After enabling security, running any Hadoop command fails.

2023-12-27

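I am trying to enable Kerberos for my CDH 4.3 (via Cloudera Manager) test bed. After changing authentication from Simple to Kerberos in the WebUI, I am unable to do any hadoop operations, as shown below. Is there any way to specify the keytab explicitly?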

[root@host-dn15 ~]# su - hdfs
-bash-4.1$ hdfs dfs -ls /
13/09/10 08:15:35 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/09/10 08:15:35 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
13/09/10 08:15:35 ERROR security.UserGroupInformation: PriviledgedActionException as:hdfs (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "host-dn15.hadoop.com/192.168.10.227"; destination host is: "host-dn15.hadoop.com":8020;
-bash-4.1$ kdestroy
-bash-4.1$ kinit
Password for [email protected]:
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]

Valid starting     Expires            Service principal
09/10/13 08:20:31  09/11/13 08:20:31  krbtgt/[email protected]
    renew until 09/10/13 08:20:31

-bash-4.1$ klist -e
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]

Valid starting     Expires            Service principal
09/10/13 08:20:31  09/11/13 08:20:31  krbtgt/[email protected]
    renew until 09/10/13 08:20:31, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
-bash-4.1$

So I took a good look at the namenode log,

2013-09-10 10:02:06,085 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)] from client 10.132.100.228. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]

The JCE policy files are already installed on all nodes.

[root@host-dn15 security]# sha256sum ./local_policy.jar
4a5c8f64107c349c662ea688563e5cd07d675255289ab25246a3a46fc4f85767  ./local_policy.jar
[root@host-dn15 security]# sha256sum ./US_export_policy.jar
b800fef6edc0f74560608cecf3775f7a91eb08d6c3417aed81a87c6371726115  ./US_export_policy.jar
[root@host-dn15 security]# sha256sum ./local_policy.jar.bak
7b26d0e16722e5d84062240489dea16acef3ea2053c6ae279933499feae541ab  ./local_policy.jar.bak
[root@host-dn15 security]# sha256sum ./US_export_policy.jar.bak
832133c52ed517df991d69770f97c416d2e9afd874cb4f233a751b23087829a3  ./US_export_policy.jar.bak
[root@host-dn15 security]#

And the list of principals in the realm.

kadmin:  listprincs
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
K/[email protected]
cloudera-scm/[email protected]
hbase/[email protected]
hbase/[email protected]
hbase/[email protected]
hdfs/[email protected]
hdfs/[email protected]
hdfs/[email protected]
[email protected]
hue/[email protected]
host-dn16/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
mapred/[email protected]
mapred/[email protected]
mapred/[email protected]
root/[email protected]
[email protected]
zookeeper/ho[email protected]
kadmin:  exit
[root@host-dn15 ~]#

I exported the keytab for hdfs and used it to kinit.

-bash-4.1$ kinit -kt ./hdfs.keytab hdfs
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_494
Default principal: [email protected]

Valid starting     Expires            Service principal
09/10/13 09:49:42  09/11/13 09:49:42  krbtgt/[email protected]
    renew until 09/10/13 09:49:42

Everything was in vain. Any ideas??

Thanks in advance,
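
The two log excerpts in the question carry different GSS mechanism-level messages, one logged by the client and one by the NameNode. The following triage script is an added example, not part of the original post: it pulls the mechanism-level message out of each line and groups the failures. The function names and hint strings are assumptions made for illustration, and the hints are general starting points, not the resolution of this thread.

```python
import re
from collections import Counter

MECH = re.compile(r"\(Mechanism level: ([^)]*)\)")
ETYPE = re.compile(r"Encryption type (.+?) is not supported/enabled")
PEER = re.compile(r"from client (\d{1,3}(?:\.\d{1,3}){3})")

# Triage hints are general assumptions, not the resolution from this thread.
HINTS = {
    "no_tgt": "JVM found no TGT in the cache it read: compare klist and KRB5CCNAME",
    "etype_unsupported": "this JVM cannot use the enctype: check the JAVA_HOME the "
                         "daemon really runs and the JCE policy jars under it",
}

# Constructed sample: first three lines shortened from the logs quoted above,
# the last one is an unrelated line added to show it is ignored.
SAMPLE = [
    "13/09/10 08:15:35 WARN ipc.Client: ... GSS initiate failed [Caused by GSSException: "
    "No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]",
    "13/09/10 08:15:35 ERROR security.UserGroupInformation: ... [Caused by GSSException: "
    "No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]",
    "2013-09-10 10:02:06,085 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 8022: "
    "... (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not "
    "supported/enabled)] from client 10.132.100.228. Count of bytes read: 0",
    "2013-09-10 10:02:07,000 INFO org.apache.hadoop.ipc.Server: IPC Server Responder: starting",
]

def classify(line):
    """Return (category, detail, peer) for a GSS failure line, else None."""
    m = MECH.search(line)
    if not m:
        return None
    msg = m.group(1)
    peer = PEER.search(line)
    peer = peer.group(1) if peer else None  # only server-side lines name a client
    if "Failed to find any Kerberos tgt" in msg:
        return ("no_tgt", None, peer)
    etype = ETYPE.search(msg)
    if etype:
        return ("etype_unsupported", etype.group(1), peer)
    return ("other", msg, peer)

def triage(lines):
    """Group identical failures and attach a hint, most frequent first."""
    counts = Counter(c for c in map(classify, lines) if c)
    return [{"category": cat, "detail": det, "peer": peer, "count": n,
             "hint": HINTS.get(cat, "unclassified mechanism-level message")}
            for (cat, det, peer), n in counts.most_common()]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
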


I ran into a problem in which I had a Kerberized CDH cluster and, even with a valid Kerberos ticket, I couldn't run any hadoop commands from the command line.

NOTE: After writing this answer, I wrote it up as a blog post: http://sarastreeter.com/2016/09/26/resolving-hadoop-problems-on-kerberized-cdh-5-x/. Please share!
