Repository-hdfs with kerberos failed

stack-security
#1

Hi, I want to create a secure repository-hdfs with Kerberos.

  • Place the keytab file in /etc/elasticsearch/repository-hdfs/krb5.keytab
  • Edit the realm info in /etc/krb5.conf

After doing the above two steps, I can use kinit and klist and get the correct message. So I created my repo in the Kibana console:

"""
PUT _snapshot/my_hdfs_repository
{
  "type": "hdfs",
  "settings": {
    "uri": "hdfs://10.149.164.225:8020",
    "path": "/data/nta/repositories/my_hdfs_repository",
    "security.principal": "sys_cq@HADOOP.XXXX.COM"
  }
}
"""

But I get the error log:

"""
Permission denied: user=sys_cq, access=WRITE, inode="/":hdfs:hadoop:drwxr-xr-x
"""

I have the right permissions in HDFS:
"""
$ hadoop fs -ls -d /data/nta
drwxr-x--- - sys_cq sys_cq
"""

My software version is:
"""
elasticsearch Version: 6.5.3, Build: default/rpm/159a78a/2018-12-06T20:11:28.826501Z, JVM: 1.8.0_201
hadoop version: Hadoop 2.6.0-cdh5.11.0
"""

Can anybody help me? :slight_smile:
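How to read the HDFS denial quoted in the error log above, as an added example that is not part of the original post: the message names the inode that was checked, its owner, group and mode, which is enough to see which permission class applied to the user and which bit was missing. The function name `explain_denial` and the `user_groups` parameter are hypothetical, and only the basic owner/group/other bits are modelled (HDFS ACLs and the HDFS superuser are not).

```python
import re

# Layout of the "Permission denied" message as quoted in the post:
#   user=<name>, access=<FsAction>, inode="<path>":<owner>:<group>:<mode>
DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[-dl][-rwxtT]{9})'
)

# Permission bits each requested access needs.
NEEDED = {
    "READ": "r", "WRITE": "w", "EXECUTE": "x", "READ_WRITE": "rw",
    "READ_EXECUTE": "rx", "WRITE_EXECUTE": "wx", "ALL": "rwx",
}


def explain_denial(line, user_groups=()):
    """Return which permission class applied and which bits were missing.

    user_groups is an assumption supplied by the caller: the groups the
    HDFS NameNode resolves for the user (the message does not list them).
    Returns None when the line is not a permission-denied message.
    """
    m = DENIED.search(line)
    if m is None:
        return None
    mode = m["mode"]
    triplets = {"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}
    if m["user"] == m["owner"]:
        cls = "owner"
    elif m["group"] in user_groups:
        cls = "group"
    else:
        cls = "other"
    # Sticky bit: 't' still grants execute, 'T' does not.
    granted = triplets[cls].replace("t", "x").replace("T", "-")
    missing = [b for b in NEEDED.get(m["access"], "") if b not in granted]
    return {"user": m["user"], "path": m["path"], "class": cls,
            "granted": granted, "missing": missing}


if __name__ == "__main__":
    # The line below is the error text from the post.
    sample = ('Permission denied: user=sys_cq, access=WRITE, '
              'inode="/":hdfs:hadoop:drwxr-xr-x')
    print(explain_denial(sample))
```
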

(James Baiera) #2

Could you increase the logging level in Elasticsearch for the org.elasticsearch.repositories.hdfs package to DEBUG and post the full logs here?
