kerberos安裝詳見:https://www.cnblogs.com/barneywill/p/10394164.html
一 為CM創建用戶
# kadmin.local -q "addprinc scm/admin"
名字和密碼任意,后續配置中會使用
二 CM配置過程
1 啟用Kerberos
2 全部選中
3 按照/etc/krb5.conf填寫
4
5 填寫剛才創建的用戶名密碼
6 下一步
7 下一步
8
可以查看cm創建的用戶
# kadmin.local -q 'listprincs'
三 可能的問題
如果安裝過程中有問題,有些組件可能會啟動失敗,
1)impala
statestored啟動報錯
SASL message (Kerberos (internal)): Couldn't find mech GSSAPI
或者catalogd和impalad啟動報錯
I0219 00:31:16.314851 857 statestore-subscriber.cc:238] statestore registration unsuccessful: Couldn't open transport for $server2.bj:24000 (No more data to read.)
F0219 00:31:16.314926 857 catalogd-main.cc:88] Couldn't open transport for $server2.bj:24000 (No more data to read.)
. Impalad exiting.
檢查如下library是否安裝
# yum install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi
2)hue
hue實例 Kerberos Ticket Renewer 啟動失敗
INFO kt_renewer
Renewing kerberos ticket to work around kerberos 1.8.1: /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/$server1@ANYTHING.COM' is still renewable:
$ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/$server1@ANYTHING.COM' and `krbtgt' principals.
[19/Feb/2019 07:32:04 ] settings INFO Welcome to Hue 3.9.0
重現問題
# klist -f -c /var/run/hue/hue_krb5_ccache
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/$server1@ANYTHING.COMValid starting Expires Service principal
02/19/2019 10:06:50 02/20/2019 10:06:50 krbtgt/ANYTHING.COM@ANYTHING.COM
Flags: FI
# /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
kinit: KDC can't fulfill requested option while renewing credentials
檢查:
1)檢查配置文件
# vi /etc/krb5.conf
ticket_lifetime = 24h
renew_lifetime = 7d
# vi /var/kerberos/krb5kdc/kdc.conf
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable
2)檢查krbtgt用戶的Maximum renewable life
# kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM'
Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Feb 18 22:02:42 CST 2019 (db_creation@ANYTHING.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes: LOCKDOWN_KEYS
Policy: [none]
重點是
Maximum renewable life: 0 days 00:00:00
修改krbtgt的maxrenewlife
# kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/ANYTHING.COM'
如果有必要,修改其他用戶的maxrenewlife
# kadmin.local -q 'modprinc -maxrenewlife "7d" +allow_renewable $user/$host@ANYTHING.COM'
刪除cache
# /bin/rm /var/run/hue/hue_krb5_ccache
重啟Kerberos Ticket Renewer
3)
Activity Monitor 報錯
ERROR Main
Failed to start Firehose
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.io.IOException: Login failure for hue/$server1@ANYTHING.COM from keytab cmon.keytab
...
Caused by: KrbException: no supported default etypes for default_tkt_enctypes
查找default_tkt_enctypes
# vi /etc/krb5.conf
default_tkt_enctypes = aes256-cts
查找cmon.keytab
# find /opt -name cmon.keytab
/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
查看keytab中的principal
# klist -k /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
Keytab name: FILE:/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 hue/$server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (des3-cbc-sha1)
2 hue/$server1@ANYTHING.COM (arcfour-hmac)
2 hue/$server1@ANYTHING.COM (camellia256-cts-cmac)
2 hue/$server1@ANYTHING.COM (camellia128-cts-cmac)
2 hue/$server1@ANYTHING.COM (des-hmac-sha1)
2 hue/$server1@ANYTHING.COM (des-cbc-md5)
發現確實沒有 aes256-cts,修改
# vi /etc/krb5.conf
default_tgs_enctypes = aes256-cts des3-cbc-sha1
default_tkt_enctypes = aes256-cts des3-cbc-sha1
permitted_enctypes = aes256-cts des3-cbc-sha1
重啟Activity Monitor
4)如果遇到
[javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
請見:https://www.cnblogs.com/barneywill/p/10540008.html