Kerberos Authentication using Credentials Cache works via Eclipse, but not Command Line

Question

Description: I have built an application that fetches a HDFS(Hadoop Distributed File System) File from a Remote Cluster on which Kerberos Authentication is applied. I could executed HDFS.copyToLocalFile(path1, path2) from Eclipse and it worked fine. But when I export the project as a runnable jar and try to run it through command line, it throws the below error. Note: I've followed the steps mentioned @https://sourceforge.net/p/jsch/mailman/message/26939797/ and was successful in running the project from Eclipse. I've checked for additional files in Eclipse but couldn't find any. I have Kerberos V5 MIT installed along with Network Identity Manager (4.0 version)

Caused by: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:643)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:730)
at org.apache.hadoop.ipc.Client$Connection.access$2800(Client.java:368)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1521)
at org.apache.hadoop.ipc.Client.call(Client.java:1438)
... 70 more
Caused by: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:172)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:553)
at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:368)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:722)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:718)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:717)
... 73 more

Note: I've configured the eclipsed related parameters into a Configuration.xml and bundled it into the classpath.

<property>
    <name>java.security.auth.login.config</name>
    <value>./Configuration/login.conf</value>
</property>
<property>
    <name>java.security.krb5.conf</name>
    <value>./Configuration/krb5.conf</value>
</property>
<property>
    <name>javax.security.auth.useSubjectCredsOnly</name>
    <value>false</value>
</property>

Answer 1

I think that the Kerberos authentication fails, because your login.conf and krb5.conf files can't be found on runtime when using the JAR.

I had a similar problem, when I tried to access a file in my assets folder from the JAR file. The point is, that the paths change somehow when exporting the package as JAR. Do you have an opportunity to check the file paths somehow in your code, e.g.

String resourceFile = YourClass.class.getResource("/krb5.conf").getFile();
// check if resourceFile is null!

If this class.getResource(...) command works on running via IDE, but won't in your JAR, the problem is the difference in the file location.

I think this post could help you: How to get a path to a resource in a Java JAR file