kerberos安装详见:https://www.cnblogs.com/barneywill/p/10394164.html

一 为CM创建用户

# kadmin.local -q "addprinc scm/admin"

名字和密码任意,后续配置中会使用

二 CM配置过程

1 启用Kerberos

2 全部选中

3 按照/etc/krb5.conf填写

4

5 填写刚才创建的用户名密码

6 下一步

7 下一步

8

可以查看cm创建的用户

# kadmin.local -q 'listprincs'

三 可能的问题

如果安装过程中有问题,有些组件可能会启动失败,

1)impala

statestored启动报错

SASL message (Kerberos (internal)): Couldn't find mech GSSAPI

或者catalogd和impalad启动报错

I0219 00:31:16.314851 857 statestore-subscriber.cc:238] statestore registration unsuccessful: Couldn't open transport for $server2.bj:24000 (No more data to read.)
F0219 00:31:16.314926 857 catalogd-main.cc:88] Couldn't open transport for $server2.bj:24000 (No more data to read.)
. Impalad exiting.

检查如下library是否安装

# yum install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi

2)hue

hue实例 Kerberos Ticket Renewer 启动失败

INFO kt_renewer
Renewing kerberos ticket to work around kerberos 1.8.1: /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/$server1@ANYTHING.COM' is still renewable:
$ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/$server1@ANYTHING.COM' and `krbtgt' principals.
[19/Feb/2019 07:32:04 ] settings INFO Welcome to Hue 3.9.0

重现问题

# klist -f -c /var/run/hue/hue_krb5_ccache
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/$server1@ANYTHING.COM

Valid starting Expires Service principal
02/19/2019 10:06:50 02/20/2019 10:06:50 krbtgt/ANYTHING.COM@ANYTHING.COM
Flags: FI
# /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
kinit: KDC can't fulfill requested option while renewing credentials

检查:

1)检查配置文件

# vi /etc/krb5.conf
ticket_lifetime = 24h
renew_lifetime = 7d
# vi /var/kerberos/krb5kdc/kdc.conf
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable

2)检查krbtgt用户的Maximum renewable life

# kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM'
Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Feb 18 22:02:42 CST 2019 (db_creation@ANYTHING.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes: LOCKDOWN_KEYS
Policy: [none]

重点是

Maximum renewable life: 0 days 00:00:00

修改krbtgt的maxrenewlife

# kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/ANYTHING.COM'

如果有必要,修改其他用户的maxrenewlife

# kadmin.local -q 'modprinc -maxrenewlife "7d" +allow_renewable $user/$host@ANYTHING.COM'

删除cache

# /bin/rm /var/run/hue/hue_krb5_ccache

重启Kerberos Ticket Renewer

3)

Activity Monitor 报错

ERROR Main
Failed to start Firehose
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.io.IOException: Login failure for hue/$server1@ANYTHING.COM from keytab cmon.keytab
...
Caused by: KrbException: no supported default etypes for default_tkt_enctypes

查找default_tkt_enctypes

# vi /etc/krb5.conf
default_tkt_enctypes = aes256-cts

查找cmon.keytab

# find /opt -name cmon.keytab
/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab

查看keytab中的principal

# klist -k /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
Keytab name: FILE:/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 hue/$server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (des3-cbc-sha1)
2 hue/$server1@ANYTHING.COM (arcfour-hmac)
2 hue/$server1@ANYTHING.COM (camellia256-cts-cmac)
2 hue/$server1@ANYTHING.COM (camellia128-cts-cmac)
2 hue/$server1@ANYTHING.COM (des-hmac-sha1)
2 hue/$server1@ANYTHING.COM (des-cbc-md5)

发现确实没有 aes256-cts,修改

# vi /etc/krb5.conf

default_tgs_enctypes = aes256-cts des3-cbc-sha1
default_tkt_enctypes = aes256-cts des3-cbc-sha1
permitted_enctypes = aes256-cts des3-cbc-sha1

重启Activity Monitor

4)如果遇到

[javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]

请见:https://www.cnblogs.com/barneywill/p/10540008.html

【原创】大叔经验分享(30)CM开启kerberos的更多相关文章

  1. 【原创】经验分享:一个小小emoji尽然牵扯出来这么多东西?

    前言 之前也分享过很多工作中踩坑的经验: 一个线上问题的思考:Eureka注册中心集群如何实现客户端请求负载及故障转移? [原创]经验分享:一个Content-Length引发的血案(almost.. ...

