
Kerberos – Unable to obtain password from user

Error –

Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:880)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:743)
    at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:597)
    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:734)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:672)
    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:670)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:670)
    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:580)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:2091)
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:2001)

Environment –

  • Apache Hive version 1 and above
  • Any language used for backend code (Java / Kotlin / Groovy)

Root cause –

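There can be multiple root causes for this issue. In most cases the problem is with the keytab file used for Kerberos authentication: the stack trace shows Krb5LoginModule reaching promptForPass, which means it did not get a key from the keytab and fell back to asking for a password. Work through the solutions in the sections below.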

Solution #1 –

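Check that your application can access the keytab file at the given location. Try giving all permissions to the keytab file and try again. On Linux, run the command below. A keytab holds the principal's long-term keys, so anyone who can read it can authenticate as that principal: treat the open permissions as a temporary test, and once the cause is confirmed restrict the file again so that only the account running the application can read it.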

chmod 777 keytab_file_name

Solution #2 –

If the permissions are fine, check that your code uses the correct keytab location. Also check that the user's Kerberos principal is actually contained in that keytab file. See the Java code below.

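import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

// Switch Hadoop security to Kerberos before any login attempt.
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
// The principal must be one of the entries stored in the keytab at this path.
UserGroupInformation.loginUserFromKeytab(userKerberosPrincipal, userKeyTabLocation);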
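The checks from Solution #1 and Solution #2 can be run before the application starts. The following is an added example, not code from the original article: it reads the keytab file format (version 0x0502) directly in Python, so it needs no Kerberos tools. The function names are hypothetical, and it also reports a keytab that is still open to group/other after the permission test.

```python
import os
import stat
import struct


def keytab_principals(data):
    """Return the principals (name@REALM) stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)  # signed entry length
        pos += 4
        if size == 0:
            break
        if size > 0:  # a negative size marks a deleted entry (hole) to skip
            cur = pos
            (count,) = struct.unpack_from(">H", data, cur)
            cur += 2
            parts = []
            for _ in range(count + 1):  # realm first, then the name components
                (n,) = struct.unpack_from(">H", data, cur)
                parts.append(data[cur + 2:cur + 2 + n].decode())
                cur += 2 + n
            found.add("/".join(parts[1:]) + "@" + parts[0])
        pos += abs(size)
    return found


def diagnose_keytab(path, principal):
    """List reasons a keytab login for `principal` from `path` may get no key."""
    if not os.path.isfile(path):
        return ["keytab not found: " + path]
    problems = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("keytab is accessible to group/other; restrict to owner")
    if not os.access(path, os.R_OK):
        return problems + ["keytab is not readable by this user"]
    with open(path, "rb") as fh:
        names = keytab_principals(fh.read())
    # Accept the full name (hiveuser@REALM) or the short form without a realm.
    if not any(principal in (n, n.rsplit("@", 1)[0]) for n in names):
        problems.append("%s not in keytab; it holds %s" % (principal, sorted(names)))
    return problems


if __name__ == "__main__":
    import sys
    print(diagnose_keytab(sys.argv[1], sys.argv[2]) or "keytab looks usable")
```

Run it as the same OS user that runs the application, passing the keytab path and the principal; an empty result means the file is readable, owner-only, and contains the principal.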

Solution #3 –

Use the kinit command to obtain or renew a ticket-granting ticket for Kerberos authentication.

kinit -kt hiveuser.keytab hiveuser

Details of the above command:

  • -k – The key for the ticket principal is retrieved from a key table (keytab). This avoids typing the password manually.
  • -t – Indicates which keytab file should be used instead of the default keytab file.
  • hiveuser.keytab – The keytab file name.
  • hiveuser – The SID or user used for Kerberos authentication.

Do you have another solution?

The solutions provided above are based on a scenario that one of our developers/contributors faced. If you faced the same issue and found another root cause, please share your solution in the comment section below. We will add the solution to this article.
