Develop Reference

Embedded apache drill - unable to start with security configuration

We are fetching password with custom authentication provider and that will fetch the password from secured service. with below configuration when we start it, it is throwing error. The same configuration is working for cluster mode.
drill.exec: {
sys.store.provider.local.path="/home/user/somedatafolder",
security.user.auth:
{ enabled: true, packages += "com.app", impl: "myCustomAuthenticatorType" // custom auth provider }
},
// below properties are used by the custom authenticator to fetch the password from external service
drill.username: "username",
drill.password.key: "passkey",
drill.password.service.url: "https://somehost/api",
drill.exec.options:
{ security.admin.users: "username" }
Error :
Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Server requires authentication using [PLAIN]. Insufficient credentials?. [Details: Encryption: disabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0]. (state=,code=0)
java.sql.SQLNonTransientConnectionException: Failure in connecting to Drill: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Server requires authentication using [PLAIN]. Insufficient credentials?. [Details: Encryption: disabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0].
at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:178)
at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:67)
at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:67)
at org.apache.calcite.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:138)
at org.apache.drill.jdbc.Driver.connect(Driver.java:75)
at sqlline.DatabaseConnection.connect(DatabaseConnection.java:135)
at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:192)
at sqlline.Commands.connect(Commands.java:1364)
at sqlline.Commands.connect(Commands.java:1244)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:38)
at sqlline.SqlLine.dispatch(SqlLine.java:730)
at sqlline.SqlLine.initArgs(SqlLine.java:410)
at sqlline.SqlLine.begin(SqlLine.java:515)
at sqlline.SqlLine.start(SqlLine.java:267)
at sqlline.SqlLine.main(SqlLine.java:206)
Caused by: org.apache.drill.exec.rpc.NonTransientRpcException: javax.security.sasl.SaslException: Server requires authentication using [PLAIN]. Insufficient credentials?. [Details: Encryption: disabled , MaxWrappedSize: 65536 , WrapSizeLimit: 0].
at org.apache.drill.exec.rpc.user.UserClient.connect(UserClient.java:207)
at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:458)
at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:402)
at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:169)
... 18 more

ngx-socket-io connected false but flask_socketio logs show 200 OK

Any tips to debug would help, this is just the basic implementation.
I am using the exact tutorial as here to setup the ngx socket client:
https://www.npmjs.com/package/ngx-socket-io
flask-socketio for the server
https://flask-socketio.readthedocs.io/en/latest/
Server-side shows no error, but the registered handler methods to emit/receive seem blind.
Server Logs:
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8Dtbg HTTP/1.1" 200 418 0.000640
(12285) accepted ('127.0.0.1', 37400)
fa1a1d40bbc349c384a121302ef567c7: Received request to upgrade to websocket
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8Dtcd&sid=fa1a1d40bbc349c384a121302ef567c7 HTTP/1.1" 200 235 0.000408
127.0.0.1 - - [28/Jan/2021 10:58:51] "GET /socket.io/?EIO=3&transport=polling&t=NT8DtdE&sid=fa1a1d40bbc349c384a121302ef567c7 HTTP/1.1" 200 235 0.000268
fa1a1d40bbc349c384a121302ef567c7: Upgrade to websocket successful
5002732d42184ba6b453e7d4f35e864e: Received packet PING data None
5002732d42184ba6b453e7d4f35e864e: Sending packet PONG data None
Client logs:
config: {url: "http://127.0.0.1:5000/", options: {…}}
emptyConfig: {url: "", options: {…}}
eventObservables$: {}
ioSocket: Socket
acks: {}
connected: false
disconnected: true
flags: {}
ids: 0
io: Manager
autoConnect: true
backoff: Backoff {ms: 1000, max: 5000, factor: 2, jitter: 0.5, attempts: 0}
connecting: [Socket]
decoder: Decoder {reconstructor: null, _callbacks: {…}}
encoder: Encoder {}
encoding: false
engine: Socket {secure: false, agent: false, hostname: "127.0.0.1", port: "5000", query: {…}, …}
lastPing: Thu Jan 28 2021 11:00:56
Server code (no print)
#socketio.on('connect')
def test_connect():
print('\n\nClient connected')
Why can't I get the connection working? Thanks

Double check npm/python environment of current versions of socketio and engineio.
https://github.com/miguelgrinberg/python-socketio
d7e95928d73c42fab431e94ce2df40fc: Sending packet OPEN data {'sid': 'd7e95928d73c42fab431e94ce2df40fc', 'upgrades': ['websocket'], 'pingTimeout': 60000, 'pingInterval': 25000}
Client connected
d7e95928d73c42fab431e94ce2df40fc: Sending packet MESSAGE data 0

Logstash beats input "invalid version of beats protocol"

