Unable to login to MapR Control System (MCS) due to 'No LoginModules configured for jpamLogin' error

Document created by jbubier on Feb 7, 2016. Last modified by jbubier on Feb 7, 2016.

Author: Jonathan Bubier


Original Publication Date: December 9, 2014


When attempting to log in to the MapR Control System (MCS), a login failure can occur even when valid user credentials are entered. In the webserver log /opt/mapr/logs/adminuiapp.log, an error sequence similar to the following is observed:


2014-12-10 13:52:35,941 INFO com.mapr.adminuiapp.commands.LoginCallable [1146586674@qtp-829077776-2]: validateUser: Attempting to authenticate user: root

2014-12-10 13:52:35,945 WARN org.mortbay.log [1146586674@qtp-829077776-2]: javax.security.auth.login.LoginException: No LoginModules configured for jpamLogin

2014-12-10 13:52:35,945 INFO com.mapr.adminuiapp.commands.LoginCallable [1146586674@qtp-829077776-2]: validateUser: Failed for user: root

The error message indicates that the user cannot be authenticated because there is no authentication module associated with jpamLogin. jPAM is a Java wrapper around PAM (Pluggable Authentication Modules) and is used by the webserver as an interface between user login requests and the local PAM modules. The authentication configuration for the webserver is defined in the command-line arguments for the webserver JVM by the argument 'java.security.auth.login.config'. The following is an example of a valid configuration:


mapr 18218 1 0 Dec09 ? 00:00:47 /usr/lib/jvm/jdk1.7.0_71//bin/java -Xmx512m



-Dhadoop.login=maprsasl -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf

-Dzookeeper.sasl.clientconfig=Client_simple -Dzookeeper.saslprovider=com.mapr.security.simplesasl.SimpleSaslProvider

When looking at the webserver JVM arguments, you may find that several of these arguments are missing, which typically leads to the login failure. Ex:


mapr 14400 1 13 13:51 ? 00:00:03 /usr/lib/jvm/jdk1.7.0_71//bin/java -Xmx512m



The configuration file /opt/mapr/conf/mapr.login.conf referenced by the 'java.security.auth.login.config' argument contains the definition for the jpamLogin module. If this argument is not present in the command-line arguments of the webserver, the jpamLogin module definition will not be found and all user login requests will fail. From /opt/mapr/conf/mapr.login.conf:



/**
 * Used for password authentication with PAM. jpam is a Java wrapper
 * for PAM. The serviceName below determines which PAM configurations
 * are to be used for validating passwords. The list is used in the order
 * shown. A failure is ignored and the system proceeds to the next entry.
 * If your PAM configurations (typically in /etc/pam.d) are not the same
 * as our provided defaults, you may need to change the serviceName values,
 * add stanzas, or remove stanzas.
 *
 * mapr-admin is there by default as a placeholder should you choose to
 * create MapR specific PAM configuration. If you have no mapr-admin
 * PAM configuration, you can just remove it.
 */
jpamLogin {
  net.sf.jpam.jaas.JpamLoginModule Sufficient
    serviceName="sudo";
  net.sf.jpam.jaas.JpamLoginModule Sufficient
    serviceName="sshd";
  net.sf.jpam.jaas.JpamLoginModule Sufficient
    serviceName="mapr-admin";
};


The default jpamLogin module references three PAM profiles: sudo, sshd and mapr-admin. As long as the user login request can be authenticated using the configuration in one of these profiles, the login request will succeed.


The webserver builds the command-line arguments mentioned above, which point it at the configuration in /opt/mapr/conf/mapr.login.conf, from environment variables in /opt/mapr/conf/env.sh. These environment variables must be set in /opt/mapr/conf/env.sh, or otherwise set externally and sourced by the webserver, so that they are set properly when the webserver initializes.


# For Kerberos SSO support

# kerberos and ssl conf needed for kerberos sso




# security configuration for individual components

MAPR_JAAS_CONFIG_OPTS="-Djava.security.auth.login.config=${MAPR_LOGIN_CONF} ${MAPR_KERBEROS_DEBUG}"



The 'MAPR_LOGIN_OPTS' environment variable is used directly by the webserver, though all four environment variables must be set properly for the webserver to get the correct configuration. The most common cause for the webserver missing the necessary command-line arguments is that /opt/mapr/conf/env.sh does not have the complete definition for these environment variables. This can happen on upgrades of the MapR software, typically from 3.0.x versions to MapR v3.1 and later, as configuration files are not replaced on upgrades.


If /opt/mapr/conf/env.sh is incomplete on the webserver node, it can be restored from /opt/mapr/conf.new/env.sh. Make a note of any existing configuration in /opt/mapr/conf/env.sh, such as JAVA_HOME or MAPR_SUBNETS, and re-apply the configuration after restoring from /opt/mapr/conf.new/env.sh. After updating the configuration in /opt/mapr/conf/env.sh to set the above environment variables, restart the webserver using the MCS or using maprcli node services. Ex:


$ maprcli node services -nodes `hostname -f` -webserver restart

Verify that the command-line arguments for the webserver JVM have been updated after the restart. If you are still seeing login issues after restarting the webserver, please capture a support-dump from the webserver node by running /opt/mapr/support/tools/mapr-support-dump.sh and contact MapR Support using the Support Portal.
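
The verification step above can be scripted. The following is an added example, not MapR code: it walks the chain this article describes, from the JVM argument to the login configuration file to the PAM profiles named in the jpamLogin stanza. The function names are hypothetical, and the command line is assumed to contain no paths with spaces.

```shell
#!/bin/sh
# Added example (not MapR code): checks the login-config chain described above.

# Print the value of -Djava.security.auth.login.config found in a JVM command line.
login_conf_from_cmdline() {
  printf '%s\n' "$1" | tr ' ' '\n' |
    sed -n 's/^-Djava\.security\.auth\.login\.config=//p' | head -n 1
}

# Print each serviceName configured inside the jpamLogin stanza of a JAAS file.
jpam_services() {
  awk '
    /^[ \t]*jpamLogin[ \t]*[{]/ { in_stanza = 1; next }
    in_stanza && /^[ \t]*[}]/   { in_stanza = 0 }
    in_stanza && match($0, /serviceName="[^"]*"/) {
      print substr($0, RSTART + 13, RLENGTH - 14)
    }' "$1"
}

# check_webserver_auth CMDLINE [PAM_DIR]
# Returns 0 if the chain is intact, 1 if the JVM argument is missing, 2 if the
# file is unreadable, 3 if jpamLogin lists no services, 4 if none of the
# listed services has a PAM profile.
check_webserver_auth() {
  conf=$(login_conf_from_cmdline "$1")
  pam_dir=${2:-/etc/pam.d}
  [ -n "$conf" ] || { echo "FAIL: -Djava.security.auth.login.config not on command line"; return 1; }
  [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
  services=$(jpam_services "$conf")
  [ -n "$services" ] || { echo "FAIL: no jpamLogin serviceName entries in $conf"; return 3; }
  usable=0
  for svc in $services; do
    if [ -f "$pam_dir/$svc" ]; then
      echo "ok: PAM profile $pam_dir/$svc"; usable=1
    else
      echo "note: no PAM profile $pam_dir/$svc"
    fi
  done
  [ "$usable" -eq 1 ] || { echo "FAIL: no listed PAM profile exists"; return 4; }
}

# The failing command line shown in this article: the argument is absent.
BROKEN='/usr/lib/jvm/jdk1.7.0_71//bin/java -Xmx512m'
check_webserver_auth "$BROKEN" || echo "exit status: $?"
```

On the webserver node, pass the real command line instead, for example the output of `ps -o args= -p <pid>` for the webserver JVM.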