connect HDFS WITH KERBEROS

KNIME Extensions
,
1

Hi,
I am trying to connect to hdfs and hive with Kerberos authentication (with kerberos config and keytab).

If try with knime version 4_3_0 it works, and i’m connect!!.

If i use the same settings version Knime 4_6_0 it returns me ERROR (cancel the server)

Execute failed: Failed on local exception: java.io.IOException:

  • javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:*
  • No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))];*
  • Host Details : local host is: “xxxxxxx”; destination host is: “xxxxxxxxxx”:xxx;*

can you help me?

thanks

1 Like
2

Hi @And,

more information about the Kerberos connection can be found in the debug log. You can enable and view them in the preferences → KNIME → Kerberos. Does this already solve the issue? If not, what Kerberos Server are you using?

Cheers
Sascha

3

Hi Sascha,
I still have the problem.
I looked at the kerberos log in preference with debug mode.

This is the view of the initial login authentication (knime 4_3_0 vs 4_6_0):

error_log_KERBEROS_KNIME_VERSION
error_log_KERBEROS_KNIME_VERSION1672×763 80.9 KB

This is the appears in the crypto phase where in version 4_6_0 it goes into error (knime 4_3_0 vs 4_6_0) :

image
image1775×858 122 KB

available for details,
Thanks

1 Like
4

Hi,

the Java VM inside KNIME was update between the KNIME versions, and I guess the encryption type is considered weak now. What cluster are you using?

Cloudera has some documentation about the supported types here: Managing Kerberos credentials using Cloudera Manager

I guess in the second image, the working knime_4_3_0 is on the right side and the non-working knime_4_6_0 on the left side? The posted logs are hard to read, and the important things are possible outside the window. Feel free to open a support ticket and provide the logs there, in a more secure way.

Are you using krb.conf inside KNIME, and if yes, do you have any encryption related setting in it?

Cheers
Sascha

6

Hi,
We are using cdp version 7.4.4.
I read the encryption type on the documentation and it looks like this:

Cloudera Manager allows you to configure the encryption types (or enctype) used by an Active Directory KDC to protect its data. Cloudera supports the following encryption types:
rc4-hmac
aes128-cts
aes256-cts
des-cbc-crc
des-cbc-md5

We have this encryption in our krb.conf:

dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts rc4-hmac
default_tkt_enctypes = aes256-cts rc4-hmac
permitted_enctypes = aes256-cts rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000

so there is encryption .

Yes in second image knime_4_3_0 is on the right .

Thanks for the support

7

Hi @And,

RC4 is considered weak since years and should not be used anymore.

You have to find an encryption that both, Java/KNIME and your Kerberos Server supports. What Kerberos server are you using? MIT, Microsoft Active Directory or some other?

Cheers,
Sascha

8

HI Sasha

We use kerberos on Active Directory (windows server 2016).

Ok RC4 is deprecated, but aes256-cts?
Anyway I wanted to try to change the jdk on knime to see what happens, but with knime 4.3 I can, with knime 4.6 no? Why this?

Preference knime 4.6

image
image1010×820 87.4 KB

Preference knime 4.3

image
image1920×1080 304 KB

cheers

9

Hi @And,

KNIME requires a recent Java version, old Java versions are not supported anymore and this is a security problem, that’s why you can’t downgrade the Java version.

AES encryption has to b enabled in Active Directory, see here: Decrypting the Selection of Supported Kerberos Encryption Types - Microsoft Community Hub

The Kerberos debug log might have additional information why AES does not work.

Cheers
Sascha

1 Like
10

Hi Sasha,
Maybe we use both keys for the kerberos connection to hadoop, so I can login but not the hadoop connection.
But I would need to know which version of java uses knime 4_6_0 → jdk, jre and jvm, to understand the problem with the kerberos server.
Can you provide me with this information?

thanks.

11

Hi @And,

you can find the Java Version in the KNIME AP this way:

  1. Help → About KNIME Analytics Platform → Installation Details
  2. Then search JRE in the new Dialog on the Plug-Ins Tab

In the latest Version of KNIME (4.6.3) this is Java 17.0.3.

If you are working in a test setup, adding allow_weak_crypto = true to your krb5.conf might be something as a quick workaround (see here). Please note that RC4 is considered weak and a security risk.

Cheers
Sascha

2 Likes
12

Hi Sasha,
I understand the problem of secure encryption.
Also add line allow_weak_crypto = true —> WORKS knime 4_6_0.

Thanks for the explanations and support !!

2 Likes
13

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.