Thanks Saisai and Ted,
I have already configured HBase security and it's working fine. I have also
done kinit before submitting the job. Following is the code I'm trying to use:
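
import java.security.PrivilegedExceptionAction
import org.apache.hadoop.fs.Path
import org.apache.hadoop.hbase.HBaseConfiguration
import org.apache.hadoop.hbase.mapreduce.TableInputFormat
import org.apache.hadoop.security.UserGroupInformation
import org.apache.spark.{SparkConf, SparkContext}

// Point the JVM at the Kerberos config and the JAAS config used by the ZooKeeper client
System.setProperty("java.security.krb5.conf", "/etc/krb5.conf")
System.setProperty("java.security.auth.login.config", "/etc/hbase/conf/zk-jaas.conf")

// HBase client configuration with Kerberos authentication enabled
val hconf = HBaseConfiguration.create()
val tableName = "emp"
hconf.set("hbase.zookeeper.quorum", "hadoop-master")
hconf.set(TableInputFormat.INPUT_TABLE, tableName)
hconf.set("hbase.zookeeper.property.clientPort", "2181")
hconf.set("hadoop.security.authentication", "kerberos")
hconf.set("hbase.security.authentication", "kerberos")
hconf.addResource(new Path("/etc/hbase/conf/core-site.xml"))
hconf.addResource(new Path("/etc/hbase/conf/hbase-site.xml"))

// Log in from the keytab in this JVM and make that the process-wide login user
UserGroupInformation.setConfiguration(hconf)
val keyTab = "/etc/hadoop/conf/spark.keytab"
val ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
  "spark/hadoop-master@platalyticsrealm", keyTab)
UserGroupInformation.setLoginUser(ugi)

// Create the SparkContext and read the table as the keytab principal
ugi.doAs(new PrivilegedExceptionAction[Void]() {
  override def run(): Void = {
    val conf = new SparkConf
    val sc = new SparkContext(conf)
    // Distribute the keytab file to every node that runs this job
    sc.addFile(keyTab)
    val hBaseRDD = sc.newAPIHadoopRDD(hconf, classOf[TableInputFormat],
      classOf[org.apache.hadoop.hbase.io.ImmutableBytesWritable],
      classOf[org.apache.hadoop.hbase.client.Result])
    println("Number of Records found : " + hBaseRDD.count())
    // Print the row key of every record
    hBaseRDD.foreach(x => {
      println(new String(x._2.getRow()))
    })
    sc.stop()
    null
  }
})
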
Please have a look.
Thanks
On Mon, Aug 8, 2016 at 9:34 AM, Ted Yu <[email protected]> wrote:
> The link in Jerry's response was quite old.
>
> Please see:
> http://hbase.apache.org/book.html#security
>
> Thanks
>
> On Sun, Aug 7, 2016 at 6:55 PM, Saisai Shao <[email protected]>
> wrote:
>
>> 1. Standalone mode doesn't support accessing kerberized Hadoop, simply
>> because it lacks the mechanism to distribute delegation tokens via cluster
>> manager.
>> 2. For the HBase token fetching failure, I think you have to do kinit to
>> generate a TGT before starting the Spark application (
>> http://hbase.apache.org/0.94/book/security.html).
>>
>> On Mon, Aug 8, 2016 at 12:05 AM, Aneela Saleem <[email protected]>
>> wrote:
>>
>>> Thanks Wojciech and Jacek!
>>>
>>> I tried with Spark on YARN with a kerberized cluster; it works fine now.
>>> But now when I try to access HBase through Spark I get the following error:
>>>
>>> 2016-08-07 20:43:57,617 WARN [hconnection-0x24b5fa45-metaLookup-shared--pool2-t1] ipc.RpcClientImpl: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>>> 2016-08-07 20:43:57,619 ERROR [hconnection-0x24b5fa45-metaLookup-shared--pool2-t1] ipc.RpcClientImpl: SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.
>>> javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
>>>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
>>>     at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:617)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:162)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:743)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:740)
>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>     at javax.security.auth.Subject.doAs(Subject.java:415)
>>>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1657)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:740)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:906)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:873)
>>>     at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1241)
>>>     at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
>>>     at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
>>>     at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.scan(ClientProtos.java:34094)
>>>     at org.apache.hadoop.hbase.client.ClientSmallScanner$SmallScannerCallable.call(ClientSmallScanner.java:201)
>>>     at org.apache.hadoop.hbase.client.ClientSmallScanner$SmallScannerCallable.call(ClientSmallScanner.java:180)
>>>     at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithoutRetries(RpcRetryingCaller.java:210)
>>>     at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:360)
>>>     at org.apache.hadoop.hbase.client.ScannerCallableWithReplicas$RetryingRPC.call(ScannerCallableWithReplicas.java:334)
>>>     at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithRetries(RpcRetryingCaller.java:136)
>>>     at org.apache.hadoop.hbase.client.ResultBoundedCompletionService$QueueingFuture.run(ResultBoundedCompletionService.java:65)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>>     at java.lang.Thread.run(Thread.java:745)
>>> Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
>>>     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
>>>     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:121)
>>>     at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
>>>     at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:223)
>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
>>>     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
>>>     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:193)
>>>     ... 25 more
>>>
>>>
>>
>
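
A pre-flight check for the credentials this thread relies on (a TGT from kinit, and the keytab and principal named in the code above), as an added example that is not part of any poster's message. It assumes MIT Kerberos `klist` and GNU `stat` on the submitting host; the function names and the sample `klist -kt` listing are constructed for illustration.

```shell
# Constructed sample of `klist -kt <keytab>` output, used for offline testing.
SAMPLE_KLIST_KT='Keytab name: FILE:/etc/hadoop/conf/spark.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 08/01/2016 10:15:02 spark/hadoop-master@platalyticsrealm
   2 08/01/2016 10:15:02 HTTP/hadoop-master@platalyticsrealm'

# keytab_has_principal PRINCIPAL: reads `klist -kt` output on stdin.
# Compares the last field exactly, so a principal without its realm
# (or a prefix of another principal) does not count as a match.
keytab_has_principal() {
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# mode_is_private MODE: true if the octal mode (as printed by
# `stat -c %a`) grants no permission bits to group or other.
mode_is_private() {
  case "$1" in
    [0-7]00|0[0-7]00) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight KEYTAB PRINCIPAL: run on the submitting host before spark-submit.
# Reports every failed check instead of stopping at the first one.
preflight() {
  keytab=$1; principal=$2; rc=0
  # `klist -s` is silent and exits non-zero if the cache is missing or expired.
  klist -s || { echo "no valid TGT in ticket cache; run kinit" >&2; rc=1; }
  klist -kt "$keytab" | keytab_has_principal "$principal" \
    || { echo "$principal not found in $keytab" >&2; rc=1; }
  mode_is_private "$(stat -c '%a' "$keytab")" \
    || { echo "$keytab is accessible to group/other" >&2; rc=1; }
  return $rc
}

# Example invocation with the values from the code in this thread:
#   preflight /etc/hadoop/conf/spark.keytab spark/hadoop-master@platalyticsrealm
```

These checks only cover the host where they run; they say nothing about whether other nodes of the cluster hold usable credentials.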