Apache
/
hbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

HBASE-6077. Document the most common secure RPC troubleshooting resolutions 

git-svn-id: https://svn.apache.org/repos/asf/hbase/trunk@1342104 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Andrew Kyle Purtell 2012-05-24 00:30:46 +00:00
parent 6db2eedc9b
commit 44ddcab9a7
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/docbkx/troubleshooting.xml
View File

@ -605,6 +605,28 @@ invocation of the admin API.
</para>
</section>
<section xml:id="trouble.client.security.rpc">
<title>Secure Client Cannot Connect ([Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)])</title>
<para>
There can be several causes that produce this symptom.
</para>
<para>
First, check that you have a valid Kerberos ticket. One is required in order to set up communication with a secure HBase cluster. Examine the ticket currently in the credential cache, if any, by running the <tt>klist</tt> command line utility. If no ticket is listed, you must obtain a ticket by running the <tt>kinit</tt> command with either a keytab specified, or by interactively entering a password for the desired principal.
</para>
<para>
Then, consult the <a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html">Java Security Guide troubleshooting section</a>. The most common problem addressed there is resolved by setting <tt>javax.security.auth.useSubjectCredsOnly</tt> system property value to <tt>false</tt>.
</para>
<para>
Because of a change in the format in which MIT Kerberos writes its credentials cache, there is a bug in the Oracle JDK 6 Update 26 and earlier that causes Java to be unable to read the Kerberos credentials cache created by versions of MIT Kerberos 1.8.1 or higher. If you have this problematic combination of components in your environment, to work around this problem, first log in with <tt>kinit</tt> and then immediately refresh the credential cache with <tt>kinit -R</tt>. The refresh will rewrite the credential cache without the problematic formatting.
</para>
<para>
Finally, depending on your Kerberos configuration, you may need to install the <a href="http://docs.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html">Java Cryptography Extension</a>, or JCE. Insure the JCE jars are on the classpath on both server and client systems.
</para>
<para>
You may also need to download the <a href="http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html">unlimited strength JCE policy files</a>. Uncompress and extract the downloaded file, and install the policy jars into <tt>&lt;java-home&gt;/lib/security</tt>.
</para>
</section>
</section>
<section xml:id="trouble.mapreduce">