无法停止 Kerberos 调试日志记录
Unable to stop Kerberos debug logging
我正在为 运行 我们的 Spark 应用程序使用支持 Kerberos 的 Spark 集群。 Kerberos 之前已由该组织的其他成员设置,我不知道它是如何工作的。在最初几天,我们使用 Kerberos 调试日志来了解异常 "Unable to obtain password from user",这是由于 jre 安全的 cacerts 文件夹中缺少 JCE 证书而引发的。但是,我们不再需要日志,因此使用 -Dsun.security.krb5.debug=false 参数来禁用日志记录。但是,这没有任何效果。还有其他参数可以解决问题吗?请帮助我。
摘自 GitBook "Hadoop and Kerberos: The Madness Beyond the Gate",作者 Steve Loughran,第 Low-Level Secrets
JVM Library logging
You can turn Kerberos low-level logging on
-Dsun.security.krb5.debug=true
This doesn't come out via Log4J, or java.util logging; it just comes
out on the console. Which is somewhat inconvenient —but bear in mind
they are logging at a very low level part of the system. And it does
at least log. If you find yourself down at this level you are in
trouble. Bear that in mind.
If you want to debug what is happening in SPNEGO, another system
property lets you enable this:
-Dsun.security.spnego.debug=true
You can ask for both of these in the HADOOP_OPTS environment variable
export HADOOP_OPTS="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true"
Hadoop-side JAAS debugging
Set the env variable HADOOP_JAAS_DEBUG to true and UGI will set the
"debug" flag on any JAAS files it creates.
You can do this on the client, before issuing a hadoop, hdfs or yarn
command, and set it in the environment script of a YARN service to
turn it on there.
export HADOOP_JAAS_DEBUG=true
On the next Hadoop command, you'll see a trace like (.........)
警告:以 sun.security. 开头的 Java 属性适用于 Sun/Oracle Java 运行-time,也适用于 OpenJDK 运行-时间及其变体。但不是 IBM Java,等等
摘自 Java 8 文档 Troubleshooting Security
If you want to monitor security access, you can set the
java.security.debug System property.
(.......) Separate multiple options with a comma.
在专门对 Kerberos 进行故障排除时,我个人使用该组合:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
摘自 Oracle JDK 9 Release Notes 部分 tools/launcher
JDK 9 supports a new environment variable JDK_JAVA_OPTIONS to
prepend options to those specified on the command line. The new
environment variable has several advantages over the
legacy/unsupported _JAVA_OPTIONS environment variable including the
ability to include java launcher options (...)
这两个 env 变量是一种非常肮脏(并且完全难以检测)的方式来注入 Java 系统属性,而它们不会出现在命令行上。
这对你意味着什么?好吧,你必须搜索多个 Java 系统道具和环境变量,这可能会被设置
- 对于 env 变量:全局(cf.
/etc/profile.d/*.sh),或在帐户级别(cf. ~/.bashrc 和朋友),或在 Hadoop 内部 "include files",或直接在 shell 脚本,运行 是您的 Spark 作业
- for system props: 在任何 shell-or-env 变量中,后来在 shell 脚本中开发 (...) 或任何由 Java 获取的环境变量在启动时,或在 YARN 配置文件 (使用 Spark-on-YARN 时),或直接在 Java 命令行
祝你好运。
我个人会 运行 一个虚拟的 Spark 作业,它只转储所有环境变量和 Java 系统道具;然后检查转储以检测要搜索的内容;然后 运行 在 Linux 文件系统上 find ... -exec grep ... (根据需要重复).
我正在为 运行 我们的 Spark 应用程序使用支持 Kerberos 的 Spark 集群。 Kerberos 之前已由该组织的其他成员设置,我不知道它是如何工作的。在最初几天,我们使用 Kerberos 调试日志来了解异常 "Unable to obtain password from user",这是由于 jre 安全的 cacerts 文件夹中缺少 JCE 证书而引发的。但是,我们不再需要日志,因此使用 -Dsun.security.krb5.debug=false 参数来禁用日志记录。但是,这没有任何效果。还有其他参数可以解决问题吗?请帮助我。
摘自 GitBook "Hadoop and Kerberos: The Madness Beyond the Gate",作者 Steve Loughran,第 Low-Level Secrets
JVM Library logging
You can turn Kerberos low-level logging on
-Dsun.security.krb5.debug=trueThis doesn't come out via Log4J, or java.util logging; it just comes out on the console. Which is somewhat inconvenient —but bear in mind they are logging at a very low level part of the system. And it does at least log. If you find yourself down at this level you are in trouble. Bear that in mind.
If you want to debug what is happening in SPNEGO, another system property lets you enable this:
-Dsun.security.spnego.debug=trueYou can ask for both of these in the
HADOOP_OPTSenvironment variable
export HADOOP_OPTS="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true"Hadoop-side JAAS debugging
Set the env variable
HADOOP_JAAS_DEBUGto true and UGI will set the "debug" flag on any JAAS files it creates.You can do this on the client, before issuing a hadoop, hdfs or yarn command, and set it in the environment script of a YARN service to turn it on there.
export HADOOP_JAAS_DEBUG=trueOn the next Hadoop command, you'll see a trace like (.........)
警告:以 sun.security. 开头的 Java 属性适用于 Sun/Oracle Java 运行-time,也适用于 OpenJDK 运行-时间及其变体。但不是 IBM Java,等等
摘自 Java 8 文档 Troubleshooting Security
If you want to monitor security access, you can set the
java.security.debugSystem property.
(.......) Separate multiple options with a comma.
在专门对 Kerberos 进行故障排除时,我个人使用该组合:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
摘自 Oracle JDK 9 Release Notes 部分 tools/launcher
JDK 9 supports a new environment variable
JDK_JAVA_OPTIONSto prepend options to those specified on the command line. The new environment variable has several advantages over the legacy/unsupported_JAVA_OPTIONSenvironment variable including the ability to include java launcher options (...)
这两个 env 变量是一种非常肮脏(并且完全难以检测)的方式来注入 Java 系统属性,而它们不会出现在命令行上。
这对你意味着什么?好吧,你必须搜索多个 Java 系统道具和环境变量,这可能会被设置
- 对于 env 变量:全局(cf.
/etc/profile.d/*.sh),或在帐户级别(cf.~/.bashrc和朋友),或在 Hadoop 内部 "include files",或直接在 shell 脚本,运行 是您的 Spark 作业 - for system props: 在任何 shell-or-env 变量中,后来在 shell 脚本中开发 (...) 或任何由 Java 获取的环境变量在启动时,或在 YARN 配置文件 (使用 Spark-on-YARN 时),或直接在 Java 命令行
祝你好运。
我个人会 运行 一个虚拟的 Spark 作业,它只转储所有环境变量和 Java 系统道具;然后检查转储以检测要搜索的内容;然后 运行 在 Linux 文件系统上 find ... -exec grep ... (根据需要重复).