You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-dev@hadoop.apache.org by "Jakob Homan (JIRA)" <ji...@apache.org> on 2012/05/04 03:22:52 UTC
[jira] [Created] (HDFS-3367) WebHDFS doesn't use the logged in user
when opening connections
Jakob Homan created HDFS-3367:
---------------------------------
Summary: WebHDFS doesn't use the logged in user when opening connections
Key: HDFS-3367
URL: https://issues.apache.org/jira/browse/HDFS-3367
Project: Hadoop HDFS
Issue Type: Bug
Affects Versions: 1.0.2
Reporter: Jakob Homan
Something along the lines of
{noformat}
UserGroupInformation.loginUserFromKeytab(<blah blah>)
Filesystem fs = FileSystem.get(new URI("webhdfs://blah"), conf)
{noformat}
doesn't work as webhdfs doesn't use the correct context and the user shows up to the spnego filter without kerberos credentials:
{noformat}Exception in thread "main" java.io.IOException: Authentication failed, url=http://<NN>:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN&user.name=<USER>
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:337)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.httpConnect(WebHdfsFileSystem.java:347)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.run(WebHdfsFileSystem.java:403)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getDelegationToken(WebHdfsFileSystem.java:675)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initDelegationToken(WebHdfsFileSystem.java:176)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.initialize(WebHdfsFileSystem.java:160)
at org.apache.hadoop.fs.FileSystem.createFileSystem(FileSystem.java:1386)
...
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:232)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:141)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:217)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.getHttpUrlConnection(WebHdfsFileSystem.java:332)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
...{noformat}
Explicitly getting the current user's context via a doAs block works, but this should be done by webhdfs.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira