Troubleshooting Kerberos Errors
This topic describes some common Kerberos issues and their recommended solutions.
HDFS commands fail with Kerberos errors even though Kerberos authentication is successful in the web application
If Kerberos authentication is successful in the web
application, and the output of klist
in the engine reveals a valid-looking TGT, but
commands such as hdfs dfs -ls
/
still fail with a Kerberos error, it is possible that your
cluster is missing the Java Cryptography
Extension (JCE) Unlimited Strength Jurisdiction Policy File.
The JCE policy file is required when Red Hat uses AES-256 encryption.
This library should be installed on each cluster host and will live
under $JAVA_HOME
. For
more information, see Using AES-256
Encryption.
Cannot find renewable Kerberos TGT
WARN
or lower, you may see exceptions such
as:16/12/24 16:38:40 WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Resource temporarily unavailable while renewing credentials
16/12/24 16:41:23 WARN security.UserGroupInformation: PriviledgedActionException as:user@CLOUDERA.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
This is not a bug. Spark 2 workloads will not be affected by this. Access to Kerberized resources should also work as expected.