  2. 【原创】大叔经验分享(41)hdfs开启kerberos之后报错Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled

    hdfs开启kerberos之后,namenode报错,连不上journalnode 2019-03-15 18:54:46,504 WARN org.apache.hadoop.security.U ...

  3. 【原创】大叔经验分享(47)yarn开启日志归集

    yarn开启日志归集功能,除了配置之外 yarn.log-aggregation-enable=true 还要检查/tmp/logs目录是否存在以及权限,尤其是在开启kerberos之后,有些目录可能 ...

  4. 【原创】大叔经验分享(40)hdfs关闭kerberos

    hadoop.security.authentication: Kerberos -> Simple hadoop.security.authorization: true -> fals ...

  5. 【原创】大叔经验分享(31)CM金丝雀Canary报错

    CM金丝雀Canary报错 1 HDFS 金丝雀Canary 测试无法为 /tmp/.cloudera_health_monitoring_canary_files 创建父目录. 2 Hive Met ...

  6. 【原创】大叔经验分享(37)CM清理磁盘空间

    定期清理cloudera manager server的磁盘空间 1 停止Service Monitor和Host Monitor 2 删除日志 # /bin/rm /var/lib/cloudera ...

  7. 【原创】大叔经验分享(36)CM部署kafka

    1 下载kafka parcel http://archive.cloudera.com/kafka/parcels/latest/KAFKA-3.1.1-1.3.1.1.p0.2-el7.parce ...

  8. 【原创】大叔经验分享(50)hue访问mysql(librdbms)

    cloudera manager安装hue后想开启访问mysql(librdbms)需要在这里配置(hue_safety_valve.ini) 添加配置如下 [librdbms] # The RDBM ...

  9. 【原创】大叔经验分享(7)创建hive表时格式如何选择

    常用格式 textfile 需要定义分隔符,占用空间大,读写效率最低,非常容易发生冲突(分隔符)的一种格式,基本上只有需要导入数据的时候才会使用,比如导入csv文件: ROW FORMAT DELIM ...

随机推荐

  1. maven多模块依赖源码调试

    Maven多模块项目中,通常存在摸个模块同时依赖其他多个基础模块的情况.在eclipse中使用run-jetty-run插件调试时,常常会出现找不到被依赖模块对应源码的错误提示.举个例子,模块A同时依 ...

  2. you have mixed tabs and spaces.Fix This屏蔽

    这个功能很影响vs的速度,解决办法(VS2010版本为例),将Fix Mixed Tabs改为OFF即可.

  3. javascript获取值

    <div id='name'>张三</div> $('#name').val() $(name).val() 以上两个都可以得到值,第一种用的比较多.

  4. CC2541设置中断输入模式

    //P0.0 /* SW_6 is at P0.1 */#define HAL_KEY_SW_6_PORT P0#define HAL_KEY_SW_6_BIT BV(0)#define HAL_KE ...

  5. 9.selenium

    1.安装与入门 pip3 install selenium 将chromedriver放到一个没有权限要求的目录 from selenium import webdriver driverpath=& ...

  6. 【C++】 网络编程 01

    趁着计算机网络这门课布置了课程设计,学习下网络编程. 系统:Ubuntu 14.01... 1. 关于Socket(套接字) 1.1 套接字是存在于运输层和应用层间的抽象层,通过它来区分不同应用程序进 ...

  7. 20155324 《Java程序设计》实验五 网络编程与安全

    20155324 <Java程序设计>实验五 网络编程与安全 实验内容 任务一 编写MyBC.java实现中缀表达式转后缀表达式的功能 编写MyDC.java实现从上面功能中获取的表达式中 ...

  8. 使用PHP连接数据库实现留言板功能

    PHP实现留言板功能: 1 首先是登录页面: <!DOCTYPE html><html>    <head>        <meta charset=&qu ...

  9. windows 程序库

    静态链接库:*.lib 在程序编译时要使用的代码,会嵌入到最后生成的执行程序里. 动态链接库:*.dll 在程序运行时要使用的代码. 可在运行时载入 或 在编译时链接 引入库(*.lib)文件 进行使 ...

  10. cygwin 安装包管理器 apt-cyg

    https://github.com/transcode-open/apt-cyg apt-cyg is a simple script. To install: lynx -source https ...