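I am trying to set up a single-node Hadoop cluster in secure mode with Kerberos authentication enabled. I have created the keytab files as described in the documentation. While debugging with HADOOP_OPTS set to -Dsun.security.krb5.debug=true, I see the following error message: Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS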
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:3738, timeout=30000, number of retries =3, #bytes=171
Note that I have ../jre/lib/security/local_policy.jar and .../jre/lib/security/US_export_policy.jar on the CLASSPATH.
In addition, I have the following in kdc.conf:
[kdcdefaults]
kdc_ports = 3738
kdc_tcp_ports = 3738
[realms]
HADOOP-KERBEROS = {
kadmind_port = 3739
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
#admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
admin_keytab = /etc/krb5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
[logging]
# By default, the KDC and kadmind will log output using
# syslog. You can instead send log output to files like this:
kdc = FILE:/home/build/log/krb5kdc.log
admin_server = FILE:/home/build/log/kadmin.log
default = FILE:/home/build/log/krb5lib.log
klist -e shows the following output for the aleksg user, which I use to run the namenode with the hadoop namenode command:
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: [email protected]
Valid starting Expires Service principal
07/12/15 09:16:39 07/13/15 09:16:39 krbtgt/[email protected]
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
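So it looks like DES cbc mode with HMAC/sha1 is being used for the TGT. How can I solve this problem? I am using hadoop-2.4.0 and jdk1.7.0_25. Could this somehow be related to the permissions of the keytab file, or should I regenerate the keytab file with different encryption types enabled? Thanks!
**(A1)** The Sun/Oracle JDK is installed with "weak-key encryption" by default (because of US export policies that are now obsolete); did you download the "unlimited strength cryptography" JARs? *As long as they are in the standard directory, don't worry about CLASSPATH* **(A2)** Did you try with OpenJDK? **(B)** Some encryption algorithms may be disabled because they are considered "weak"; please check your config files against http://web.mit.edu/Kerberos/krb5-devel/doc/admin/enctypes.html
Hi Samson. Re A1. I have downloaded local_policy.jar and US_export_policy.jar and added them to the CLASSPATH. A question for the future: where is the standard directory you mentioned in your reply? Re A2. I have not tried OpenJDK. Re B. I made some changes to the configuration and was able to resolve the issue. Please see the answer I just posted to my question.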
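An added example, not part of the question or its comments: a Python sketch that parses the JDK Kerberos debug lines quoted in the question and reports which keytab key types the JDK loaded, which it rejected, and which `supported_enctypes` entries in the posted kdc.conf correspond to the rejected type. The etype names follow MIT krb5's numbering; the function names are hypothetical, and the sample inputs are copied from the question.

```python
import re

# Encryption type numbers as defined by MIT krb5 (krb5.h).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# kdc.conf accepts these shorter spellings for the names above.
ALIASES = {"des3-hmac-sha1": "des3-cbc-sha1",
           "aes128-cts": "aes128-cts-hmac-sha1-96",
           "aes256-cts": "aes256-cts-hmac-sha1-96"}

# Debug lines and supported_enctypes value copied from the question.
SAMPLE_LOG = """\
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
"""
SAMPLE_SUPPORTED = ("aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal "
                    "arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal "
                    "des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3")

def summarize_debug_log(text):
    """Return (loaded, rejected, defaults) etype numbers seen in JDK krb5 debug output."""
    loaded, rejected, defaults = set(), set(), []
    for line in text.splitlines():
        if m := re.search(r"Found unsupported keytype \((\d+)\)", line):
            rejected.add(int(m.group(1)))
        elif m := re.search(r"Added key: (\d+)version", line):
            loaded.add(int(m.group(1)))
        elif m := re.search(r"default etypes for default_tkt_enctypes: ([\d ]+)", line):
            defaults = [int(n) for n in m.group(1).split()]
    return loaded, rejected, defaults

def kdc_entries_for(supported_enctypes, etypes):
    """List supported_enctypes entries whose enctype maps to one of the given numbers."""
    names = {ETYPE_NAMES[n] for n in etypes if n in ETYPE_NAMES}
    return [e for e in supported_enctypes.split()
            if ALIASES.get(e.split(":")[0], e.split(":")[0]) in names]

if __name__ == "__main__":
    loaded, rejected, defaults = summarize_debug_log(SAMPLE_LOG)
    print("loaded:", sorted(loaded), "rejected:", sorted(rejected))
    print("defaults with no keytab key:", [n for n in defaults if n not in loaded])
    print("kdc.conf entries the JDK rejects:", kdc_entries_for(SAMPLE_SUPPORTED, rejected))
```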