Troubleshooting Kerberos Errors
Here are troubleshooting guidelines for Kerberos errors.
HDFS commands fail with Kerberos errors even though Kerberos authentication is successful in the web application
If Kerberos authentication is successful in the web application, and
the output of klist
in the engine reveals a
valid-looking TGT, but commands such as hdfs dfs -ls
/
still fail with a Kerberos error, it is possible that
your cluster is missing the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy File. The JCE policy
file is required when Red Hat uses AES-256 encryption. This library
should be installed on each cluster host and will live under
$JAVA_HOME
. For more information, see Using AES-256 Encryption.
Cannot find renewable Kerberos TGT
WARN
or lower, you may see
exceptions such
as:16/12/24 16:38:40 WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Resource temporarily unavailable while renewing credentials
16/12/24 16:41:23 WARN security.UserGroupInformation: PriviledgedActionException as:user@CLOUDERA.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
This is not a bug. Spark 2 workloads will not be affected by this. Access to Kerberized resources should also work as expected.