我正在尝试使用以下代码连接到Kerberized hdfs集群,使用相同的代码,我可以使用HBaseConfiguration访问hbase ofcourse,
Configuration config = new Configuration();
config.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(config);
UserGroupInformation ugi = null;
ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("me@EXAMPLE>COM","me.keytab");
model = ugi.doAs((PrivilegedExceptionAction<Map<String,Object>>) () -> {
testHadoop(hcb.gethDFSConfigBean());
return null;
});
我已经能够使用相同的keytab和principal成功访问Solr,Impala,我得到这个奇怪的未找到hdfs的服务名称 .
请看下面的堆栈跟踪
java.io.IOException: Failed on local exception: java.io.IOException: java.lang.IllegalArgumentException: Failed to specify server's Kerberos principal name; Host Details : local host is: "Securonix-int3.local/10.0.4.36"; destination host is: "sobd189.securonix.com":8020;
at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:772)
at org.apache.hadoop.ipc.Client.call(Client.java:1472)
at org.apache.hadoop.ipc.Client.call(Client.java:1399)
at org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:232)
at com.sun.proxy.$Proxy9.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:752)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.hadoop.io.retry.RetryInvocationHandler.invokeMethod(RetryInvocationHandler.java:187)
at org.apache.hadoop.io.retry.RetryInvocationHandler.invoke(RetryInvocationHandler.java:102)
at com.sun.proxy.$Proxy10.getFileInfo(Unknown Source)
at org.apache.hadoop.hdfs.DFSClient.getFileInfo(DFSClient.java:1988)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:1118)
at org.apache.hadoop.hdfs.DistributedFileSystem$18.doCall(DistributedFileSystem.java:1114)
at org.apache.hadoop.fs.FileSystemLinkResolver.resolve(FileSystemLinkResolver.java:81)
at org.apache.hadoop.hdfs.DistributedFileSystem.getFileStatus(DistributedFileSystem.java:1114)
at org.apache.hadoop.fs.FileSystem.exists(FileSystem.java:1400)
at com.securonix.application.ui.uiUtil.SnyperUIUtil.lambda$main$4(SnyperUIUtil.java:1226)
at com.securonix.application.ui.uiUtil.SnyperUIUtil$$Lambda$6/1620890840.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at com.securonix.application.ui.uiUtil.SnyperUIUtil.main(SnyperUIUtil.java:1216)
Caused by: java.io.IOException: java.lang.IllegalArgumentException: Failed to specify server's Kerberos principal name
at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:643)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:730)
at org.apache.hadoop.ipc.Client$Connection.access$2800(Client.java:368)
at org.apache.hadoop.ipc.Client.getConnection(Client.java:1521)
at org.apache.hadoop.ipc.Client.call(Client.java:1438)
... 23 more
Caused by: java.lang.IllegalArgumentException: Failed to specify server's Kerberos principal name
at org.apache.hadoop.security.SaslRpcClient.getServerPrincipal(SaslRpcClient.java:322)
at org.apache.hadoop.security.SaslRpcClient.createSaslClient(SaslRpcClient.java:231)
at org.apache.hadoop.security.SaslRpcClient.selectSaslClient(SaslRpcClient.java:159)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:396)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:553)
