我正在尝试使用 Java 从我的本地计算机创建一个 kerberos 安全的 Hadoop 集群。
这是我尝试做的事情:
public static void hbase() throws IOException {
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
final Configuration hBaseConfig = HBaseConfiguration.create();
hBaseConfig.setInt("timeout", 120000);
hBaseConfig.set("hbase.zookeeper.quorum", <zookeeper_quorum_address>);
hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
hBaseConfig.set("hadoop.security.authentication", "kerberos");
hBaseConfig.set("hbase.security.authentication", "kerberos");
hBaseConfig.set("hbase.master.kerberos.principal", <kerberos.hbase.principal>);
hBaseConfig.set("hbase.regionserver.kerberos.principal", <kerberos.hbase.principal>);
hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
UserGroupInformation.setConfiguration(hBaseConfig);
UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(<principalName>,
path_to_keytab_on_local_fs);
}
我从集群管理员那里获得了 zookeeper quorum、hbase principal 等的值,所以我相当确定它们是准确的。我还通过在集群上使用 kinit 获取票证来验证我的 key 表
这是错误跟踪:
Exception in thread "main" java.io.IOException: Login failure for <principal> from keytab <path_to_keytab_on_local_fs>
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
at Kerberos.KerberosAuthentication.App.main(App.java:15)
Caused by: javax.security.auth.login.LoginException: null (68)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
... 2 more
Caused by: KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 18 more
我还尝试了另一种方法,重新调整
UserGroupInformation
与 SecurityUtil
SecurityUtil.login(hBaseConfig, <keytab>, <principal name>);
SecurityUtil.doAsCurrentUser(new PrivilegedExceptionAction<Void>() {
.............
}
使用这种方法,控制台输出显示
Session Established
,但除此之外,执行仍在继续,没有任何日志/控制台输出,我必须强制终止它。我真的很感激一些洞察力来帮助解决这个问题。
最佳答案
你可以尝试类似的东西
System.setProperty("java.security.krb5.conf", "/etc/krb5.conf")
System.setProperty("sun.security.krb5.debug", "true")
hbaseConf = HBaseConfiguration.create()
hbaseConf.set("hbase.connection.timeout", "5000")
hbaseConf.set("zookeeper.znode.parent", "/hbase")
hbaseConf.set("hbase.zookeeper.quorum", zkQuorum)
hbaseConf.set("hbase.zookeeper.property.clientPort", zkPort)
hbaseConf.set("hbase.client.retries.number", Integer.toString(1))
hbaseConf.set("zookeeper.session.timeout", Integer.toString(60000))
hbaseConf.set("zookeeper.recovery.retry", Integer.toString(1))
hbaseConf.addResource(new Path(System.getenv("PWD") + "/" + "core-site.xml"))
hbaseConf.addResource(new Path(System.getenv("PWD") + "/" + "hbase-site.xml"))
hbaseConf.set("hbase.rpc.controllerfactory.class", "org.apache.hadoop.hbase.ipc.RpcControllerFactory")
hbaseConf.set("hadoop.security.authentication", "kerberos")
hbaseConf.set("hbase.security.authentication", "kerberos")
hbaseConf.set("hbase.master.kerberos.principal", masterKerberosPrincipal)
hbaseConf.set("hbase.regionserver.kerberos.principal", regionServerKerberosPrincipal)
UserGroupInformation.setConfiguration(hbaseConf)
val loggedUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, localPath.toString)
loggedUGI.doAs(new PrivilegedAction[Void] {
override def run() = {
val connection = getConnection()
val table = getTable(connection, fullTableName)
try {
.... HBASE STUFF
} finally {
table.close()
connection.close()
}
null
}
})
关于java - 通过 Java 中的 Keytab 进行 Kerberos 身份验证的问题,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28375300/