Posted to dev@storm.apache.org by "Rick Kellogg (JIRA)" <ji...@apache.org> on 2015/10/05 03:15:27 UTC
[jira] [Reopened] (STORM-771) Authentication with Kerberos
[ https://issues.apache.org/jira/browse/STORM-771?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Kellogg reopened STORM-771:
--------------------------------
> Authentication with Kerberos
> ----------------------------
>
> Key: STORM-771
> URL: https://issues.apache.org/jira/browse/STORM-771
> Project: Apache Storm
> Issue Type: Question
> Components: storm-core
> Affects Versions: 0.9.1-incubating
> Reporter: robinlin
>
> I am using Storm in a Kerberized Cluster.
> There is a user "Robin" on the Storm server, and I followed the steps below to generate a keytab for Robin.
> {noformat}
> # /usr/sbin/kadmin.local
> # kadmin.local: addprinc -randkey Robin@EXAMPLE.COM
> # kadmin.local: xst -norandkey -k Robin.keytab Robin
> # scp Robin.keytab Robin@storm_server:/home/Robin
> {noformat}
> After this, I log in to the Storm server as Robin and authenticate Robin with his own keytab (Robin.keytab):
> {noformat}
> # kinit -k -t Robin.keytab Robin
> {noformat}
> The output of klist is
> {noformat}
> Ticket cache: FILE:/tmp/krb5cc_1006
> Default principal: Robin@EXAMPLE.COM
> Valid starting Expires Service principal
> 04/15/15 11:34:19 04/16/15 11:34:19 krbtgt/EXAMPLE.COM@EXAMPLE.COM
> renew until 04/15/15 11:34:19
> {noformat}
> But an authentication error occurred when I executed
> {noformat}
> #storm list
> {noformat}
> The error was
> {noformat}
> Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: No password provided
> at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:108)
> at backtype.storm.security.auth.TBackoffConnect.doConnectWithRetry(TBackoffConnect.java:48)
> at backtype.storm.security.auth.ThriftClient.reconnect(ThriftClient.java:97)
> at backtype.storm.security.auth.ThriftClient.<init>(ThriftClient.java:66)
> at backtype.storm.utils.NimbusClient.<init>(NimbusClient.java:47)
> at backtype.storm.thrift$nimbus_client_and_conn.invoke(thrift.clj:71)
> at backtype.storm.command.list$_main.invoke(list.clj:22)
> at clojure.lang.AFn.applyToHelper(AFn.java:159)
> at clojure.lang.AFn.applyTo(AFn.java:151)
> at backtype.storm.command.list.main(Unknown Source)
> Caused by: javax.security.auth.login.LoginException: No password provided
> at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:878)
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
> {noformat}
> Here are my Kerberos settings in "storm.yaml"
> {noformat}
> storm.principal.tolocal: "backtype.storm.security.auth.KerberosPrincipalToLocal"
> storm.zookeeper.superACL: "sasl:storm"
> java.security.auth.login.config: "/etc/storm/conf/storm_jaas.conf"
> nimbus.admins:
> - "storm"
> nimbus.supervisor.users:
> - "storm"
> nimbus.authorizer: "backtype.storm.security.auth.authorizer.SimpleACLAuthorizer"
> drpc.authorizer: "backtype.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer"
> ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
> ui.filter.params:
> "type": "kerberos"
> "kerberos.principal": "HTTP/slave"
> "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
> "kerberos.name.rules": "DEFAULT"
> supervisor.enable: true
> {noformat}
> And "storm_jaas.conf"
> {noformat}
> StormServer {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/etc/security/keytabs/nimbus.service.keytab"
> storeKey=true
> useTicketCache=false
> principal="nimbus/slave@EXAMPLE.COM";
> };
> StormClient {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/etc/security/keytabs/storm.service.keytab"
> storeKey=true
> useTicketCache=false
> serviceName="nimbus"
> principal="storm@EXAMPLE.COM";
> };
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=true
> keyTab="/etc/security/keytabs/storm.service.keytab"
> storeKey=true
> useTicketCache=false
> serviceName="zookeeper"
> principal="storm@EXAMPLE.COM";
> };
> {noformat}
> By the way, the cluster is installed via Ambari 1.7.
> Thanks in advance.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)