Some Kerberos basics from tinkering on a Mac

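This is my first time working with Kerberos, something many people loathe. Fortunately I had someone to ask, which saved me a lot of detours. This post is mainly about configuring Kerberos on a Mac. I hope it becomes my first blog post on big data.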

Kerberos is installed on the Mac by default; you only need to add one piece of configuration, the /etc/krb5.conf file.

Example configuration:

[libdefaults]
    default_realm = HADOOP.HZ.NETEASE.COM
    allow_weak_crypto = true
    # default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    # default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
    # permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
    HADOOP.HZ.NETEASE.COM = {
        kdc = xxx.photo.163.org
        kdc = app-xxx.photo.163.org
        kdc = app-xxx.photo.163.org
        admin_server = hadoopxxxx.photo.163.org
        kadmind_port = 779
    }
[domain_realm]
    .photo.163.org = HADOOP.HZ.163.COM
    photo.163.org = HADOOP.HZ.163.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Then run:

kinit -kt /Users/xuezhaoming/soft/hadoop/flume.keytab flume/inspur116.photo.163.org@HADOOP.HZ.NETEASE.COM
klist
kinit -R (not necessarily required)

Access from Java code:


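import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

public class HdfsSecurityDemo {
    public static void main(String[] args) throws Exception {
        // Kerberos principal and the keytab that holds its key
        String kerbConfPrincipal = "flume@xxx.com";
        String kerbKeytab = "/Users/xuezhaoming/soft/hadoop/flume.keytab";
        String proxyUserName = "flume";

        // Cluster configuration file
        String hdfsPropertities = "/Users/xuezhaoming/soft/hadoop/hadoop-site-cluster.xml";

        Configuration hadoopConf = new Configuration();
        Path conPath = new Path(hdfsPropertities);
        hadoopConf.addResource(conPath);
        // hadoopConf.set("hadoop.security.authentication", "Kerberos");
        // Log in from the keytab before creating the FileSystem
        UserGroupInformation.setConfiguration(hadoopConf);
        UserGroupInformation.loginUserFromKeytab(kerbConfPrincipal, kerbKeytab);

        FileSystem fileSystem1 = FileSystem.get(hadoopConf);

        String fileName = "hdfs://xxxx.lzo";
        Path hdfsPath = new Path(fileName);

        // Prints true if the path exists and is a regular file
        boolean file = fileSystem1.isFile(hdfsPath);
        System.out.println(file);
    }
}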

Some errors:


java.io.IOException: Login failure for hdfs from keytab /
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:891)
    at com.security.HdfsSecurityDemo.test1(HdfsSecurityDemo.java:64)
    at com.security.HdfsSecurityDemo.main(HdfsSecurityDemo.java:50)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
    at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:882)
    ... 2 more

The cause is that the user (the principal) and the keytab were not configured correctly.

Author: inter12
