Hadoop 使用keytab连接到安全的kerberos身份验证群集中的配置单元
我正在使用CDH 5.3.3和hive JDBC驱动程序连接到安全集群中的hive。我尝试使用keytab登录 loginuserfromkytab(lprincipal,keytabath) 我对配置单元url使用了以下格式 jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive 示例代码:Hadoop 使用keytab连接到安全的kerberos身份验证群集中的配置单元,hadoop,hive,kerberos,cloudera,yarn,Hadoop,Hive,Kerberos,Cloudera,Yarn,我正在使用CDH 5.3.3和hive JDBC驱动程序连接到安全集群中的hive。我尝试使用keytab登录 loginuserfromkytab(lprincipal,keytabath) 我对配置单元url使用了以下格式 jdbc:hive2://localhost:10000;AuthMech=1;KrbRealm=EXAMPLE.COM;KrbHostFQDN=hs2.example.com;KrbServiceName=hive 示例代码: // Authenticating Ker
// Authenticating Kerberos principal
System.out.println("Principal Authentication: ");
final String user = "cloudera@CLOUDERA.COM";
final String keyPath = "cloudera.keytab";
UserGroupInformation.loginUserFromKeytab(user, keyPath);
Connection connection = DriverManager.getConnection(url);
com.cloudera.hive.support.exceptions.GeneralException: CONN_KERBEROS_AUTHENTICATION_ERROR_GET_TICKETCACHE
javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:800)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:671)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
at sun.reflect.NativeMethodAccessorImpl.inv
DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login
DEBUG org.apache.hadoop.security.UserGroupInformation: hadoop login commit
DEBUG org.apache.hadoop.security.UserGroupInformation: using kerberos user:null
DEBUG org.apache.hadoop.security.UserGroupInformation: using local user:UnixPrincipal: user66
DEBUG org.apache.hadoop.security.UserGroupInformation: UGI loginUser:user66 (auth:KERBEROS)
DEBUG org.apache.hadoop.security.UserGroupInformation: PrivilegedAction as:user66 (auth:KERBEROS) from:org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
DEBUG org.apache.thrift.transport.TSaslTransport: opening transport org.apache.thrift.transport.TSaslClientTransport@1f20a0ab
ERROR org.apache.thrift.transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:96)
at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
DEBUG org.apache.hadoop.security.UserGroupInformation:hadoop登录
DEBUG org.apache.hadoop.security.UserGroupInformation:hadoop登录提交
DEBUG org.apache.hadoop.security.UserGroupInformation:使用kerberos用户:null
DEBUG org.apache.hadoop.security.UserGroupInformation:使用本地用户:UnixPrincipal:user66
DEBUG org.apache.hadoop.security.UserGroupInformation:UGI登录用户:user66(auth:KERBEROS)
DEBUG org.apache.hadoop.security.UserGroupInformation:PrivilegedAction as:user66(auth:KERBEROS)from:org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
调试org.apache.thrift.transport.TSaslTransport:打开transport org.apache.thrift.transport。TSaslClientTransport@1f20a0ab
错误org.apache.thrift.transport.TSaslTransport:SASL协商失败
javax.security.sasl.SaslException:GSS启动失败[由GSSException引起:未提供有效凭据(机制级别:找不到任何Kerberos tgt)]
位于com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
位于org.apache.thrift.transport.TSaslClientTransport.handlesalstartmessage(TSaslClientTransport.java:94)
位于org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
位于org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
位于org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
位于org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
位于java.security.AccessController.doPrivileged(本机方法)
位于javax.security.auth.Subject.doAs(Subject.java:415)
位于org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1548)
位于org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
位于org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:156)
位于org.apache.hive.jdbc.HiveConnection。(HiveConnection.java:96)
位于org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:104)
HTH.顺便说一句:您的URL在“主机:端口”部分后缺少a/或a/someDB。如果没有斜杠,Hive JDBC驱动程序将无法正确解析参数(除非该问题最终在您的版本中得到解决)@SamsonScharfrichter我已经编辑了url部分。请检查它是否表示可以登录loginUserFromKeytab(用户,密钥路径);但无法访问票证缓存。我怀疑这个API登录是否可以用于JDBC连接?请尝试创建一个带有“use cache:no”、“use keytab:yes”的“private”票据,并提供一个有效的keytab路径。它起作用了。顺便说一句,这甚至是让它在Windows上工作的唯一方法。看看完美的评论吧。Kerberos是黑魔法!但说实话,一旦你越过了陡峭的学习曲线,事情就会变得更容易,而这可能会从理论上回答这个问题,在这里包括答案的基本部分,并提供链接供参考。链接占主导地位的答案可能通过以下方式变得无效。
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext