[SUPPORT] Request: support Kerberos authentication when connecting to components such as HDFS and Hive #127
Comments
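Once Kerberos authentication is enabled on the server side, if the client does not submit the information required for Kerberos authentication, the following error is reported:
After starting Hive, port 10000 was found not to be open; checking hive.log showed the following exception:
2023-07-17T11:12:09,975 INFO [main] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=0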
2023-07-17T11:12:09,976 INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: Starting expired delegation token remover thread, tokenRemoverScanInterval=60 min(s)
2023-07-17T11:12:09,977 INFO [Thread[Thread-7,5,main]] delegation.AbstractDelegationTokenSecretManager: Updating the current master key for generating delegation tokens
2023-07-17T11:12:09,977 INFO [Thread[Thread-7,5,main]] thrift.TokenStoreDelegationTokenSecretManager: New master key with key id=1
2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364)
>>> Strange: this is clearly a call into HiveMetaStore, yet it ends up calling the Hadoop API
--->at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347)
--->at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165)
at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.util.RunJar.run(RunJar.java:234)
at org.apache.hadoop.util.RunJar.main(RunJar.java:148)
2023-07-17T11:12:09,979 ERROR [main] metastore.HiveMetaStore: Metastore Thrift Server threw an exception...
org.apache.thrift.transport.TTransportException: Kerberos principal should have 3 parts: hadoop
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createSaslServerTransportFactory(HadoopThriftAuthBridge.java:364) ~[hive-exec-2.3.7.jar:2.3.7]
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.createTransportFactory(HadoopThriftAuthBridge.java:347) ~[hive-exec-2.3.7.jar:2.3.7]
at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:7165) ~[hive-exec-2.3.7.jar:2.3.7]
at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:7076) [hive-exec-2.3.7.jar:2.3.7]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
at org.apache.hadoop.util.RunJar.run(RunJar.java:234) [hadoop-common-2.8.4.jar:?]
at org.apache.hadoop.util.RunJar.main(RunJar.java:148) [hadoop-common-2.8.4.jar:?]
2023-07-17T11:12:10,096 INFO [pool-2-thread-1] metastore.HiveMetaStore: Shutting down hive metastore.
2023-07-17T11:12:10,096 INFO [pool-2-thread-1] metastore.HiveMetaStore: SHUTDOWN_MSG:
/************************************************************
SHUTDOWN_MSG: Shutting down HiveMetaStore at baisui-test-1/192.168.28.200
Looking at the commit method in UserGroupInformation:
Add the following configuration to /opt/app/hadoop/etc/hadoop/core-site.xml:
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
</configuration>
After restarting again, the following exception appears:
Caused by: java.io.IOException: Login failure for tis/tis@EXAMPLE.COM from keytab /opt/app/hive/conf/tis.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
>>>>
Found that YarnConfiguration.NM_PRINCIPAL is used:
https://github.com/apache/hadoop/blob/c44823dadb73a3033f515329f70b2e3126fcb7be/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/main/java/org/apache/hadoop/yarn/server/nodemanager/NodeManager.java#L297C3-L300C4
protected void doSecureLogin() throws IOException {
SecurityUtil.login(getConfig(), YarnConfiguration.NM_KEYTAB,
YarnConfiguration.NM_PRINCIPAL);
}
<<<<
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1062) ~[hadoop-common-2.8.4.jar:?]
at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
... 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_191]
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_191]
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_191]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_191]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_191]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_191]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_191]
at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_191]
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1053) ~[hadoop-common-2.8.4.jar:?]
at org.apache.hive.service.auth.HiveAuthFactory.loginFromKeytab(HiveAuthFactory.java:236) ~[hive-service-2.3.7.jar:2.3.7]
at org.apache.hive.service.cli.CLIService.init(CLIService.java:89) ~[hive-service-2.3.7.jar:2.3.7]
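... 12 more
Following the keyword hint, I found this article: https://knowledge.informatica.com/s/article/521829?language=en_US
Because Hadoop is started with a non-root account, this needs to be run:
It returns:
This shows that credentials cannot be obtained from the KDC. After debugging, I found that modifying the [realms.EXAMPLE.COM] configuration in the local /etc/krb5.conf is enough.
After restarting again, the following exception appears in the Hadoop startup log:
Add the following configuration to the file /opt/app/hadoop/etc/hadoop/yarn-site.xml:
<property>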
<name>yarn.nodemanager.principal</name>
<value>tis/tis@EXAMPLE.COM</value>
</property>
<property>
<name>yarn.nodemanager.keytab</name>
<value>/opt/app/hive/conf/tis.keytab</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>tis/tis@EXAMPLE.COM</value>
</property>
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/opt/app/hive/conf/tis.keytab</value>
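</property>
The Hive metadata service fails to start:
The cause: the manually generated keytab file is owned by root; its owner should be changed to the system user of the corresponding component.
After running chown and restarting, the following problem appears:
sun.security.krb5.KrbException: Clock skew too great (37)
The specific cause is that the clocks of the two service nodes differ too much; setting the correct time with date -s"" is enough. https://blog.csdn.net/wysghmbb/article/details/122219022
The Java client reports this exception on startup. klist has already been run on the client, and the ticket is cached normally:
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)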
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
Related user: @奋斗. Scenario: oracle -> hive (3.1.1)
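
A pre-flight check for two of the failures in the report above: the "Kerberos principal should have 3 parts" error and the keytab owned by root instead of the service account. This is an added example, not part of the original issue or the project's code; the function names and the `service_uid` parameter are assumptions, and the sample keytab is a constructed temp file.

```python
import os
import re
import stat
import tempfile

# Service principal shape the log message asks for: primary/instance@REALM.
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def check_principal(principal):
    """Return problems with a principal such as the bare 'hadoop' in the log."""
    if PRINCIPAL_RE.match(principal):
        return []
    return [f"principal {principal!r} is not primary/instance@REALM (3 parts)"]


def check_keytab(path, service_uid):
    """Return problems that stop the service account from using the keytab."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"keytab {path}: {exc.strerror}"]
    problems = []
    if st.st_uid != service_uid:
        problems.append(f"keytab owned by uid {st.st_uid}, service runs as uid {service_uid}")
    if not st.st_mode & stat.S_IRUSR:
        problems.append("keytab is not readable by its owner")
    if st.st_mode & 0o077:
        # A keytab holds long-term keys; treat it like a password file.
        problems.append(f"keytab mode {stat.S_IMODE(st.st_mode):o} grants group/other access")
    return problems


def preflight(principal, keytab, service_uid):
    """Run both checks; an empty list means both checks passed."""
    return check_principal(principal) + check_keytab(keytab, service_uid)


if __name__ == "__main__":
    # Constructed sample: an empty temp file stands in for tis.keytab.
    with tempfile.NamedTemporaryFile(suffix=".keytab") as kt:
        os.chmod(kt.name, 0o644)
        for line in preflight("hadoop", kt.name, os.getuid()):
            print("FAIL:", line)
```

Run it as the account that starts the Hadoop or Hive service, passing that account's uid as `service_uid`.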