HBase SQL statement fails with Insufficient permissions for user

ISSUE: The error below comes up when creating a new HBase table.

    hbase(main):001:0> create 'anoop','cf1'
    ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions for user 'anoop' (global, action=CREATE)
        at org.apache.hadoop.hbase.security.access.AccessController.requirePermission(AccessController.java:426)
        at org.apache.hadoop.hbase.security.access.AccessController.preCreateTable(AccessController.java:563)

Solution: Once the cluster has been secured, a user has to authenticate to Kerberos by running kinit. By default, hbase is a superuser who was …


Steps to use security enabled kafka

Steps to use Kerberos security enabled Kafka are below.

Set Inter Broker Protocol to SASL_PLAINTEXT in Cloudera Manager.

Create a jaas.conf file with the following contents to use with cached Kerberos credentials.

For kinit

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true;
    };

For keytab

    KafkaClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        keyTab="/etc/security/keytabs/username.keytab"
        principal="username@realm";
    };

In the above jaas.conf file the user's …

Creating multiple spark sessions in kerberos enabled cluster throws error

ISSUE: Creating multiple Spark sessions in a Kerberos enabled cluster throws the error below.

    Py4JJavaError: An error occurred while calling None.org.apache.spark.api.java.JavaSparkContext.
    : org.apache.hadoop.ipc.RemoteException(java.io.IOException): Delegation Token can be issued only with kerberos or web authentication
        at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:7519)
        at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getDelegationToken(NameNodeRpcServer.java:548)

Solution: Use the keytab and principal within the Spark code as below.

    spark = SparkSession\
        .builder\
        .appName('asdf')\
        …


How to generate kerberos keytabs

For AD accounts

1. From shell

    # ktutil

2. Add an entry as below

    ktutil: addent -password -p username@realm.com -k 1 -e RC4-HMAC
    ktutil: wkt username.keytab
    ktutil: q

For FreeIPA accounts

Use the below command

    # ipa-getkeytab -s ipa.host.com -p username@realm.com --keytab=username.keytab --password

Try kinit using the keytab as below

    # kinit username@realm.com -k -t username.keytab

Note: Change the username accordingly.


Crontab not working for kerberized hadoop

ISSUE:- Cronjobs not working for kerberos enabled hadoop. Throwing below error.

    ERROR tool.ImportTool: Encountered IOException running import job: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)];

Solution:- This is because there is no TTY, Profile setup for the …


Kerberos commands usage

Enter the kadmin console

    # kadmin.local

Adding Principal to a Keytab File

    kadmin.local : ktadd -k /etc/krb5/anoop.keytab sherlock

Removing a principal from keytab

    kadmin.local : ktremove host/denver.example.com@EXAMPLE.COM

Adding principal

    addprinc -randkey $primary_name/$fully.qualified.domain.name@EXAMPLE.COM

To list all of the entries in the etc/krb5/my_keytab key table with timestamps, type:

    klist -t -k etc/krb5/my_keytab

Create the hdfs keytab file, which contains an …