0
我試圖從使用Java的本地計算機執行kerberos安全的Hadoop集羣。通過Java中的Keytab進行Kerberos身份驗證的問題
這裏就是我試圖做的事:
public static void hbase() throws IOException {
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
final Configuration hBaseConfig = HBaseConfiguration.create();
hBaseConfig.setInt("timeout", 120000);
hBaseConfig.set("hbase.zookeeper.quorum", <zookeeper_quorum_address>);
hBaseConfig.set("hbase.zookeeper.property.clientPort", "2181");
hBaseConfig.set("hadoop.security.authentication", "kerberos");
hBaseConfig.set("hbase.security.authentication", "kerberos");
hBaseConfig.set("hbase.master.kerberos.principal", <kerberos.hbase.principal>);
hBaseConfig.set("hbase.regionserver.kerberos.principal", <kerberos.hbase.principal>);
hBaseConfig.set("hbase.master.keytab.file", "hbase.keytab");
hBaseConfig.set("hbase.regionserver.keytab.file", "hbase.keytab");
UserGroupInformation.setConfiguration(hBaseConfig);
UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(<principalName>,
path_to_keytab_on_local_fs);
}
我得到的數值爲動物園管理員法定人數,HBase的主,等我從羣集管理員,所以我敢肯定,他們是正確的。我還用它來使用kinit獲取集羣
這裏上一票驗證了我的密鑰表是錯誤跟蹤:
Exception in thread "main" java.io.IOException: Login failure for <principal> from keytab <path_to_keytab_on_local_fs>
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1008)
at Kerberos.KerberosAuthentication.App.hbase(App.java:32)
at Kerberos.KerberosAuthentication.App.main(App.java:15)
Caused by: javax.security.auth.login.LoginException: null (68)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:763)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:997)
... 2 more
Caused by: KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:735)
... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 18 more
我也嘗試了另一種途徑,與SecurityUtil
UserGroupInformation
SecurityUtil.login(hBaseConfig, <keytab>, <principal name>);
SecurityUtil.doAsCurrentUser(new PrivilegedExceptionAction<Void>() {
.............
}
通過這種方法,控制檯輸出說Session Established
,但除此之外,執行只是不斷持續,沒有任何日誌/控制檯輸出,我必須強制終止它。
我真的很感謝一些見解,幫助解決這個問題。
是你能得到這個工作? – 2015-04-03 15:57:00