Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Plain View
Sqoop >> mail # user >> sqoop import into secure Hbase with kerberos


+
Suhas Satish 2013-08-05, 19:15
+
Abraham Elmahrek 2013-08-05, 19:52
+
Suhas Satish 2013-08-05, 20:53
Copy link to this message
-
Re: sqoop import into secure Hbase with kerberos
There should be a password. You should have a keytab associated with that
principal, which would allow you to authenticate as that principal. See
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/CDH4-Security-Guide.htmlfor
more details on how that works.

A couple of things...
1. You need to make your kerberos credentials renewable. Right now it seems
like you cannot renew. See
http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/latest/CDH4-Security-Guide/cdh4sg_topic_17.html
.
2. AES256 encryption is not inherently supported. Did you install support
for AES256?

-Abe
On Mon, Aug 5, 2013 at 1:53 PM, Suhas Satish <[EMAIL PROTECTED]> wrote:

> klist -e -v
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 08/05/13 12:34:42  08/05/13 22:34:42  krbtgt/[EMAIL PROTECTED]
> renew until 08/05/13 12:34:42, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
> aes256-cts-hmac-sha1-96
>
> Kerberos 5 version 1.10.3
>
> The principal in hbase-site.xml is
> hbase/[EMAIL PROTECTED]
>
> How do I create a credential using kinit matching that in hbase-site.xml?
>  kinit  hbase/qa-node133.qa.lab   throws an error msg
> *kinit: Password incorrect while getting initial credentials*
> *although I know that there is no password for that principal. *
> *
> *
> *
> *
>
> Cheers,
> Suhas.
>
>
> On Mon, Aug 5, 2013 at 12:52 PM, Abraham Elmahrek <[EMAIL PROTECTED]>wrote:
>
>> Hi there,
>>
>> It seems like your client isn't authenticated in both cases. You seem to
>> be receiving errors from HBase and Sqoop. Sqoop 1.4.3 should simply work if
>> your user is already authenticated. Internally, Sqoop is generating
>> delegation tokens to communicate with HBase. It cannot do that without
>> being properly authenticated first though.
>>
>> Could you provide the output of the following command:
>> "klist -e -v"
>>
>> -Abe
>>
>>
>> On Mon, Aug 5, 2013 at 12:15 PM, Suhas Satish <[EMAIL PROTECTED]>wrote:
>>
>>> I have configured hbase 94.9  with kerberos successfully for
>>> authentication and authorization as mentioned in the CDH security docs. I
>>> am using sqoop 1.4.3. Is there any configuration required from the sqoop
>>> client side for kerberos?
>>>
>>> I have the following permissions on hbase tables -
>>> hbase(main):003:0> grant 'kuser1', 'RWXCA', 'demo'
>>> ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
>>> org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
>>> permissions (user=kuser1, scope=demo, family=, qualifer=, action=ADMIN)
>>>
>>>
>>> bin/sqoop import --connect jdbc:mysql://10.10.1.10/TestDB    --table t1
>>>  --hbase-table  t1  --column-family world
>>>
>>>
>>> When I try to import into it using sqoop with the above cmd, I get the
>>> following error -
>>>
>>>
>>> 2013-08-05 11:59:33,121 ERROR
>>> org.apache.hadoop.hbase.regionserver.HRegionServer:
>>> org.apache.hadoop.hbase.security.AccessDeniedException: Token generation
>>> only allowed for Kerberos authenticated clients
>>> at
>>> org.apache.hadoop.hbase.security.token.TokenProvider.getAuthenticationToken(TokenProvider.java:87)
>>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>  at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>  at org.apache.hadoop.hbase.regionserver.HRegion.exec(HRegion.java:5576)
>>> at
>>> org.apache.hadoop.hbase.regionserver.HRegionServer.execCoprocessor(HRegionServer.java:3868)
>>>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>  at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>> at java.lang.reflect.Method.invoke(Method.java:597)
+
Suhas Satish 2013-08-05, 22:55
+
Abraham Elmahrek 2013-08-05, 23:48
+
Suhas Satish 2013-08-06, 17:31
+
Suhas Satish 2013-08-06, 18:09
+
Abraham Elmahrek 2013-08-06, 18:13
+
Abraham Elmahrek 2013-08-06, 18:23
+
Suhas Satish 2013-08-06, 20:30
+
Jarek Jarcec Cecho 2013-08-11, 20:10
+
Suhas Satish 2013-08-11, 23:10
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB