Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
Sqoop >> mail # user >> sqoop import into secure Hbase with kerberos


+
Suhas Satish 2013-08-05, 19:15
+
Abraham Elmahrek 2013-08-05, 19:52
+
Suhas Satish 2013-08-05, 20:53
Copy link to this message
-
Re: sqoop import into secure Hbase with kerberos
There should be a password. You should have a keytab associated with that
principal, which would allow you to authenticate as that principal. See
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.htmlfor
more details on how that works.

A couple of things...
1. You need to make your kerberos credentials renewable. Right now it seems
like you cannot renew. See
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html
.
2. AES256 encryption is not inherently supported. Did you install support
for AES256?

-Abe
On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:

> klist -e -v
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/[EMAIL PROTECTED]
> renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
> aes256-cts-hmac-sha1-96
>
> Kerberos 5 version 1.10.3
>
> The principal in hbase-site.xml is
> hbase/[EMAIL PROTECTED]
>
> How do I create a credential using kinit matching that in hbase-site.xml?
>  kinit  hbase/qa-node133.qa.lab   throws an error msg
> *kinit: Password incorrect while getting initial credentials*
> *although I know that there is no password for that principal. *
> *
> *
> *
> *
>
> Cheers,
> Suhas.
>
>
> On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[EMAIL PROTECTED]>wrote:
>
>> Hi there,
>>
>> It seems like your client isn't authenticated in both cases. You seem to
>> be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if
>> your user is already authenticated. Internally, Sqoop is generating
>> delegation tokens to communicate with HBase. It cannot do that without
>> being properly authenticated first though.
>>
>> Could you provide the output of the following command:
>> "klist -e -v"
>>
>> -Abe
>>
>>
>> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <[EMAIL PROTECTED]>wrote:
>>
>>> I have configured hbase 94.9  with kerberos successfully for
>>> authentication and authorization as mentioned in the CDH security docs. I
>>> am using sqoop 1.4.3. Is there any configuration required from the sqoop
>>> client side for kerberos?
>>>
>>> I have the following permissions on hbase tables -
>>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo'
>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>>> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
>>> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN)
>>>
>>>
>>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB    --table t1
>>>  --hbase-table  t1  --column-family world
>>>
>>>
>>> When I try to import into it using sqoop with the above cmd, I get the
>>> following error -
>>>
>>>
>>> 2013-08-05 11:59:33,121 ERROR
>>> org.apache.hadoop.hbase.regionserver.HRegionServer:
>>> org.apache.hadoop.hbase.security.AccessDeniedException: Token generation
>>> only allowed for Kerberos authenticated clients
>>> at
>>> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
>>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>  at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>  at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576)
>>> at
>>> org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868)
>>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>  at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
+
Suhas Satish 2013-08-05, 22:55
+
Abraham Elmahrek 2013-08-05, 23:48
+
Suhas Satish 2013-08-06, 17:31
+
Suhas Satish 2013-08-06, 18:09
+
Abraham Elmahrek 2013-08-06, 18:13
+
Abraham Elmahrek 2013-08-06, 18:23
+
Suhas Satish 2013-08-06, 20:30
+
Jarek Jarcec Cecho 2013-08-11, 20:10
+
Suhas Satish 2013-08-11, 23:10