Unable to connect to Hbase when Kerberos Enabled

[horaamit <ho...@gmail.com>]

I enabled Kerberos to secure hadoop and generated key tab for principal
test@EXAMPLE.COM and provided test user RX (read execute) permission using
hbase shell -grant command when i do kinit -k -t test.keytab
test@EXAMPLE.COM

everything works fine .I am trying to do the same thing like reading table
via Java code/Java Client using below code

     System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "D-9539.kpit.com");
        //System.setProperty("sun.security.krb5.debug", "true");

    Configuration config = HBaseConfiguration.create();
    config.set("hadoop.security.authentication", "Kerberos");
    config.set("hbase.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(config);
    config.set("hbase.zookeeper.quorum", "D-9539.kpit.com");
    config.setInt("zookeeper.recovery.retry",1);
    config.set("zookeeper.znode.parent","/hbase-secure");
    config.set("hbase.client.retries.number", Integer.toString(2));
    config.set("zookeeper.session.timeout", Integer.toString(60000));
      UserGroupInformation userGroupInformation =
UserGroupInformation.loginUserFromKeytabAndReturnUGI("mohanv@EXAMPLE.COM",
"D:\\mohanv.keytab" );
      //UserGroupInformation userGroupInformation =
UserGroupInformation.loginUserFromKeytabAndReturnUGI("hbase-D9539@EXAMPLE.COM",
"/Users/guest/Work/workspace/hbase.headless.keytab" );
    UserGroupInformation.setLoginUser(userGroupInformation);
    Connection conn = ConnectionFactory.createConnection(config);
    TableName tablename=TableName.valueOf("tweetTest2");
    Table table = conn.getTable(tablename);
    Get get=new Get(Bytes.toBytes("row1")) ;
    get.addFamily(Bytes.toBytes("twt"));

    System.out.println(Bytes.toString(table.get(get).getRow()));
But getting

*org.apache.hadoop.hbase.client.RetriesExhaustedException:*
and then

*clientClosingConnectionException*



--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Unable-to-connect-to-Hbase-when-Kerberos-Enabled-tp4079897.html
Sent from the HBase User mailing list archive at Nabble.com.

Re: Unable to connect to Hbase when Kerberos Enabled

[Ted Yu <yu...@gmail.com>]

Looks like there were pictures in the second email which didn't go through.

Please paste text.

Cheers

On Tue, May 10, 2016 at 12:13 AM, horaamit <ho...@gmail.com> wrote:

> After making few changes to my code
>
>
>
> I am getting exception ,please find below stack trace
>
>
>
>
> --
> View this message in context:
> http://apache-hbase.679495.n3.nabble.com/Unable-to-connect-to-Hbase-when-Kerberos-Enabled-tp4079897p4079901.html
> Sent from the HBase User mailing list archive at Nabble.com.
>

Re: Unable to connect to Hbase when Kerberos Enabled

[horaamit <ho...@gmail.com>]

After making few changes to my code 



I am getting exception ,please find below stack trace




--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Unable-to-connect-to-Hbase-when-Kerberos-Enabled-tp4079897p4079901.html
Sent from the HBase User mailing list archive at Nabble.com.

Re: Unable to connect to Hbase when Kerberos Enabled

[horaamit <ho...@gmail.com>]

After enabling debug logs i am getting below warning
*2016-05-10 11:29:18 WARN  AbstractRpcClient:695 - Couldn't setup connection
for mohanv@EXAMPLE.COM to null*

