Hadoop cluster connection test fails with an 'org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user@DOMAIN' error

Problem Description

The Hadoop cluster uses Kerberos authentication. When the Hadoop cluster metadata connection is tested with a keytab and service principal name (SPN), the following error is observed:

Caused by: java.io.IOException: Login failure for user @DOMAIN from keytab D:/Hadoop/Kerberos/Cloudera/key.keytab: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name user @DOMAIN: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to user @DOMAIN

Note: The same error is observed when generating the Kerberos ticket with the keytab and SPN on the Hadoop node.

 

Root Cause

The SPN (user@DOMAIN) does not match the rules specified on the Hadoop cluster. This is a Kerberos authentication issue on the Hadoop side.

 

Solution

Ensure that the service principal name (SPN) follows the rules defined in the Hadoop property: hadoop.security.auth_to_local.
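
To see why a principal can fall through every rule, the following added example (not from the original article and not Hadoop's own code) is a simplified Python model of how hadoop.security.auth_to_local rules are evaluated in order. The rule sets, the EXAMPLE.COM default realm and the function names are constructed assumptions; Python regular expressions stand in for Java's, and the /L flag is not modelled.

```python
import re

# Simplified model of the rule grammar: DEFAULT, or
# RULE:[n:format](match)s/from/to/g
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?)")

class NoMatchingRule(Exception):
    """Raised when no rule maps the principal to a local name."""

def parse_rules(text):
    """Split a hadoop.security.auth_to_local value into ordered rule tuples."""
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError("invalid rule at: " + text[pos:])
        rules.append(m.groups())
        pos = m.end()
    return rules

def short_name(principal, rules, default_realm):
    """Map user[/host]@REALM to a local name; the first applicable rule wins."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    params = [realm] + parts                 # $0 = realm, $1.. = components
    for default, n, fmt, match, frm, to, g in rules:
        if default:                          # DEFAULT only covers the default realm
            if realm == default_realm:
                return parts[0]
            continue
        if int(n) != len(parts):             # rule is for another component count
            continue
        base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if frm is None:
            return base
        return re.sub(frm, lambda m: to, base, count=0 if g else 1)
    raise NoMatchingRule("No rules applied to " + principal)

# Constructed samples: a cluster whose rules only cover EXAMPLE.COM, and the
# same rule set with a rule added for single-component principals in DOMAIN.
CLUSTER_RULES = r"""
RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@.*//
DEFAULT
"""
FIXED_RULES = r"RULE:[1:$1@$0](.*@DOMAIN)s/@.*//" + CLUSTER_RULES
```

With CLUSTER_RULES, user@DOMAIN matches no rule and raises NoMatchingRule; with FIXED_RULES it maps to user. On the cluster itself, hadoop kerberosname user@DOMAIN evaluates the configured rules against a principal.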

Version history
Revision #: 6 of 6
Last update: 02-25-2019 01:11 AM