HBase Zookeeper AUTH_FAILED - Failed to find any Kerberos tgt

Environment

Error

After configuring Zookeeper to use Kerberos and setting up the HBase jaas.conf login configuration, the following error was received

...in hbase-master.log

ERROR org.apache.zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed:
 javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
 javax.security.sasl.SaslException: GSS initiate failed 
               [Caused by GSSException: No valid credentials provided 
                (Mechanism level: Failed to find any Kerberos tgt)]) 
               occurred when evaluating Zookeeper Quorum Member's  received SASL token. 
               Zookeeper Client will go to AUTH_FAILED state.

HBase jaas.conf

 Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/security/keytabs/hbase.keytab"
    principal="hbase/@REALM.COM";
 };

hbase-env.sh

export HBASE_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"

The problem is in hbase-env.sh: HBase needs more than java.security.auth.login.config set in HBASE_OPTS.

The correct way to configure the jaas.conf for Zookeeper:

export HBASE_SERVER_JAAS_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"

If you have separate keytabs for the master and the region servers, you will need two JAAS files and must set both:

  • HBASE_SERVER_JAAS_OPTS
  • HBASE_MASTER_OPTS

If you use only one Kerberos principal for all of HBase, you only need to set HBASE_SERVER_JAAS_OPTS.
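
A way to check an hbase-env.sh for the misconfiguration described above before restarting the master. This is an added example, not part of the original post or of HBase itself; the function names (jaas_vars, check_hbase_env, client_keytab) are hypothetical, and the variable names are the ones used on this page.

```shell
#!/bin/sh
# Added example: lint hbase-env.sh / jaas.conf for the setup described above.
# Function names are hypothetical; variable names are the ones the page uses.

# Print each exported variable whose value carries the JAAS login-config flag.
# Commented-out lines are ignored because the pattern must start at "export".
jaas_vars() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)=.*-Djava\.security\.auth\.login\.config=.*/\1/p' "$1"
}

# 0: flag is in HBASE_SERVER_JAAS_OPTS or HBASE_MASTER_OPTS
# 1: flag is set, but only elsewhere (e.g. HBASE_OPTS, the failing case)
# 2: flag is not set at all
check_hbase_env() {
    vars=$(jaas_vars "$1")
    [ -n "$vars" ] || return 2
    if printf '%s\n' "$vars" | grep -qx -e HBASE_SERVER_JAAS_OPTS -e HBASE_MASTER_OPTS; then
        return 0
    fi
    return 1
}

# Print the keyTab path from the Client { ... } section of a jaas.conf,
# the section the Zookeeper client in HBase logs in with.
client_keytab() {
    awk '/^[[:space:]]*Client[[:space:]]*[{]/ { in_c = 1; next }
         in_c && /[}]/ { in_c = 0 }
         in_c && /keyTab[[:space:]]*=/ {
             sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
         }' "$1"
}

# Constructed sample: the failing hbase-env.sh from the page.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'export HBASE_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"' > "$d/hbase-env.sh"
    rc=0; check_hbase_env "$d/hbase-env.sh" || rc=$?
    echo "check_hbase_env exit code: $rc"
    rm -rf "$d"
}
demo
```

The path printed by client_keytab can be passed to `klist -kt` to confirm that the keytab exists, is readable by the HBase user, and contains the principal named in jaas.conf.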