Service principal name changes in Kerberos

Not sure what is happening here, as there are multiple moving parts. We have a Cloudera cluster for HDFS, Hadoop, Impala and HBase. We also have an F5 load balancer in front of all the Impala servers. We are trying to secure the servers/cluster with Kerberos. My colleague set up Kerberos using an MIT KDC. This setup works fine when we query Impala directly against a server, but not when we go through the F5 load balancer.

We have run kinit to get a ticket from a pre-created keytab file:

kinit -k -t /blah/keytabs/first.last.keytab first.last

When I run klist, it shows all of these tickets:

$ klist
Ticket cache: FILE:/tmp/krb5cc_14377
Default principal: first.last@MADEUPNAME

Valid starting     Expires            Service principal
08/23/17 11:32:02  08/24/17 11:32:02  krbtgt/MADEUPNAME@MADEUPNAME
    renew until 08/23/17 11:32:02
08/23/17 11:33:39  08/24/17 11:32:02  impala/hslave32101.company.com@MADEUPNAME
    renew until 08/23/17 11:32:02

When I run my impala-shell command, it works fine:

$ impala-shell -i hslave32101.company.com:21000 -k -q "select 1"
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Connected to hslave32101.company.com:21000
Server version: impalad version 2.7.0-cdh5.9.2 RELEASE (build 2f7871169d894fab16f8a2fb99f2e34f0df8763d)
Query: select 1
Query submitted at: 2017-08-23 13:08:34 (Coordinator: http://hslave32101.company.com:25000)
Query progress can be monitored at: http://hslave32101.company.com:25000/query_plan?query_id=4940ca8ca2f267c5:5eeb29af00000000
+---+
| 1 |
+---+
| 1 |
+---+
Fetched 1 row(s) in 0.01s

However, when I run my command through the F5 load balancer, it does not work, because the ticket it is looking for does not match the one in klist: part of it is being replaced for some reason.

$ impala-shell -i bdaudit.company.com:21000 -d bigdata -k -q "select 1"
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Error connecting: TTransportException, Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COMPANY.COM@MADEUPNAME not found in Kerberos database)
Not connected to Impala, could not execute queries.

The problem is in this line:

(Server krbtgt/COMPANY.COM@MADEUPNAME not found in Kerberos database)

Somehow, when going through the F5 VIP, it changes first.last@MADEUPNAME to COMPANY.COM@MADEUPNAME. Does anyone know why this part of the ticket is being swapped out?

I found the cause in Cloudera's instructions on how to set up Impala with F5, here and here.

Here is a snippet from the PDF:

In Cloudera Manager, navigate to the Impala service, select the Configuration pane, then search for “balancer” to
find the Impala Daemons Load Balancer parameter. The load balancer should be specified in host:port format,
where host is your virtual server’s FQDN and port. These values are used by Cloudera Manager and are also passed
to Hue

If the Impala Daemons Load Balancer parameter is specified and Kerberos is enabled, Cloudera Manager adds a
principal for 'impala/<load_balancer_host>@<realm>' to the keytab for all Impala daemons. No additional
configuration is required for Kerberos.
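A small pre-flight check, added here as an example and not part of the original post or of Cloudera's tooling: it parses `klist -kt` output for an Impala daemon keytab and verifies that the service principal a client derives from the load-balancer hostname (impala/<load_balancer_host>@<realm>) is actually present. The sample keytab listing, its path and timestamps are constructed; the hostnames and realm are the ones from the question.

```python
import re

# Constructed sample of `klist -kt` output for an Impala daemon keytab after
# Cloudera Manager has added the load-balancer principal (assumed values).
SAMPLE_KLIST_KT = """\
Keytab name: FILE:/var/run/cloudera-scm-agent/process/123-impala-IMPALAD/impala.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/23/2017 10:00:00 impala/hslave32101.company.com@MADEUPNAME
   2 08/23/2017 10:00:00 impala/bdaudit.company.com@MADEUPNAME
"""

# Matches one keytab entry line: KVNO, date, time, principal@REALM.
_ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)$")


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -kt` style output."""
    principals = set()
    for line in klist_output.splitlines():
        m = _ENTRY.match(line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_spn(connect_host, realm, service="impala"):
    """Service principal a Kerberos client requests for the host it connects to.

    The client builds it from the hostname in the connection string, so when
    connecting through the VIP this is impala/<load_balancer_host>@<realm>,
    not the principal of whichever backend daemon answers.
    """
    host = connect_host.split(":")[0].lower()
    return f"{service}/{host}@{realm}"


def check_spn(klist_output, connect_host, realm):
    """Return (expected SPN, whether it is present in the keytab listing)."""
    spn = expected_spn(connect_host, realm)
    return spn, spn in keytab_principals(klist_output)


if __name__ == "__main__":
    for host in ("hslave32101.company.com:21000", "bdaudit.company.com:21000"):
        spn, ok = check_spn(SAMPLE_KLIST_KT, host, "MADEUPNAME")
        print(f"{spn}: {'present' if ok else 'MISSING from keytab'}")
```

Run the same check against the real keytab on each daemon host; a missing VIP principal there, or in the KDC, is what makes the client-side SASL/GSSAPI step fail.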