UNIm95 / SEBC


Security Lab #5

Open UNIm95 opened 7 years ago

UNIm95 commented 7 years ago

I am stuck on the Security lab.

While making the lab for Kerberos I followed the given guide. Everything was fine.

Before Step 9 I tested cloudera-scm@UNIM95.COM with kinit and klist.

Test from master node.

[root@ip-10-0-0-253 ~]# kinit cloudera-scm 
Password for cloudera-scm@UNIM95.COM: 
[root@ip-10-0-0-253 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: cloudera-scm@UNIM95.COM

Valid starting       Expires              Service principal
17.11.2016 16:47:40  18.11.2016 16:47:40  krbtgt/UNIM95.COM@UNIM95.COM
        renew until 24.11.2016 16:47:40

Test from one of datanodes

[centos@ip-10-0-0-254 ~]$ kinit cloudera-scm
Password for cloudera-scm@UNIM95.COM: 
[centos@ip-10-0-0-254 ~]$ klist 
Ticket cache: KEYRING:persistent:1000:1000
Default principal: cloudera-scm@UNIM95.COM

Valid starting       Expires              Service principal
17.11.2016 16:48:38  18.11.2016 16:48:38  krbtgt/UNIM95.COM@UNIM95.COM
    renew until 24.11.2016 16:48:38

As you can see, I have a working user (principal) for Cloudera Manager.

Step 9 ran without problems. Cloudera Manager also added its own principals:

kadmin.local:  listprincs
HTTP/ip-10-0-0-250.ec2.internal@UNIM95.COM
HTTP/ip-10-0-0-251.ec2.internal@UNIM95.COM
HTTP/ip-10-0-0-252.ec2.internal@UNIM95.COM
HTTP/ip-10-0-0-253.ec2.internal@UNIM95.COM
HTTP/ip-10-0-0-254.ec2.internal@UNIM95.COM
K/M@UNIM95.COM
centos/admin@UNIM95.COM
centos@UNIM95.COM
cetos@UNIM95.COM
cloudera-scm@UNIM95.COM
hdfs/ip-10-0-0-250.ec2.internal@UNIM95.COM
hdfs/ip-10-0-0-251.ec2.internal@UNIM95.COM
hdfs/ip-10-0-0-252.ec2.internal@UNIM95.COM
hdfs/ip-10-0-0-253.ec2.internal@UNIM95.COM
hdfs/ip-10-0-0-254.ec2.internal@UNIM95.COM
hive/ip-10-0-0-253.ec2.internal@UNIM95.COM
httpfs/ip-10-0-0-251.ec2.internal@UNIM95.COM
httpfs/ip-10-0-0-252.ec2.internal@UNIM95.COM
hue/ip-10-0-0-250.ec2.internal@UNIM95.COM
kadmin/admin@UNIM95.COM
kadmin/changepw@UNIM95.COM
kadmin/ip-10-0-0-253.ec2.internal@UNIM95.COM
kiprop/ip-10-0-0-253.ec2.internal@UNIM95.COM
krbtgt/UNIM95.COM@UNIM95.COM
mapred/ip-10-0-0-252.ec2.internal@UNIM95.COM
oozie/ip-10-0-0-252.ec2.internal@UNIM95.COM
yarn/ip-10-0-0-250.ec2.internal@UNIM95.COM
yarn/ip-10-0-0-251.ec2.internal@UNIM95.COM
yarn/ip-10-0-0-252.ec2.internal@UNIM95.COM
yarn/ip-10-0-0-253.ec2.internal@UNIM95.COM
yarn/ip-10-0-0-254.ec2.internal@UNIM95.COM
zookeeper/ip-10-0-0-250.ec2.internal@UNIM95.COM
zookeeper/ip-10-0-0-251.ec2.internal@UNIM95.COM
zookeeper/ip-10-0-0-254.ec2.internal@UNIM95.COM

I tried the simple command hdfs dfs -ls / with different principals without any success.

Every time I get the same message with other users (principals):

16/11/18 01:01:14 WARN security.UserGroupInformation: PriviledgedActionException as:centos (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 WARN security.UserGroupInformation: PriviledgedActionException as:centos (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 WARN security.UserGroupInformation: PriviledgedActionException as:centos (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 WARN security.UserGroupInformation: PriviledgedActionException as:centos (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
16/11/18 01:01:14 INFO retry.RetryInvocationHandler: Exception while invoking getFileInfo of class ClientNamenodeProtocolTranslatorPB over ip-10-0-0-253.ec2.internal/10.0.0.253:8020 after 1 fail over attempts. Trying to fail over immediately.
java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "ip-10-0-0-253.ec2.internal/10.0.0.253"; destination host is: "ip-10-0-0-253.ec2.internal":8020;

I cannot do anything else with the cluster.

It is fully stuck.

UNIm95 commented 7 years ago

CentOS 7.2 by default uses KEYRING to store Kerberos credentials. But KEYRING is not supported by Hadoop.
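
A way to check for the condition described in this comment, as an added example that is not part of the original thread: it works out which credential cache a node will use and whether a Hadoop client can read it. The function names and the sample krb5.conf text are constructed for illustration; the script assumes MIT krb5 semantics (KRB5CCNAME overrides default_ccache_name, and an unset default is FILE:/tmp/krb5cc_%{uid}).

```shell
#!/bin/sh
# Classify a Kerberos credential cache for use by Hadoop's Java client.
# SAMPLE_CONF is constructed sample input, not a file from the thread.
SAMPLE_CONF='[libdefaults]
 default_realm = UNIM95.COM
 default_ccache_name = KEYRING:persistent:%{uid}'

# Cache type prefix; MIT krb5 treats a name without "TYPE:" as a FILE cache.
ccache_type() {
    case "$1" in
        /*)  echo FILE ;;
        *:*) echo "${1%%:*}" ;;
        *)   echo FILE ;;
    esac
}

# Read krb5.conf text on stdin; print the active (uncommented) default_ccache_name.
conf_ccache_name() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' | tail -n 1
}

# Read `klist` output on stdin; print the cache it reports.
klist_ccache_name() {
    sed -n 's/^Ticket cache: //p'
}

# $1 = KRB5CCNAME (may be empty), $2 = krb5.conf text. KRB5CCNAME wins; with
# neither set, MIT krb5 falls back to FILE:/tmp/krb5cc_%{uid}.
effective_ccache() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    name=$(printf '%s\n' "$2" | conf_ccache_name)
    if [ -z "$name" ]; then name='FILE:/tmp/krb5cc_%{uid}'; fi
    printf '%s\n' "$name"
}

# ok = file cache the JVM can read; unsupported = KEYRING (the case in this
# thread); unverified = any other type, not assessed here.
hadoop_verdict() {
    case "$(ccache_type "$1")" in
        FILE)    echo ok ;;
        KEYRING) echo unsupported ;;
        *)       echo unverified ;;
    esac
}

cache=$(effective_ccache "" "$SAMPLE_CONF")
echo "effective cache: $cache -> $(hadoop_verdict "$cache")"
```

On a real node, `klist | klist_ccache_name` gives the cache actually in use. Commenting out the KEYRING default in /etc/krb5.conf, or exporting KRB5CCNAME with a FILE: path before running kinit, yields a cache the verdict function reports as ok.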