HBase Zookeeper AUTH_FAILED - 找不到任何 Kerberos tgt
HBase Zookeeper AUTH_FAILED - Failed to find any Kerberos tgt
环境
HBase 1.5Hadoop 2.9.2Zookeeper 3.5.6
错误
将 Zookeeper 配置为使用 Kerberos 并配置 HBase jaas.conf 登录配置后收到以下错误
...在hbase-master.log
ERROR org.apache.zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed:
javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)])
occurred when evaluating Zookeeper Quorum Member's received SASL token.
Zookeeper Client will go to AUTH_FAILED state.
HBase jaas.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=true
storeKey=true
keyTab="/etc/security/keytabs/hbase.keytab"
principal="hbase/@REALM.COM";
};
hbase-env.sh
export HBASE_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
问题在hbase-env.sh,hbase需要多于java.security.auth.login.config设置在HBASE_OPTS。
配置Zookeeper的正确方法jaas.conf:
export HBASE_SERVER_JAAS_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
如果您在 master 和 region 之间有单独的密钥表,您将需要两个 JAAS 文件并且必须同时指定两者
HBASE_SERVER_JAAS_OPTSHBASE_MASTER_OPTS
如果您只对所有 hbase 使用 1 个 kerberos 主体,则只需设置 HBASE_SERVER_JAAS_OPTS
环境
HBase 1.5Hadoop 2.9.2Zookeeper 3.5.6
错误
将 Zookeeper 配置为使用 Kerberos 并配置 HBase jaas.conf 登录配置后收到以下错误
...在hbase-master.log
ERROR org.apache.zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed:
javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided
(Mechanism level: Failed to find any Kerberos tgt)])
occurred when evaluating Zookeeper Quorum Member's received SASL token.
Zookeeper Client will go to AUTH_FAILED state.
HBase jaas.conf
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
useTicketCache=true
storeKey=true
keyTab="/etc/security/keytabs/hbase.keytab"
principal="hbase/@REALM.COM";
};
hbase-env.sh
export HBASE_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
问题在hbase-env.sh,hbase需要多于java.security.auth.login.config设置在HBASE_OPTS。
配置Zookeeper的正确方法jaas.conf:
export HBASE_SERVER_JAAS_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
如果您在 master 和 region 之间有单独的密钥表,您将需要两个 JAAS 文件并且必须同时指定两者
HBASE_SERVER_JAAS_OPTSHBASE_MASTER_OPTS
如果您只对所有 hbase 使用 1 个 kerberos 主体,则只需设置 HBASE_SERVER_JAAS_OPTS