Troubleshooting Kerberos issues
This topic describes some common Kerberos issues and their recommended solutions.
HDFS commands fail with Kerberos errors even though Kerberos authentication is successful in the web application
If Kerberos authentication is successful in the web application, and the
output of klist
in the engine reveals a
valid-looking TGT, but commands such as hdfs dfs -ls
/
still fail with a Kerberos error, it is possible that your cluster is missing
the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy File. The JCE policy file is required when
Red Hat uses AES-256 encryption. This library shall be installed on each cluster host and
will live under $JAVA_HOME
. For more
information, see Using AES-256 Encryption.
Cannot find renewable Kerberos TGT
WARN
or lower, you may see exceptions such
as:16/12/24 16:38:40 WARN security.UserGroupInformation: Exception encountered while running the renewal command. Aborting renew thread. ExitCodeException exitCode=1: kinit: Resource temporarily unavailable while renewing credentials
16/12/24 16:41:23 WARN security.UserGroupInformation: PriviledgedActionException as:user@CLOUDERA.LOCAL (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
This is not a bug. Spark 2 workloads will not be affected by this. Access to Kerberized resources should also work as expected.