below is the full log

2016-05-10 11:29:06 DEBUG ZooKeeperSaslClient:222 - JAAS loginContext is:
Client
Looking for keys for: guest@EXAMPLE.COM
2016-05-10 11:29:06 WARN  ZooKeeperSaslClient:492 - Could not login: the
client is being asked for a password, but the Zookeeper client code does not
currently support obtaining a password from the user. Make sure that the
client is configured to use a ticket cache (using the JAAS configuration
setting 'useTicketCache=true)' and restart the client. If you still get this
message after that, the TGT in the ticket cache has expired and must be
manually refreshed. To do so, first determine if you are using a password or
a keytab. If the former, run kinit in a Unix shell in the environment of the
user who is running this Zookeeper client using the command 'kinit <princ>'
(where <princ> is the name of the client's Kerberos principal). If the
latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the
Kerberos principal, and <keytab> is the location of the keytab file). After
manually refreshing your cache, restart this client. If you continue to see
this message after manually refreshing your cache, ensure that your KDC
host's clock is in sync with this host's clock.
2016-05-10 11:29:06 WARN  ClientCnxn:957 - SASL configuration failed:
javax.security.auth.login.LoginException: No password provided Will continue
connection to Zookeeper server without SASL authentication, if Zookeeper
server allows it.
2016-05-10 11:29:06 INFO  ClientCnxn:975 - Opening socket connection to
server 10.10.167.160/10.10.167.160:2181
2016-05-10 11:29:06 INFO  ClientCnxn:852 - Socket connection established to
10.10.167.160/10.10.167.160:2181, initiating session
2016-05-10 11:29:06 DEBUG ClientCnxn:892 - Session establishment request
sent on 10.10.167.160/10.10.167.160:2181
2016-05-10 11:29:06 INFO  ClientCnxn:1235 - Session establishment complete
on server 10.10.167.160/10.10.167.160:2181, sessionid = 0x154942b617f0091,
negotiated timeout = 40000
2016-05-10 11:29:06 DEBUG ClientCnxn:818 - Reading reply
sessionid:0x154942b617f0091, packet:: clientPath:null serverPath:null
finished:false header:: 1,3  replyHeader:: 1,1071,0  request::
'/hbase-secure/hbaseid,F  response::
s{366,704,1462520624801,1462777191424,1,0,0,0,67,0,366} 
2016-05-10 11:29:06 DEBUG ClientCnxn:818 - Reading reply
sessionid:0x154942b617f0091, packet:: clientPath:null serverPath:null
finished:false header:: 2,4  replyHeader:: 2,1071,0  request::
'/hbase-secure/hbaseid,F  response::
#ffffffff000146d61737465723a3136303030ffffffe2249ffffff9bfffffffa4182c50425546a2465663763396261312d353931612d343337322d616462322d666234316437346261383837,s{366,704,1462520624801,1462777191424,1,0,0,0,67,0,366} 
2016-05-10 11:29:06 DEBUG ClientCnxn:818 - Reading reply
sessionid:0x154942b617f0091, packet:: clientPath:null serverPath:null
finished:false header:: 3,8  replyHeader:: 3,1071,0  request::
'/hbase-secure,F  response::
v{'replication,'meta-region-server,'rs,'splitWAL,'backup-masters,'table-lock,'flush-table-proc,'region-in-transition,'online-snapshot,'acl,'master,'running,'recovering-regions,'tokenauth,'draining,'namespace,'hbaseid,'table} 
2016-05-10 11:29:06 DEBUG ClientCnxn:818 - Reading reply
sessionid:0x154942b617f0091, packet:: clientPath:null serverPath:null
finished:false header:: 4,4  replyHeader:: 4,1071,0  request::
'/hbase-secure/meta-region-server,F  response::
#ffffffff0001a726567696f6e7365727665723a3136303230ffffffffffffff80ffffffa619062791e50425546a1baf442d393533392e6b7069742e636f6d10ffffff947d18ffffffacffffffa9fffffff4ffffffa1ffffffc92a100183,s{720,720,1462777203232,1462777203232,0,0,0,0,68,0,720} 
>>>KinitOptions cache name is /tmp/krb5cc_501
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> Found no TGT's in LSA
2016-05-10 11:29:08 WARN  UserGroupInformation:1113 - Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
2016-05-10 11:29:12 WARN  UserGroupInformation:1113 - Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
2016-05-10 11:29:15 WARN  UserGroupInformation:1113 - Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
2016-05-10 11:29:17 WARN  UserGroupInformation:1113 - Not attempting to
re-login since the last re-login was attempted less than 600 seconds before.
2016-05-10 11:29:18 *WARN  AbstractRpcClient:695 - Couldn't setup connection
for mohanv@EXAMPLE.COM to null*



--
View this message in context: http://apache-hbase.679495.n3.nabble.com/Unable-to-connect-to-Hbase-when-Kerberos-Enabled-tp4079897p4079899.html
Sent from the HBase User mailing list archive at Nabble.com.