"No valid credentials provided" occurs for a YARN reservation in a Kerberos environment that uses the cas.USEYARN=true option


SAS® Cloud Analytic Services (CAS) might fail to start when you use the cas.USEYARN=true option.

After the failure occurs, a WARN message appears for the CAS controller in the caslaunch_default_controller_daemon.err file (located in /opt/sas/viya/config/var/log/cas/default/). The message is similar to what is shown here:

18/12/27 07:55:06 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

As a workaround, take these steps:

  1. Stop your CAS server with the following command:
    /etc/init.d/sas-viya-cascontroller-default stop
     
  2. You must authorize a Service Principal Name (SPN) or a User Principal Name (UPN) in order to access an Apache Hadoop YARN environment. Here is an example: 
    sascas/cascontroller.mycompany.com@MYCOMPANY.COM
     
  3. SAS recommends using the above identity along with the default Kerberos keytab location and file name. The file name is sascas.keytab, and the location is the /etc directory.
     
  4. Validate the following commands to receive a ticket for your SPN or UPN:  
    kinit -V -k -t /etc/sascas.keytab sascas/cascontroller.mycompany.com@MYCOMPANY.COM​​​​​​​
    klist
    ​​​​​​​
  5. Back up the following file:
    /opt/sas/viya/home/SASFoundation/utilities/bin/sas-cas.sh
     
  6. After line 11 (which should be #set -x), in the sas-cas.sh file, insert the following: ​​​​​​​
    kinit -V -k -t /etc/sascas.keytab​​​​​​​ ​​​​​​​sascas/cascontroller.mycompany.com@MYCOMPANY.COM
     
  7. Start your CAS controller with the following command:
    /etc/init.d/sas-viya-cascontroller-default start