Posted to dev@storm.apache.org by "Rick Kellogg (JIRA)" <ji...@apache.org> on 2015/10/05 03:16:26 UTC

[jira] [Closed] (STORM-771) Authentication with Kerberos

     [ https://issues.apache.org/jira/browse/STORM-771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Kellogg closed STORM-771.
------------------------------
    Resolution: Invalid

> Authentication with Kerberos
> ----------------------------
>
>                 Key: STORM-771
>                 URL: https://issues.apache.org/jira/browse/STORM-771
>             Project: Apache Storm
>          Issue Type: Question
>          Components: storm-core
>    Affects Versions: 0.9.1-incubating
>            Reporter: robinlin
>
> I am using Storm in a Kerberized Cluster. 
> There is a user "Robin" on the Storm server, and I followed the steps below to generate a keytab for Robin.
> {noformat}
> # /usr/sbin/kadmin.local
> # kadmin.local: addprinc -randkey Robin@EXAMPLE.COM
> # kadmin.local: xst -norandkey -k Robin.keytab Robin
> # scp Robin.keytab Robin@storm_server:/home/Robin
> {noformat}
> After this, I log in to the Storm server as Robin and authenticate Robin with his own keytab (Robin.keytab).
> {noformat}
> # kinit -k -t Robin.keytab Robin
> {noformat}
> The output of klist is
> {noformat}
> Ticket cache: FILE:/tmp/krb5cc_1006
> Default principal: Robin@EXAMPLE.COM
> Valid starting     Expires            Service principal
> 04/15/15 11:34:19  04/16/15 11:34:19  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>         renew until 04/15/15 11:34:19
> {noformat}
> But an authentication error occurred when I executed
> {noformat}
> #storm list
> {noformat}
> The error was
> {noformat}
> Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: No password provided
>         at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:108)
>         at backtype.storm.security.auth.TBackoffConnect.doConnectWithRetry(TBackoffConnect.java:48)
>         at backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:97)
>         at backtype.storm.security.auth.ThriftClient.<init>(ThriftClient.java:66)
>         at backtype.storm.utils.NimbusClient.<init>(NimbusClient.java:47)
>         at backtype.storm.thrift$nimbus_client_and_conn.invoke(thrift.clj:71)
>         at backtype.storm.command.list$_main.invoke(list.clj:22)
>         at clojure.lang.AFn.applyToHelper(AFn.java:159)
>         at clojure.lang.AFn.applyTo(AFn.java:151)
>         at backtype.storm.command.list.main(Unknown Source)
> Caused by: javax.security.auth.login.LoginException: No password provided
>         at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:878)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
> {noformat}
> Here are my Kerberos settings in "storm.yaml"
> {noformat}
> storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
> storm.zookeeper.superACL: "sasl:storm"
> java.security.auth.login.config: "/etc/storm/conf/storm_jaas.conf"
> nimbus.admins:
>   - "storm"
> nimbus.supervisor.users:
>   - "storm"
> nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
> drpc.authorizer: "backtype.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer"
> ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
> ui.filter.params:
>   "type": "kerberos"
>   "kerberos.principal": "HTTP/slave"
>   "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
>   "kerberos.name.rules": "DEFAULT"
> supervisor.enable: true
> {noformat}
> And "storm_jaas.conf"
> {noformat}
> StormServer {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useKeyTab=true
>    keyTab="/etc/security/keytabs/nimbus.service.keytab"
>    storeKey=true
>    useTicketCache=false
>    principal="nimbus/slave@EXAMPLE.COM";
> };
> StormClient {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useKeyTab=true
>    keyTab="/etc/security/keytabs/storm.service.keytab"
>    storeKey=true
>    useTicketCache=false
>    serviceName="nimbus"
>    principal="storm@EXAMPLE.COM";
> };
> Client {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useKeyTab=true
>    keyTab="/etc/security/keytabs/storm.service.keytab"
>    storeKey=true
>    useTicketCache=false
>    serviceName="zookeeper"
>    principal="storm@EXAMPLE.COM";
> };
> {noformat}
> By the way, the cluster is installed via Ambari 1.7.
> Thanks in advance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
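
An added example, not part of the original report or of Storm's code: a small check that parses a JAAS file like the quoted storm_jaas.conf and flags sections whose `Krb5LoginModule` settings cannot use the calling user's credentials, which is the state in which the module reaches `promptForPass` as in the stack trace. It assumes, which the report does not state, that the user running `storm list` may be unable to read the service keytab; `parse_jaas` and `check_section` are hypothetical helper names.

```python
import os
import re

# Constructed sample: the StormClient section quoted in the report above.
SAMPLE_JAAS = """
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.service.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm@EXAMPLE.COM";
};
"""

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s;]+)"?')


def parse_jaas(text):
    """Return {section name: {option: value}} for each JAAS login section."""
    return {name: dict(OPTION_RE.findall(body))
            for name, body in SECTION_RE.findall(text)}


def check_section(name, opts, can_read=lambda p: os.access(p, os.R_OK)):
    """Hypothetical helper: list reasons this section cannot log in as the caller."""
    def flag(key):
        return opts.get(key, "false").lower() == "true"
    findings = []
    keytab = opts.get("keyTab")
    # Assumption being tested: the keytab named here is unreadable to this user.
    if flag("useKeyTab") and keytab and not can_read(keytab):
        findings.append(f"{name}: keytab {keytab} is not readable by this user")
        if not flag("useTicketCache"):
            findings.append(f"{name}: useTicketCache=false, so the kinit ticket "
                            "cache is ignored and the module asks for a password")
    return findings


if __name__ == "__main__":
    for section, options in parse_jaas(SAMPLE_JAAS).items():
        for finding in check_section(section, options):
            print(finding)
```

Run it as the same OS user that runs the `storm` command, pointing `parse_jaas` at the file named by `java.security.auth.login.config`.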