at org.apache.hadoop.ipc.Client$Connection.access$1800(Client.java:368)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:722)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:718)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:717)
在我启用Kerberos的调试代码后,当我调用FileSystem.get()时,我得到了以下调试日志; Kerberor调试日志:
Java配置名称:null Java配置名称:null本机配置名称:/etc/krb5.conf本机配置名称:/etc/krb5.conf从本机配置加载从本机配置加载16/02/22 15:53:14 WARN util .NativeCodeLoader:无法为您的平台加载native-hadoop库...使用适用的builtin-java类
Java配置名称:null Java配置名称:null本机配置名称:/etc/krb5.conf本机配置名称:/etc/krb5.conf从本机配置加载从本机配置加载
KdcAccessibility:reset >>> KdcAccessibility:reset KdcAccessibility:reset >>> KdcAccessibility:reset KeyTabInputStream,readName():EXAMPLE.COM >>> KeyTabInputStream,readName():EXAMPLE.COM KeyTabInputStream,readName():securonix >>> KeyTabInputStream,readName():securonix KeyTab:load()条目长度:55; type:23 >>> KeyTab:load()条目长度:55; type:23 KeyTabInputStream,readName():EXAMPLE.COM >>> KeyTabInputStream,readName():EXAMPLE.COM KeyTabInputStream,readName():securonix >>> KeyTabInputStream,readName():securonix KeyTab:load()entry length:71 ;类型:18 >>> KeyTab:load()条目长度:71;类型:18寻找钥匙:securonix@EXAMPLE.COM寻找钥匙:securonix@EXAMPLE.COM增加钥匙:18版:1增加钥匙:18版:1增加钥匙:23版:1增加钥匙:23版:1寻找钥匙for:securonix@EXAMPLE.COM寻找关键:securonix@EXAMPLE.COM增加密钥:18版本:1增加密钥:18版本:1添加密钥:23版本:1添加密钥:23版本:默认etypes为default_tkt_enctypes:18 18 16 . default_tkt_enctypes的默认etypes:18 18 16. KrbAsReq创建消息>>> KrbAsReq创建消息KrbKdcReq send:kdc = sobd189.securonix.com TCP:88,timeout = 30000,重试次数= 3,#bytes = 139 >>> KrbKdcReq send:kdc = sobd189.securonix.com TCP:88,timeout = 30000,重试次数= 3,#bytes = 139 KDCCommunication:kdc = sobd189.securonix.com TCP:88,timeout = 30000,Attempt = 1,#byte = 139 >>> KDCCommunication:kdc = sobd189.securonix.com TCP:88,timeout = 30000,Attempt = 1,#bytes = 139 DEBUG:TCPClient读取639字节>>> DEBUG:TCPClient读取639字节KrbKdcReq发送:#bytes read = 639 >>> KrbKdcReq发送:#bytes read = 639 KdcAccessibility:remove sobd189.securonix.com >>> KdcAccessibility:remove sobd189.securonix.com寻找关键字:securonix@EXAMPLE.COM寻找钥匙for:securonix@EXAMPLE.COM添加密钥:18version:1添加密钥:18version:1添加密钥:23version:1添加密钥:23version:1 EType:sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType >>> EType:sun KrbAsReq.getReply securonix中的.security.krb5.internal.crypto.Aes256CtsHmacSha1EType KrbAsRep缺点
有趣的是当我使用像hdfs.exists()这样的文件系统的api
>>>KinitOptions cache name is /tmp/krb5cc_501
>> Acquire default native Credentials
default etypes for default_tkt_enctypes: 18 18 16.
>>> Found no TGT's in LSA
2 回答
我认为问题在于HDFS希望Configuration具有dfs.datanode.kerberos.principal的值,这是datanode的主体,在这种情况下它是缺失的 .
当我从core-site.xml创建一个Configuration实例并忘记添加hdfs-site.xml时,我遇到了同样的问题 . 一旦我添加了hdfs-site.xml它就开始工作了,hdfs-site.xml有了:
希望这可以帮助 .
我对Spark2和HDP3.1也有同样的问题,使用Isilon / OneFS作为存储而不是HDFS .
OneFS服务管理包不提供Spark2预期的某些HDFS参数的配置(它们在Ambari中根本不可用),例如dfs.datanode.kerberos.principal . 如果没有这些参数,Spark2 HistoryServer可能无法启动并报告错误,例如“无法指定服务器的主体名称” .
我在Custom hdfs-site下向OneFS添加了以下属性:
这解决了初始错误 . 此后我收到以下形式的错误:
这与跨领域身份验证有关 . 通过将以下设置添加到自定义hdfs-site解决: