PCF Spring Boot webhdfs Kerberos Authentication: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
We are trying to connect to a webhdfs URL from a microservice using the example given here:
https://www.ibm.com/support/knowledgecenter/en/SSPT3X_3.0.0/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/kerberos_httpfs.html
I have created the conf file for it and saved it in the resources location:
[libdefaults]
allow_weak_crypto = true
default_realm = CLOUD.CORP.XXXXXX.XXX
# kdc will be obtained through DNS SRV
dns_lookup_kdc = true
dns_lookup_realm = true
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts
default_etypes = aes256-cts aes128-cts
default_tgs_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
ticket_lifetime = 24h
rdns = true
[realms]
CLOUD.CORP.XXXXXX.XXX = {
kdc = abc-dv-def0.cloud.corp.XXXXXX.XXX:88
master_kdc = abc-dv-def0.cloud.corp.XXXXXX.XXX:88
}
[domain_realm]
.cloud.corp.XXXXXX.XXX = CLOUD.CORP.XXXXXX.XXX
cloud.corp.XXXXXX.XXX = CLOUD.CORP.XXXXXX.XXX
abc-dv-def0.cloud.corp.XXXXXX.XXX = CLOUD.CORP.XXXXXX.XXX
The Java snippet is as follows:
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;

// principal and keytabUrl come from the service configuration (e.g. "xxx-xxxxx@CLOUD.CORP.XXXXXX.XXX" and the keytab path);
// loginUserFromKeytabAndReturnUGI throws IOException, so the enclosing method declares it
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "kerberos");
conf.set("hadoop.home.dir", "/");
UserGroupInformation.setConfiguration(conf);
System.out.println("--------------loginWithKeytab--------");
UserGroupInformation loginUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabUrl);
UserGroupInformation.setLoginUser(loginUser);
String user = UserGroupInformation.getCurrentUser().getUserName();
System.out.println("Starting the connection for User:::" + user);
try {
    System.out.println("Starting the connection::" + UserGroupInformation.getLoginUser());
    // The service ticket requested will be HTTP/<this host>@REALM, so this host name must be covered by the HttpFS keytab
    final URL url = new URL("http://lb-abcdef-dv-abc.cloud.corp.xxxxxxx.xxx:14000/webhdfs/v1/user/xxx-xxxxx/xxxxx/data.txt?op=OPEN");
    // SPNEGO negotiation has to run as the logged-in Kerberos subject, hence doAs
    HttpURLConnection connection = UserGroupInformation.getLoginUser()
            .doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
                public HttpURLConnection run() throws Exception {
                    AuthenticatedURL.Token token = new AuthenticatedURL.Token();
                    return new AuthenticatedURL().openConnection(url, token);
                }
            });
    connection.setRequestMethod("POST"); // note: in the WebHDFS REST API, op=OPEN is a GET operation
    connection.setDoInput(true);
    connection.setDoOutput(true);
    System.out.println("Connection Established:::" + connection.getResponseCode());
    System.out.println("Connection Established:::" + connection.getResponseMessage());
    try (InputStream in = connection.getInputStream()) {
        StringBuilder body = new StringBuilder();
        int ch;
        while ((ch = in.read()) != -1) {
            body.append((char) ch);
        }
        System.out.println("File received...");
        System.out.println(body);
    }
} catch (IOException | InterruptedException e) { // doAs throws both; the connection calls throw IOException
    e.printStackTrace();
}
I have created my own buildpack to deploy to PCF and added local_policy.jar for unlimited strength (JCE) so that it gets overwritten when unpacked in PCF: https://github.com/sivacham/java-buildpack
But I keep getting the same error:
2018-08-13T12:32:27.660+05:30 [APP/PROC/WEB/0] [OUT] Starting the connection for User:::xxx-xxxxx@CLOUD.CORP.XXXXXX.XXX : **After the Auth , I print the Current user Using UserGroupInformation**
2018-08-13T12:32:27.660+05:30 [APP/PROC/WEB/0] [OUT] Starting the connection::xxx-xxxxx@CLOUD.CORP.XXXXXX.XXX (auth:KERBEROS) : **After the Auth , I print the Current user Using UserGroupInformation**
2018-08-13T12:32:27.745+05:30 [APP/PROC/WEB/0] [OUT] Found ticket for xxx-xxxxx@CLOUD.CORP.XXXXXX.XXX to go to krbtgt/CLOUD.CORP.XXXXXX.XXX@CLOUD.CORP.XXXXXX.XXX expiring on Tue Aug 14 07:02:27 UTC 2018 : Ticket is created with 1 day expiry
2018-08-13T12:32:27.746+05:30 [APP/PROC/WEB/0] [OUT] Entered Krb5Context.initSecContext with state=STATE_NEW
2018-08-13T12:32:27.747+05:30 [APP/PROC/WEB/0] [OUT] Service ticket not found in the subject : **Does this mean that the Ticket is not passed to the URL ?**
2018-08-13T12:32:27.747+05:30 [APP/PROC/WEB/0] [OUT] >>> Credentials acquireServiceCreds: same realm
2018-08-13T12:32:27.747+05:30 [APP/PROC/WEB/0] [OUT] default etypes for default_tgs_enctypes: 18 17.
2018-08-13T12:32:27.748+05:30 [APP/PROC/WEB/0] [OUT] >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
2018-08-13T12:32:27.749+05:30 [APP/PROC/WEB/0] [OUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2018-08-13T12:32:27.750+05:30 [APP/PROC/WEB/0] [OUT] >>> KrbKdcReq send: kdc=dhb2b-dv-kdsc0.cloud.corp.XXXXXX.XXX UDP:88, timeout=30000, number of retries =3, #bytes=735
2018-08-13T12:32:27.750+05:30 [APP/PROC/WEB/0] [OUT] >>> KDCXXXmunication: kdc=dhb2b-dv-kdsc0.cloud.corp.XXXXXX.XXX UDP:88, timeout=30000,Attempt =1, #bytes=735
2018-08-13T12:32:27.770+05:30 [APP/PROC/WEB/0] [OUT] >>> KrbKdcReq send: #bytes read=231
2018-08-13T12:32:27.770+05:30 [APP/PROC/WEB/0] [OUT] >>> KdcAccessibility: remove dhb2b-dv-kdsc0.cloud.corp.XXXXXX.XXX:88
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] >>> KDCRep: init() encoding tag is 126 req type is 13
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] >>>KRBError:
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] cTime is Tue Jan 15 14:05:46 UTC 1985 474645946000
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] sTime is Mon Aug 13 07:02:27 UTC 2018 1534143747000
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] suSec is 764299
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] error code is 14
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] error Message is KDC has no support for encryption type
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] cname is xxx-xxxxx@CLOUD.CORP.XXXXXX.XXX
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] sname is HTTP/lb-abcdef-dv-abc.cloud.corp.XXXXXX.XXX@CLOUD.CORP.XXXXXX.XXX
2018-08-13T12:32:27.771+05:30 [APP/PROC/WEB/0] [OUT] msgType is 30
2018-08-13T12:32:27.772+05:30 [APP/PROC/WEB/0] [ERR] KrbException: KDC has no support for encryption type (14) - BAD_ENCRYPTION_TYPE
I also tried adding rc4-hmac, but I still get the same error. Any help is greatly appreciated.
Finally found that the problem was with the keytab.
We had the keytab pointing to a node in the cluster, but the request was going to the load balancer and failing there (observed from the KDC logs). After adding the load balancer details to the keytab on their end, it worked fine and I was able to get a 201.
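A diagnostic an operator could run to cross-check the three things this thread turns on: the host in the URL the client calls, the service principal the client actually requested (the sname in the JDK's KRBError dump), and the entries in the HttpFS service keytab. This is an added example, not code from the question or the answer; the hostnames, realm, keytab listing and log lines are constructed, and the enctype name-to-number mapping is the standard Kerberos one.

```python
import re
from urllib.parse import urlparse

# Enctype numbers (RFC 3961/3962/4757) for the names krb5.conf accepts; 18 and 17 are what the log shows offered.
ETYPE_IDS = {"aes256-cts": 18, "aes256-cts-hmac-sha1-96": 18, "aes128-cts": 17, "aes128-cts-hmac-sha1-96": 17,
             "rc4-hmac": 23, "arcfour-hmac": 23, "des3-cbc-sha1": 16, "des-cbc-md5": 3, "des-cbc-crc": 1}

def client_tgs_etypes(krb5_conf):
    """Enctype IDs the client offers in its TGS-REQ: default_tgs_enctypes, else permitted_enctypes."""
    for key in ("default_tgs_enctypes", "permitted_enctypes"):
        m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", krb5_conf, re.M)
        if m:
            return {ETYPE_IDS[n] for n in m.group(1).split() if n in ETYPE_IDS}
    return set()

def parse_krb_error(log):
    """Error code and requested service principal from the JDK's sun.security.krb5.debug KRBError dump."""
    code, sname = re.search(r"error code is (\d+)", log), re.search(r"sname is (\S+)", log)
    return (int(code.group(1)) if code else None, sname.group(1) if sname else None)

def keytab_etypes(klist_output, principal):
    """Enctype IDs the service keytab holds for `principal`, read from `klist -kte` style lines."""
    ids = set()
    for line in klist_output.splitlines():
        m = re.search(r"(\S+)\s+\((\S+)\)\s*$", line)
        if m and m.group(1) == principal and m.group(2) in ETYPE_IDS:
            ids.add(ETYPE_IDS[m.group(2)])
    return ids

def diagnose(url, realm, krb5_conf, klist_output, log):
    """Return (KDC error code, findings) for a TGS failure against the host the client actually calls."""
    expected = f"HTTP/{urlparse(url).hostname}@{realm}"
    code, sname = parse_krb_error(log)
    findings = []
    if sname and sname != expected:
        findings.append(f"client asked the KDC for {sname} but the URL implies {expected}")
    wanted, have = client_tgs_etypes(krb5_conf), keytab_etypes(klist_output, expected)
    if not have:
        findings.append(f"service keytab has no entry for {expected}: the requested host name is not covered")
    elif not wanted & have:
        findings.append(f"no common enctype: client offers {sorted(wanted)}, keytab holds {sorted(have)}")
    return code, findings

# Constructed sample input mirroring the thread: the keytab names the cluster node, clients hit the load balancer.
KRB5 = "[libdefaults]\n default_tgs_enctypes = aes256-cts aes128-cts\n"
KLIST = "   2 08/10/2018 HTTP/abc-dv-def0.cloud.corp.example.com@CLOUD.CORP.EXAMPLE.COM (aes256-cts-hmac-sha1-96)\n"
LOG = ("error code is 14\nerror Message is KDC has no support for encryption type\n"
       "sname is HTTP/lb-abcdef-dv-abc.cloud.corp.example.com@CLOUD.CORP.EXAMPLE.COM\n")
URL = "http://lb-abcdef-dv-abc.cloud.corp.example.com:14000/webhdfs/v1/user/svc/data.txt?op=OPEN"
```

Calling `diagnose(URL, "CLOUD.CORP.EXAMPLE.COM", KRB5, KLIST, LOG)` on the sample reports the missing load balancer entry; adding an `HTTP/lb-...` line with an AES key to the listing clears it, while adding it with only an RC4 key turns the finding into an enctype mismatch.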