I'm writing a kibana plugin and a logstash pipeline. For my tests, I just wrote a logstash input like that:
input {
beats {
port => 9600
ssl => false
ssl_verify_mode => "none"
}
}
But when I try to open a connection with node (code above):
invoke = (parameters, id, port, host) => {
var fs = require('fs');
console.log(`Sending message in beats, host= ${host}, port= ${port}, message= ${parameters.message}`);
var connectionOptions = {
host: host,
port: port
};
var client = lumberjack.client(connectionOptions, {rejectUnauthorized: false, maxQueueSize: 500});
client.writeDataFrame({"line": id + " " + parameters.message});
}
logstash gives to me "invalid version of beats protocol: 22" and "invalid version of beats protocol: 3":
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.0.11.jar:?]
at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.0.11.jar:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
... 9 more
[2020-08-11T07:49:47,954][INFO ][org.logstash.beats.BeatsHandler] [local: 172.22.0.40:9600, remote: 172.22.0.1:33766] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 3
[2020-08-11T07:49:47,955][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 3
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:404) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:371) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:354) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:61) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:253) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.49.Final.jar:4.1.49.Final]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 3
at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.0.11.jar:?]
at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.0.11.jar:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
... 11 more

Instead of use beats input you could try to use tcp input.
Example:
input {
tcp {
port => "9600"
codec => "json"
}
}
If you are using beats input and you want to use Logstash to perform additional processing on the data collected by Filebeat, you need to configure Filebeat to use Logstash.
To do this, you edit the Filebeat configuration file to disable the Elasticsearch output by commenting it out and enable the Logstash output by uncommenting the Logstash section:
output.logstash:
hosts: ["127.0.0.1:5044"]
You can read more on https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html

There could be many cases of that in my case issue was related to my filebeat.yml i was having below error on my logstash server
nd it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:404) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:371) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:354) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:262) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:61) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:253) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.65.Final.jar:4.1.65.Final]
at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.2.6.jar:?]
at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.2.6.jar:?]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446) ~[netty-all-4.1.65.Final.jar:4.1.65.Final]
... 11 more
When i check my filebeat so it says connection refused
root#ip-10-0-8-193:~# filebeat test output
elasticsearch: http://10.0.13.37:5044...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 10.0.13.37
dial up... OK
TLS... WARN secure connection disabled
talk to server... ERROR Get "http://10.0.13.37:5044": read tcp 10.0.8.193:34940->10.0.13.37:5044: read: connection reset by peer
when i closely check my logs so i found one misconfiguration from errors
[2022-10-12T11:08:06,107][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://10.0.14.30:9200"]}
above error means i didn't configure outputs correctly i closed elasticsearch line but miss output line
Solution In my case
I went back to my filebeat.yml and make the required changes
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
# hosts: ["localhost:9200"]
# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
hosts: ["10.0.13.37:5044"]
make sure we properly commented elasticsearch output

For understanding more about this error we will need to see the filbeat.yml. Input plugin that you have used is a valid input plugin but in filbert.yml you might have not had output.logstash value or probably made some other mistakes. Can you please check if you have sent the output to Elasticsearch or Logstash ?
Please ensure you have this line of code in your filebeat.yml
output.logstash:
hosts: ["127.0.0.1:5044"]

Kerberized Hadoop Login failure for user ... LoginException: Checksum failed

Environment:
Hadoop 2.9.2
Kerberos 5 release 1.15.1
RHEL 7
Error
Exception in Hadoop datanode log that prevents startup.
The log entry is:
INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1: org.apache.hadoop.security.KerberosAuthException: Login failure for user: datanode/_HOST#<REALM> from keytab /etc/security/keytabs/<file.keytab> javax.security.auth.login.LoginException: Checksum failed
Full Stack Trace:
org.apache.hadoop.security.KerberosAuthException: Login failure for user: datanode/_HOST#<REALM> from keytab /etc/security/keytabs/datanode.keytab javax.security.auth.login.LoginException: Checksum failed
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1104)
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:312)
at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2596)
at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2645)
at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2789)
at org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter.start(SecureDataNodeStarter.java:77)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:243)
Caused by: javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1095)
... 10 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150)
at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:308)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:780)
... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
... 30 more
Diagnose
If kdiag is run to diagnose the problem:
bin/hadoop org.apache.hadoop.security.KDiag --principal namenode/_HOST#<REALM> --keytab /etc/security/keytab/namenode.keytab
The same exception as above is encountered...
The last line of useful output is:
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Normal healthy output should be:
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> CksumType: sun.security.krb5.internal.crypto.HmacSha1Aes256CksumType
>>> KrbAsRep cons in KrbAsReq.getReply datanode/_HOST
/etc/krb5.conf
Contents of Kerberos Configuration
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true
# pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
dict_file = /usr/share/dict/words
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

