MapR 5.0 Documentation : Troubleshoot Hue Security Issues

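To troubleshoot Kerberos security issues, enable Kerberos debug output by uncommenting the MAPR_KERBEROS_DEBUG line in the /opt/mapr/conf/env.sh file. The flags turn on Kerberos, SPNEGO and full javax.net debug output, which is very verbose, so comment the line out again when you finish troubleshooting: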

# uncomment the following line to debug client kerberos issues
#MAPR_KERBEROS_DEBUG="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true -Djavax.net.debug=all"

Under the Hue installation directory, check logs/runcpserver.log for errors. Some sample error messages are shown below.

Could not start SASL

If you see this message, the Kerberos ticket has expired. Try using renewable tickets:

TypeError: TTransportException('Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)',) is not JSON serializable

Run the kinit command to generate a new ticket with a long lifetime, then restart the Hue webserver.

Configuration Error

If you see this message, the ticket generated by the kinit command from maprlogin kerberos was not copied to /tmp/hue_krb5_ccache:

Caused by: javax.security.auth.login.LoginException: Configuration Error - useTicketCache should be set to true to use the ticket cache /tmp/hue_krb5_ccache

This can happen when you generate a new ticket after the original ticket expires and forget to copy it into the ticket cache. Run the following command to copy the ticket into the ticket cache:

kinit -k -t /opt/mapr/conf/mapr.keytab -c /tmp/hue_krb5_ccache mapr/perfnode181.perf.lab@dev-maprtech

Password incorrect while getting initial credentials

This message (Password incorrect while getting initial credentials) appears when you create a keytab file but then try to authenticate with a password. Creating a keytab places a new random key in the Kerberos database and in the keytab file (/opt/mapr/conf/mapr.keytab). That key does not have a password associated with it, so you can only authenticate using the keytab.

If you want to authenticate with a password, run the cpw command in kadmin instead of the ktadd command.

TaskTracker daemon does not start

If the TaskTracker log contains an error message similar to the following, check that the /opt/mapr/conf/mapr.keytab file contains the correct Kerberos principal name, as specified in mapred-site.xml:

ERROR ipc.RPC [main]: FailoverProxy: Failing this Call: getBuildVersion for error(RemoteException): org.apache.hadoop.ipc.RemoteException: User mapr is not authorized for protocol interface org.apache.hadoop.mapred.InterTrackerProtocol, expected client Kerberos principal is mapr/perfnode153.perf.lab@dev-maprtech
ERROR mapred.TaskTracker [main]: Error org.apache.hadoop.ipc.RemoteException: User mapr is not authorized for protocol interface org.apache.hadoop.mapred.InterTrackerProtocol, expected client Kerberos principal is mapr/perfnode153.perf.lab@dev-maprtech while getting jobTracker build version. Exiting..

To check the principal name, list the contents of the keytab file by running the following command:

klist -k -t /opt/mapr/conf/mapr.keytab
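
The following script is an added example, not part of the MapR documentation or MapR code. It pulls the expected principal out of a TaskTracker error line and checks it against the principals in a `klist -k` keytab listing. The function names and the sample keytab listing are assumptions constructed for illustration; the log line reuses the error text shown above.

```shell
#!/bin/sh
# Added example (not MapR code): does the keytab hold the principal that the
# TaskTracker error says it expects? Sample inputs below are constructed.

# Principals named after "expected client Kerberos principal is" in log text.
expected_principals() {
  sed -n 's/.*expected client Kerberos principal is \([^ ]*\).*/\1/p' | sort -u
}

# Principals from `klist -k` output: last field of each row under the rule line.
# Assumes the listing was made without -e (no trailing encryption-type column).
keytab_principals() {
  awk '/^-+/ { seen = 1; next } seen && NF >= 2 { print $NF }' | sort -u
}

# $1 = log text, $2 = `klist -k` output. Prints one verdict per expected
# principal; returns 0 if all are present, 1 if any is missing, 2 if the log
# names no expected principal.
check_keytab() {
  have=$(printf '%s\n' "$2" | keytab_principals)
  wanted=$(printf '%s\n' "$1" | expected_principals)
  [ -n "$wanted" ] || { echo "NO-EXPECTED-PRINCIPAL"; return 2; }
  rc=0
  for want in $wanted; do
    # -F fixed string, -x whole line: the realm and host must match exactly.
    if printf '%s\n' "$have" | grep -Fxq -- "$want"; then
      echo "OK $want"
    else
      echo "MISSING $want"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: the error line from above, and a keytab for another host.
SAMPLE_LOG='ERROR mapred.TaskTracker [main]: Error org.apache.hadoop.ipc.RemoteException: User mapr is not authorized for protocol interface org.apache.hadoop.mapred.InterTrackerProtocol, expected client Kerberos principal is mapr/perfnode153.perf.lab@dev-maprtech while getting jobTracker build version. Exiting..'
SAMPLE_KEYTAB='Keytab name: FILE:/opt/mapr/conf/mapr.keytab
KVNO Principal
---- ----------------------------------------
   1 mapr/perfnode181.perf.lab@dev-maprtech'

check_keytab "$SAMPLE_LOG" "$SAMPLE_KEYTAB" || echo "keytab lacks the expected principal"
```

On a real node, pass the TaskTracker log text as the first argument and the output of `klist -k /opt/mapr/conf/mapr.keytab` as the second.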