SASL protection layer mismatch

When you try to establish a connection with HDFS catalog, you might encounter a SASL protection layer mismatch error.

Symptoms

The following error message is displayed:

javax.security.sasl.SaslException: No common protection layer between client and server

The client (watsonx.data) and server (Cloudera) have incompatible Kerberos RPC protection settings. The client is configured for authentication while the server requires privacy.

Hadoop RPC protection has three levels:

  • authentication: Authentication only
  • integrity: Authentication + checksums
  • privacy: Authentication + checksums + encryption

Both client and server must use the same protection level.

Resolving the problem

To resolve this issue, update the core-site.xml file to match the server's protection level.

  1. Open the core-site.xml file (typically located in your Hadoop configuration directory).
  2. Locate the hadoop.rpc.protection property (typically around line 15).
  3. Change the value from authentication to privacy:

    Current configuration (incorrect):

    <property>
  <name>hadoop.rpc.protection</name>
  <value>authentication</value>
</property>

    Updated configuration (correct):

    <property>
  <name>hadoop.rpc.protection</name>
  <value>privacy</value>
</property>
  4. Save the file and restart the affected services.
Note: If your Cloudera cluster is configured with privacy for maximum security, ensure the client configuration matches this setting.