Troubleshooting Kerberos Errors
This topic describes some common Kerberos issues and their recommended solutions.
HDFS commands fail with Kerberos errors even though Kerberos authentication is successful in the web application
If Kerberos authentication is successful in the web
application, and the output of
klist in the engine reveals a valid-looking TGT, but
commands such as
hdfs dfs -ls
/ still fail with a Kerberos error, it is possible that your
cluster is missing the Java Cryptography
Extension (JCE) Unlimited Strength Jurisdiction Policy File.
The JCE policy file is required when Red Hat uses AES-256 encryption.
This library should be installed on each cluster host and will live
more information, see Using AES-256
Cannot find renewable Kerberos TGT
WARNor lower, you may see exceptions such as:
16/12/24 16:38:40 WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Resource temporarily unavailable while renewing credentials 16/12/24 16:41:23 WARN security.UserGroupInformation: PriviledgedActionException as:user@CLOUDERA.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
This is not a bug. Spark 2 workloads will not be affected by this. Access to Kerberized resources should also work as expected.