Environment:
- Java 8
- Kerberos
- HTTP/SPNEGO
Issue:
- The Java stack trace reports that no Kerberos ticket (TGT) was found.
- The endpoint requires HTTP/SPNEGO authentication with Kerberos.
    Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:360)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:204)
        ... 63 more
    Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:336)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:310)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:310)
        ... 64 more
Resolution:
- Create a block in the JAAS configuration file with the entry name com.sun.security.jgss.krb5.initiate:

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/security/keytabs/spnego_client.keytab"
        principal="spnego_client/node-01.cluster@EXAMPLE.COM";
    };

- The location of the JAAS configuration file varies depending on how Data Collector is set up.
- It is the same JAAS configuration file that is used to configure LDAP and Kafka security.
- Examples of where the JAAS configuration file could be:
  - Specified via Java options: -Djava.security.auth.login.config=<JAAS config path>/client_jaas.conf
  - $SDC_CONF/ldap-login.conf
  - Cloudera Manager: Data Collector Advanced Configuration Snippet (Safety Valve) for generated-ldap-login-append.conf
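
A pre-flight check for the entry above, as an added example that is not part of the original article or of StreamSets' code: it loads a JAAS file with the JDK's own parser, confirms the com.sun.security.jgss.krb5.initiate entry exists, and checks that its keytab is readable and not exposed to other users. The class name JaasSpnegoCheck and the expectation of an explicit keyTab path are assumptions of this example; run it as the same OS user as Data Collector.

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.URIParameter;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

// Added example (hypothetical helper, not StreamSets code). Java 8 compatible.
public class JaasSpnegoCheck {
    static final String ENTRY = "com.sun.security.jgss.krb5.initiate";

    public static void main(String[] args) throws Exception {
        if (args.length != 1)
            throw new IllegalArgumentException("usage: java JaasSpnegoCheck <JAAS config file>");
        // Parse with the JDK's own JAAS parser, so a syntax error (for example a
        // missing ';' after the closing brace) raises an exception here.
        Configuration conf = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(new File(args[0]).toURI()));
        AppConfigurationEntry[] entries = conf.getAppConfigurationEntry(ENTRY);
        if (entries == null || entries.length == 0)
            throw new IllegalStateException("no JAAS entry named " + ENTRY);
        boolean ok = true;
        for (AppConfigurationEntry e : entries) {
            Map<String, ?> opts = e.getOptions();
            System.out.println("module=" + e.getLoginModuleName() + " principal=" + opts.get("principal"));
            if (!"true".equalsIgnoreCase(String.valueOf(opts.get("useKeyTab"))) || opts.get("keyTab") == null) {
                System.err.println("FAIL: expected useKeyTab=true with an explicit keyTab path");
                ok = false;
                continue;
            }
            Path keytab = new File(String.valueOf(opts.get("keyTab"))).toPath();
            if (!Files.isReadable(keytab)) {
                System.err.println("FAIL: keytab not readable by this user: " + keytab);
                ok = false;
                continue;
            }
            // A keytab is a long-term credential: flag group/world read access (POSIX file systems only).
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ))
                System.err.println("WARN: keytab readable beyond its owner: " + perms);
        }
        System.exit(ok ? 0 : 1);
    }
}
```
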
References:
- https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html
- https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part6.html
- https://streamsets.com/documentation/datacollector/latest/help/datacollector/UserGuide/Configuration/Authentication.html
- https://streamsets.com/documentation/datacollector/latest/help/datacollector/UserGuide/Pipeline_Configuration/KafkaSecurity.html