Posted to user@hadoop.apache.org by Lin Shao <mo...@gmail.com> on 2013/06/29 07:44:10 UTC

How to create UserGroupInformation from ticket cache in hadoop 1.2

I am having some difficulties when trying to log in to a secure Hadoop
cluster from the ticket cache.
In the UserGroupInformation Java class, there is a method called
loginUserFromKeytab(). I can use this method to log in with keytab files,
and later do some HDFS/HCatalog API calls.

But we don't know how to log in from the ticket cache and create a UGI with this
loginContext.

I have tried these steps:
1. log in as this user: A
2. run kinit, make sure the ticket cache is available under this ticket cache
path: /tmp/krb5cc_uid-number
3. export KRB5CCNAME=/tmp/krb5cc_uid-number
4. run my Java program, which has this code stub below
{
...
Configuration conf = new Configuration();
// set a bunch of configuration properties
conf.set("hadoop.security.authentication", "kerberos");
conf.set("hadoop.security.authorization", "true");
...
UserGroupInformation.setConfiguration(conf);

// instead of calling loginUserFromKeytab(), I just called getLoginUser(),
// which I assume will do login and create a new UGI with this loginContext
UserGroupInformation loginUser = UserGroupInformation.getLoginUser();

//same hdfs filesystem api calls as what I did when using login from keytab

//FileSystem.get(new URI(hdfsUri), conf)

}

So far, this approach is not successful. I always get some exceptions:
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
        ... 31 more
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for
        at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
        at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
        ... 38 more


I noticed that in Hadoop 2.0.3, there is a new API called
getUGIFromTicketCache(String ticketCache, String user) to pass the ticket
cache to UGI.
But in Hadoop 1.2, there is no such method.
Does anyone know how to use the ticket cache to create a UserGroupInformation?

Thanks a lot.
Lin
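
An added example, not part of the original post and not Hadoop code: a JDK-only JAAS login that reads the TGT from the ticket cache named by KRB5CCNAME (step 3 above) through Krb5LoginModule with useTicketCache, which is the kind of login module entry the "No LoginModules configured" exception reports as missing. The class name, the entry name "ticket-cache-login" and the helper methods are hypothetical, and whether Hadoop 1.2 will use the resulting Subject is not shown here.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TicketCacheLogin {            // hypothetical class name
    // KRB5CCNAME may carry a "FILE:" type prefix; the ticketCache option takes a plain path.
    static String cachePath(String krb5ccname) {
        return krb5ccname.startsWith("FILE:") ? krb5ccname.substring(5) : krb5ccname;
    }

    // In-memory JAAS configuration: one Krb5LoginModule entry that only reads the cache.
    static Configuration ticketCacheConfig(String ticketCache) {
        Map<String, String> options = new HashMap<String, String>();
        options.put("useTicketCache", "true");
        options.put("ticketCache", ticketCache);
        options.put("doNotPrompt", "true");   // fail instead of prompting; no callback handler needed
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
        };
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries;
            }
        };
    }

    static Subject login(String ticketCache) throws LoginException {
        LoginContext ctx = new LoginContext("ticket-cache-login", new Subject(),
                null, ticketCacheConfig(ticketCache));
        ctx.login();   // throws LoginException if the cache is missing or holds no usable TGT
        return ctx.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        String ccname = System.getenv("KRB5CCNAME");
        if (ccname == null) throw new IllegalStateException("KRB5CCNAME is not set");
        Subject subject = login(cachePath(ccname));
        System.out.println("Principals: " + subject.getPrincipals());
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            System.out.println(t.getServer() + " valid until " + t.getEndTime());
        }
    }
}
```

Run it after kinit as the same user; a LoginException here means the JVM cannot read a usable TGT from that cache path at all, independent of any Hadoop configuration.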