Issues with Kerberos authentication through Keytab in Java

I'm trying to connect to a Kerberos-secured Hadoop cluster from my local machine using Java.

Here's what I've tried to do:

public static void hbase() throws IOException {
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    final Configuration hBaseConfig = HBaseConfiguration.create();
    hBaseConfig.setInt("timeout", 120000);
    hBaseConfig.set("hbase.zookeeper.quorum", <zookeeper_quorum_address>);
    hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
    hBaseConfig.set("hadoop.security.authentication", "kerberos");
    hBaseConfig.set("hbase.security.authentication", "kerberos");
    hBaseConfig.set("hbase.master.kerberos.principal", <kerberos.hbase.principal>);
    hBaseConfig.set("hbase.regionserver.kerberos.principal", <kerberos.hbase.principal>);
    hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
    hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
    UserGroupInformation.setConfiguration(hBaseConfig);
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(<principalName>,
            path_to_keytab_on_local_fs);
}

I obtained the values for the ZooKeeper quorum, HBase principal, etc. from my cluster administrator, so I'm fairly certain that they are accurate. I've also verified my keytab by using it to obtain a ticket using kinit on the cluster.

Here is the error trace:

Exception in thread "main" java.io.IOException: Login failure for <principal> from keytab <path_to_keytab_on_local_fs>
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
at Kerberos.KerberosAuthentication.App.main(App.java:15)
Caused by: javax.security.auth.login.LoginException: null (68)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
... 2 more
Caused by: KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 18 more

I've also tried an alternate approach, replacing UserGroupInformation with SecurityUtil:

SecurityUtil.login(hBaseConfig, <keytab>, <principal name>);

SecurityUtil.doAsCurrentUser(new PrivilegedExceptionAction<Void>() {
    .............
});

With this approach, the console output says Session Established, but beyond that the execution just keeps continuing, without any logs/console output, and I have to force-terminate it.

I would really appreciate some insight to help resolve this.

You can try something like:

System.setProperty("java.security.krb5.conf", "/etc/krb5.conf")
System.setProperty("sun.security.krb5.debug", "true")

hbaseConf = HBaseConfiguration.create()
hbaseConf.set("hbase.connection.timeout", "5000")
hbaseConf.set("zookeeper.znode.parent", "/hbase")
hbaseConf.set("hbase.zookeeper.quorum", zkQuorum)
hbaseConf.set("hbase.zookeeper.property.clientPort", zkPort)
hbaseConf.set("hbase.client.retries.number", Integer.toString(1))
hbaseConf.set("zookeeper.session.timeout", Integer.toString(60000))
hbaseConf.set("zookeeper.recovery.retry", Integer.toString(1))
hbaseConf.addResource(new Path(System.getenv("PWD") + "/" + "core-site.xml"))
hbaseConf.addResource(new Path(System.getenv("PWD") + "/" + "hbase-site.xml"))
hbaseConf.set("hbase.rpc.controllerfactory.class", "org.apache.hadoop.hbase.ipc.RpcControllerFactory")
hbaseConf.set("hadoop.security.authentication", "kerberos")
hbaseConf.set("hbase.security.authentication", "kerberos")
hbaseConf.set("hbase.master.kerberos.principal", masterKerberosPrincipal)
hbaseConf.set("hbase.regionserver.kerberos.principal", regionServerKerberosPrincipal)

UserGroupInformation.setConfiguration(hbaseConf)

val loggedUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, localPath.toString)

loggedUGI.doAs(new PrivilegedAction[Void] {
    override def run() = {
        val connection = getConnection()
        val table = getTable(connection, fullTableName)
        try {
            // .... HBASE STUFF
        } finally {
            table.close()
            connection.close()
        }
        null
    }
})
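
A standalone pre-flight check, added here as an example (it is not code from the question or the answer): it sets the two system properties shown in the answer, confirms that the keytab holds keys for the exact principal, and then performs the keytab login through JAAS with no Hadoop classes involved, so a failure here points at the local Kerberos client setup rather than at the HBase settings. The class name `KeytabPreflight` and the three command-line arguments are assumptions.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Added example: class name and argument order are assumptions, not from the page.
public class KeytabPreflight {
    // Usage: java KeytabPreflight <krb5.conf> <keytab> <principal@REALM>
    public static void main(String[] args) throws Exception {
        String krb5Conf = args[0], keytabPath = args[1], principal = args[2];
        // Set before any Kerberos class loads its configuration.
        System.setProperty("java.security.krb5.conf", krb5Conf);
        System.setProperty("sun.security.krb5.debug", "true");
        if (!new File(krb5Conf).canRead())
            throw new IllegalStateException("cannot read " + krb5Conf);

        // Step 1: the keytab must hold keys for this exact principal, realm included.
        KerberosPrincipal kp = new KerberosPrincipal(principal);
        KerberosKey[] keys = KeyTab.getInstance(new File(keytabPath)).getKeys(kp);
        if (keys.length == 0)
            throw new IllegalStateException("no keys for " + kp + " in " + keytabPath);
        for (KerberosKey k : keys) // metadata only; key bytes are never printed
            System.out.println("kvno=" + k.getVersionNumber() + " alg=" + k.getAlgorithm());

        // Step 2: keytab-only AS exchange via JAAS, no ticket cache, no prompting.
        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("principal", principal);
        opts.put("useTicketCache", "false");
        opts.put("doNotPrompt", "true");
        Configuration jaas = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("preflight", new Subject(), null, jaas);
        lc.login(); // throws LoginException carrying the KDC error code on failure
        System.out.println("TGT obtained for " + lc.getSubject().getPrincipals());
    }
}
```

In RFC 4120, KDC error code 68 is KDC_ERR_WRONG_REALM, so if this check fails the same way as the trace in the question, compare the realm in the principal with the realms and KDCs defined in the krb5.conf that is actually being loaded.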
