alluxio.master.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.master.principal=hdfs/<_HOST>@<REALM>
alluxio.worker.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.worker.principal=hdfs/<_HOST>@<REALM>
I tried introduce alluxio to speed up the processing, our HDFS need kerberos auth. There are quite a few kinds of kerberos configuration re kerberos on Alluxio. From official site, it documented to create a config file named alluxio-site.properties with params:
alluxio.master.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.master.principal=hdfs/<_HOST>@<REALM>
alluxio.worker.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.worker.principal=hdfs/<_HOST>@<REALM>my config file is like:alluxio.master.keytab.file=/root/hdfs.keytab
alluxio.master.principal=hdfs@SAIC.COMalluxio.worker.keytab.file=/root/hdfs.keytaballuxio.worker.principal=hdfs@SAIC.COM
Does not work.Others config from web:Add java opts into alluxio-env.sh
ALLUXIO_JAVA_OPTS+="-Djava.security.krb5.realm=SAIC.COM-Djava.security.krb5.kdc=10.32.47.201:88-Dalluxio.master.keytab.file=file:///root/mxsdev.keytab
-Dalluxio.master.principal=mxsd...@SAIC.COM-Dalluxio.worker.keytab.file=file:///root/mxsdev.keytab-Dalluxio.worker.principal=mxsd...@SAIC.COM"
--
You received this message because you are subscribed to the Google Groups "Alluxio Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to alluxio-users+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Hi,The error is due to no Kerberos name rules applied to hd...@SAIC.COM.By default Hadoop takes the full Kerberos principal with the format: <NAME>/<_HOST>@<REALM>Can you please try to use the principal name with "/<_HOST>" field? e.g. hdfs/<your_host_name_here>@SAIC.COMHope this helps,Chaomin
On Wed, Sep 7, 2016 at 6:56 AM, Hakata J <tanshe...@163.com> wrote:
BTW: I am using CDH 5.7, Alluxio 1.2
在 2016年9月7日星期三 UTC+8下午9:55:19,Hakata J写道:
I tried introduce alluxio to speed up the processing, our HDFS need kerberos auth. There are quite a few kinds of kerberos configuration re kerberos on Alluxio. From official site, it documented to create a config file named alluxio-site.properties with params:
alluxio.master.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.master.principal=hdfs/<_HOST>@<REALM>
alluxio.worker.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.worker.principal=hdfs/<_HOST>@<REALM>my config file is like:alluxio.master.keytab.file=/root/hdfs.keytab
alluxio.master.principal=hd...@SAIC.COMalluxio.worker.keytab.file=/root/hdfs.keytaballuxio.worker.principal=hd...@SAIC.COM
To unsubscribe from this group and stop receiving emails from it, send an email to alluxio-user...@googlegroups.com.
Hi,
The error is due to no Kerberos name rules applied to hd...@SAIC.COM.By default Hadoop takes the full Kerberos principal with the format: <NAME>/<_HOST>@<REALM>Can you please try to use the principal name with "/<_HOST>" field? e.g. hdfs/<your_host_name_here>@SAIC.COMHope this helps,Chaomin
On Wed, Sep 7, 2016 at 6:56 AM, Hakata J <tanshe...@163.com> wrote:
BTW: I am using CDH 5.7, Alluxio 1.2
在 2016年9月7日星期三 UTC+8下午9:55:19,Hakata J写道:
I tried introduce alluxio to speed up the processing, our HDFS need kerberos auth. There are quite a few kinds of kerberos configuration re kerberos on Alluxio. From official site, it documented to create a config file named alluxio-site.properties with params:
alluxio.master.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.master.principal=hdfs/<_HOST>@<REALM>
alluxio.worker.keytab.file=<YOUR_HDFS_KEYTAB_FILE_PATH>
alluxio.worker.principal=hdfs/<_HOST>@<REALM>my config file is like:alluxio.master.keytab.file=/root/hdfs.keytab
alluxio.master.principal=hd...@SAIC.COMalluxio.worker.keytab.file=/root/hdfs.keytaballuxio.worker.principal=hd...@SAIC.COM
To unsubscribe from this group and stop receiving emails from it, send an email to alluxio-user...@googlegroups.com.
BTW: It confused to me that the kerberos configure should be on alluxio server side(include master and worker), or should be passed from alluxio client. As the document says that: "If you use Alluxio shell, you can add to ALLUXIO_JAVA_OPTS in conf/alluxio-env.sh. ALLUXIO_JAVA_OPTS+=" -Djava.security.krb5.realm=<YOUR_KERBEROS_REALM> -Djava.security.krb5.kdc=<YOUR_KERBEROS_KDC_ADDRESS>", it seem that the kerberos configuration should be on client side. Isnt it? Or it mean that, alluxio server side should use kerberos user "HDFS" and client also need pass it own kerberos user?
在 2016年9月18日星期日 UTC+8下午5:23:18,Hakata J写道:I change the alluxio-env.sh like this:export ALLUXIO_JAVA_OPTS+="-Djava.security.krb5.realm=SAIC.COM-Djava.security.krb5.kdc=10.32.47.201:88-Dalluxio.master.keytab.file=/root/hdfs.keytab-Dalluxio.master.principal=hdfs/saic...@SAIC.COM-Dalluxio.worker.keytab.file=/root/hdfs.keytab-Dalluxio.worker.principal=hdfs/saic...@SAIC.COM"
it throws out the error as the same:Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name hd...@SAIC.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hd...@SAIC.COMat org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:199)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:606)at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)at java.security.AccessController.doPrivileged(Native Method)at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)at javax.security.auth.login.LoginContext.login(LoginContext.java:596)at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:812)... 17 moreCaused by: java.lang.IllegalArgumentException: Illegal principal name hd...@SAIC.COM: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to hd...@SAIC.COM
To unsubscribe from this group and stop receiving emails from it, send an email to alluxio-users+unsubscribe@googlegroups.com.