The Hadoop documentation explains this is a problem with Java not supporting renewable tickets.
1.8.0_242 Kerberos Java client will fail by "Message stream modified (41)" when the client requests a renewable ticket and the KDC
returns a non-renewable ticket. If your principal is not allowed to
obtain a renewable ticket, you must remove "renew_lifetime" setting
from your krb5.conf.
https://cwiki.apache.org/confluence/display/HADOOP/Hadoop+Java+Versions
Option 1
Remove renew_lifetime from krb5.conf
Note: If you don't want to disable renewable kerberos tickets system-wide you can configure a custom krb5.conf for java by passing these arguments to the jvm:
# non-windows
-Djava.security.krb5.conf=krb5.conf
# windows
-Djava.security.krb5.conf=krb5.ini
According to this
Option 2
Ensure renew_lifetime, ticket_lifetime and max_renewable_life are set.
Example working config
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des- cbc-crc
default_tkt_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
kdc_timeout = 3000
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
dict_file = /usr/share/dict/words
max_renewable_life = 7d 0h 0m 0s
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

Connecting to cassandra cluster with kerberos using java driver

I followed the instructions from the following datastax post - Accessing secure DSE clusters
This is my code snippet -
public static void main(String[] args) {
KerberosAuthenticatedClient client = new KerberosAuthenticatedClient();
System.setProperty("java.security.krb5.conf","C:/Users/ADMIN/Desktop/krb5.config");
System.setProperty("java.security.auth.login.config","C:/Users/ADMIN/Desktop/DseClient.config");
cluster = Cluster.builder().addContactPoint(node).withAuthProvider(new DseAuthProvider()).build();
session = cluster.connect();
This is my DseClient File -
DseClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
doNotPrompt=true
keyTab="C:/Users/ADMIN/Desktop/dse.keytab"
principal="rock#MY.COM";
};
And This is my krb5.conf -
[libdefaults]
default_realm = MY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MY.COM = {
kdc = x.x.x.x
admin_server = x.x.x.x
}
[domain_realm]
.my.com = MY.COM
my.com = MY.COM
I have installed kerberos on my client machine and also on the servers too. But when I run I get the following error :-
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:113)
at com.datastax.driver.core.sasl.KerberosAuthenticator.<init>(KerberosAuthenticator.java:94)
at com.datastax.driver.core.sasl.DseAuthProvider.newAuthenticator(DseAuthProvider.java:52)
at com.datastax.driver.core.Connection.initializeTransport(Connection.java:163)
at com.datastax.driver.core.Connection.<init>(Connection.java:131)
at com.datastax.driver.core.Connection.<init>(Connection.java:59)
at com.datastax.driver.core.Connection$Factory.open(Connection.java:444)
at com.datastax.driver.core.ControlConnection.tryConnect(ControlConnection.java:205)
at com.datastax.driver.core.ControlConnection.reconnectInternal(ControlConnection.java:168)
at com.datastax.driver.core.ControlConnection.connect(ControlConnection.java:81)
at com.datastax.driver.core.Cluster$Manager.init(Cluster.java:812)
at com.datastax.driver.core.Cluster$Manager.access$100(Cluster.java:739)
at com.datastax.driver.core.Cluster.<init>(Cluster.java:82)
at com.datastax.driver.core.Cluster.<init>(Cluster.java:67)
at com.datastax.driver.core.Cluster$Builder.build(Cluster.java:708)
at KerberosAuthenticatedClient.connect(KerberosAuthenticatedClient.java:19)
at KerberosAuthenticatedClient.main(KerberosAuthenticatedClient.java:45)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.datastax.driver.core.sasl.KerberosAuthenticator.loginSubject(KerberosAuthenticator.java:109)
... 16 more

The error in the stacktrace is complaining that it is unable to find any credentials for the OS user executing the request. This is usually cause by one of three conditions:
not setting the location of the JAAS config correctly (which causes us to fall back to the default of using the TGT cache & often leading to 2.)
an empty local ticket cache (when not using a keytab)
credentials for the specified principal missing from the keytab
The first thing I'd check is that you have set the java.security.auth.login.config system property to the location of your JAAS config file (the DseClient file) correctly?
If you have and are still seeing the error, you can check the contents of the keytab with klist -e -t -k /path/to/keytab
Another useful tip for debugging is to set -Dsun.security.krb5.debug=true which will dump lots of detailed info to stdout.

I changed the service principle to dse/hostname#REALM from cassandra/hostname#REALM and it worked. I am not sure why the java program which I ran from my windows machine was taking the service principle as dse/hostname instead of cassandra/hostname