Here are some more debug logs I obtained from kerberos -
>
> *kadmin:  getprinc kuser1*
> Principal: [EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Mon Aug 05 15:40:30 PDT 2013
> Password expiration date: [none]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Mon Aug 05 15:40:30 PDT 2013 (mapr/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 6
> Key: vno 2, aes256-cts-hmac-sha1-96, no salt
> Key: vno 2, aes128-cts-hmac-sha1-96, no salt
> Key: vno 2, des3-cbc-sha1, no salt
> Key: vno 2, arcfour-hmac, no salt
> Key: vno 2, des-hmac-sha1, no salt
> Key: vno 2, des-cbc-md5, no salt
> MKey: vno 1
> Attributes:
> Policy: [none]
>
> *getprinc hbase/qa-node133.qa.lab*
> Principal: hbase/[EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Mon Jul 29 19:17:46 PDT 2013
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Mon Jul 29 19:17:46 PDT 2013 (kuser1/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 6
> Key: vno 2, aes256-cts-hmac-sha1-96, no salt
> Key: vno 2, aes128-cts-hmac-sha1-96, no salt
> Key: vno 2, des3-cbc-sha1, no salt
> Key: vno 2, arcfour-hmac, no salt
> Key: vno 2, des-hmac-sha1, no salt
> Key: vno 2, des-cbc-md5, no salt
> MKey: vno 1
> Attributes:
> Policy: [none]
>
>
> Thanks,
> Suhas.
>
>
> On Mon, Aug 5, 2013 at 2:29 PM, Abraham Elmahrek <[EMAIL PROTECTED]> wrote:
>
>> There should be a password. You should have a keytab associated with that
>> principal, which would allow you to authenticate as that principal. See
>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.html for more details on how that works.
>>
>> A couple of things...
>> 1. You need to make your kerberos credentials renewable. Right now it
>> seems like you cannot renew. See
>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html
>> .
>> 2. AES256 encryption is not inherently supported. Did you install support
>> for AES256?
>>
>> -Abe
>>
>>
>> On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:
>>
>>> klist -e -v
>>>
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: [EMAIL PROTECTED]
>>>
>>> Valid starting     Expires            Service principal
>>> 08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/[EMAIL PROTECTED]
>>> renew until 08/05/13 12:34:42, Etype (skey, tkt):
>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
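
The two points raised in the quoted reply (renewable credentials and AES-256) can be checked mechanically from `klist -e` and `kadmin getprinc` output. The following is an added example, not part of the original thread; the realm `EXAMPLE.COM`, the principal `user`, and the function names are assumptions standing in for the redacted values.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the shape of the thread's output; EXAMPLE.COM and
# "user" are placeholders for the redacted realm and default principal.
KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
GETPRINC = """Principal: kuser1@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
"""
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
# \s+ between fields also matches the line breaks a mail client inserts.
TICKET = re.compile(STAMP + r"\s+" + STAMP + r"\s+(\S+)\s+renew until " + STAMP
                    + r", Etype \(skey, tkt\):\s+(\S+),\s+(\S+)")

def check_klist(text):
    """Flag tickets with no renewal window and tickets that use AES-256."""
    findings = []
    for m in TICKET.finditer(text):
        start, renew = (datetime.strptime(m.group(i), "%m/%d/%y %H:%M:%S") for i in (1, 4))
        if renew <= start:  # renew-until not after start: nothing left to renew
            findings.append((m.group(3), "not-renewable"))
        if any(e.startswith("aes256") for e in m.group(5, 6)):
            findings.append((m.group(3), "aes256-in-use"))
    return findings

def check_getprinc(text):
    """Return (renewable life, key etypes, findings) for one kadmin getprinc dump."""
    d, h, mi, s = map(int, re.search(
        r"Maximum renewable life: (\d+) days? (\d+):(\d+):(\d+)", text).groups())
    life = timedelta(days=d, hours=h, minutes=mi, seconds=s)
    etypes = re.findall(r"^Key: vno \d+, ([^,\s]+)", text, re.M)
    findings = ["renewable-life-zero"] if life == timedelta(0) else []
    return life, etypes, findings

if __name__ == "__main__":
    print(check_klist(KLIST))
    print(check_getprinc(GETPRINC))
```

Strip the leading `>` quote markers before feeding pasted mail text to these functions.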