[Original] Uncle's Experience Sharing (30): Enabling Kerberos in CM
For the Kerberos (KDC) installation itself see: https://www.cnblogs.com/barneywill/p/10394164.html
I. Create a user for CM
# kadmin.local -q "addprinc scm/admin"
The name and password are arbitrary; they are entered in the CM wizard below. One constraint: CM uses this principal through kadmin to create a principal and a keytab for every service role, so it must be granted admin rights in /var/kerberos/krb5kdc/kadm5.acl. The stock ACL entry */admin@REALM * is why an instance of /admin is used here; with a different name, add a matching ACL line and restart the kadmin service first, otherwise the wizard fails when it tries to create principals.
II. CM configuration process
1 Enable Kerberos
2 Check all the boxes
3 Fill in the fields according to /etc/krb5.conf (realm, KDC host, admin server, encryption types)
4 (screenshot only in the original, no text)
5 Enter the user name and password of the principal created above
6 Next
7 Next
8 (screenshot only in the original, no text)
Afterwards the principals CM created can be listed with:
# kadmin.local -q 'listprincs'
III. Possible problems
If something goes wrong during the setup, some components may fail to start.
1) impala
statestored fails to start with
SASL message (Kerberos (internal)): Couldn't find mech GSSAPI
or catalogd and impalad fail to start with
I0219 00:31:16.314851 857 statestore-subscriber.cc:238] statestore registration unsuccessful: Couldn't open transport for $server2.bj:24000 (No more data to read.)
F0219 00:31:16.314926 857 catalogd-main.cc:88] Couldn't open transport for $server2.bj:24000 (No more data to read.)
. Impalad exiting.
The second error is a consequence of the first: catalogd and impalad cannot register with a statestored that never came up. The root cause is that the SASL GSSAPI plugin is missing on the host, so the Kerberos mechanism cannot be loaded. Check that the following libraries are installed:
# yum install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi
2) hue
The hue instance's Kerberos Ticket Renewer fails to start:
INFO kt_renewer
Renewing kerberos ticket to work around kerberos 1.8.1: /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
ERROR kt_renewer
Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/$server1@ANYTHING.COM' is still renewable:
$ klist -f -c /var/run/hue/hue_krb5_ccache
If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/$server1@ANYTHING.COM' and `krbtgt' principals.
[19/Feb/2019 07:32:04 ] settings INFO Welcome to Hue 3.9.0
Reproducing the problem by hand:
# klist -f -c /var/run/hue/hue_krb5_ccache
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/$server1@ANYTHING.COM
Valid starting       Expires              Service principal
02/19/2019 10:06:50  02/20/2019 10:06:50  krbtgt/ANYTHING.COM@ANYTHING.COM
Flags: FI
# /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
kinit: KDC can't fulfill requested option while renewing credentials
The flags are the tell-tale: F (forwardable) and I (initial) are set but R (renewable) is not, and there is no "renew until" line at all, so the KDC refuses the renewal.
Checks:
1) Check the configuration files
# vi /etc/krb5.conf
ticket_lifetime = 24h
renew_lifetime = 7d
# vi /var/kerberos/krb5kdc/kdc.conf
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +renewable
renew_lifetime on the client side is only a request. The KDC caps it at the realm's max_renewable_life and, per principal, at the maxrenewlife of both the requesting principal and krbtgt; the effective renewable life is the minimum of all of these. So a correct krb5.conf and kdc.conf are not enough if one principal's own limit is zero, which is the next thing to check.
2) Check the Maximum renewable life of the krbtgt principal
# kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM'
Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Mon Feb 18 22:02:42 CST 2019 (db_creation@ANYTHING.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 9
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, camellia256-cts-cmac
Key: vno 1, camellia128-cts-cmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
Key: vno 1, des-cbc-crc
MKey: vno 1
Attributes: LOCKDOWN_KEYS
Policy: [none]
The key line is
Maximum renewable life: 0 days 00:00:00
Changing kdc.conf does not touch principals that already exist (krbtgt was created together with the database, see db_creation under Last modified), so the limit has to be raised on the principal itself.
Change the maxrenewlife of krbtgt:
# kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/ANYTHING.COM'
If necessary, do the same for other principals; +allow_renewable clears the DISALLOW_RENEWABLE attribute in case it was set:
# kadmin.local -q 'modprinc -maxrenewlife "7d" +allow_renewable $user/$host@ANYTHING.COM'
Here the one that matters is the hue service principal, hue/$server1@ANYTHING.COM. Tickets already in the cache keep the flags they were issued with, so delete the cache; on restart the renewer does a fresh kinit from the keytab and gets a renewable TGT.
# /bin/rm /var/run/hue/hue_krb5_ccache
Restart the Kerberos Ticket Renewer
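The checks in this hue section (is the cached TGT renewable, and is a principal's maximum renewable life zero) can be scripted so they are not re-done by eye every time. The following is an added example, not code from the post or from Hue: it parses the text output of klist -f and of kadmin.local getprinc. The samples embedded in it are constructed to match the output shown above; the host name server1 and the realm ANYTHING.COM are placeholders.

```python
# Added example (not from the post): diagnose the Hue renewer failure from
# the text output of "klist -f -c <cache>" and "kadmin.local -q 'getprinc <princ>'".
# The samples below are constructed to match the output shown above; the
# host name server1 and realm ANYTHING.COM are placeholders.
import re

# Constructed sample: the broken state. No "renew until" line and no R flag.
KLIST_NOT_RENEWABLE = """\
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/server1@ANYTHING.COM

Valid starting       Expires              Service principal
02/19/2019 10:06:50  02/20/2019 10:06:50  krbtgt/ANYTHING.COM@ANYTHING.COM
\tFlags: FI
"""

# Constructed sample: after modprinc -maxrenewlife and a fresh kinit.
KLIST_RENEWABLE = """\
Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
Default principal: hue/server1@ANYTHING.COM

Valid starting       Expires              Service principal
02/19/2019 10:06:50  02/20/2019 10:06:50  krbtgt/ANYTHING.COM@ANYTHING.COM
\trenew until 02/26/2019 10:06:50, Flags: FRI
"""

# Constructed samples: getprinc before and after the fix, trimmed to the
# lines that matter.
GETPRINC_KRBTGT_BROKEN = """\
Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes: LOCKDOWN_KEYS
"""
GETPRINC_KRBTGT_FIXED = GETPRINC_KRBTGT_BROKEN.replace(
    "Maximum renewable life: 0 days", "Maximum renewable life: 7 days")

_TS = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"renew until ({_TS})")
FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")
RENEW_LIFE_RE = re.compile(r"Maximum renewable life:\s+(\d+) days? (\d\d):(\d\d):(\d\d)")


def parse_klist(text):
    """One dict per ticket: start, expires, service, renew_until, flags.
    Indented continuation lines belong to the ticket printed just before them."""
    tickets = []
    for raw in text.splitlines():
        m = TICKET_RE.match(raw.strip())
        if m:
            tickets.append({"start": m.group(1), "expires": m.group(2),
                            "service": m.group(3), "renew_until": None, "flags": ""})
        elif tickets and raw[:1] in ("\t", " "):
            r = RENEW_RE.search(raw)
            if r:
                tickets[-1]["renew_until"] = r.group(1)
            f = FLAGS_RE.search(raw)
            if f:
                tickets[-1]["flags"] = f.group(1)
    return tickets


def tgt_is_renewable(tickets, realm):
    """Same test Hue's error text describes: the TGT needs the R flag and a
    'renew until' that is later than 'valid starting'."""
    tgt = next((t for t in tickets if t["service"] == f"krbtgt/{realm}@{realm}"), None)
    if tgt is None:
        return False
    return ("R" in tgt["flags"] and tgt["renew_until"] is not None
            and tgt["renew_until"] != tgt["start"])


def max_renewable_seconds(getprinc_text):
    """The per-principal cap the KDC applies; 0 means every renewal is refused."""
    m = RENEW_LIFE_RE.search(getprinc_text)
    if not m:
        raise ValueError("no 'Maximum renewable life' line in getprinc output")
    days, h, mi, s = (int(x) for x in m.groups())
    return days * 86400 + h * 3600 + mi * 60 + s


def diagnose(klist_text, getprinc_texts, realm):
    """Return the list of problems found; an empty list means the renewer should work."""
    findings = []
    if not tgt_is_renewable(parse_klist(klist_text), realm):
        findings.append("cached TGT is not renewable: delete the cache and "
                        "restart the renewer after fixing the KDC limits")
    for text in getprinc_texts:
        name = re.search(r"^Principal: (\S+)", text, re.M).group(1)
        if max_renewable_seconds(text) == 0:
            findings.append(f"{name}: Maximum renewable life is 0, run "
                            f"kadmin.local -q 'modprinc -maxrenewlife 7d {name}'")
    return findings


if __name__ == "__main__":
    for line in diagnose(KLIST_NOT_RENEWABLE, [GETPRINC_KRBTGT_BROKEN], "ANYTHING.COM"):
        print(line)
```

On a real host, feed diagnose() the output of klist -f -c /var/run/hue/hue_krb5_ccache and of getprinc for both krbtgt and the hue service principal; checking krbtgt alone is not enough, because the smaller of the two limits wins.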
3) Activity Monitor fails to start
ERROR Main
Failed to start Firehose
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.io.IOException: Login failure for hue/$server1@ANYTHING.COM from keytab cmon.keytab
...
Caused by: KrbException: no supported default etypes for default_tkt_enctypes
Look up default_tkt_enctypes:
# vi /etc/krb5.conf
default_tkt_enctypes = aes256-cts
Find cmon.keytab:
# find /opt -name cmon.keytab
/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
List the principals and key types in the keytab:
# klist -k /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
Keytab name: FILE:/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 hue/$server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
2 hue/$server1@ANYTHING.COM (des3-cbc-sha1)
2 hue/$server1@ANYTHING.COM (arcfour-hmac)
2 hue/$server1@ANYTHING.COM (camellia256-cts-cmac)
2 hue/$server1@ANYTHING.COM (camellia128-cts-cmac)
2 hue/$server1@ANYTHING.COM (des-hmac-sha1)
2 hue/$server1@ANYTHING.COM (des-cbc-md5)
At first sight aes256-cts seems to be missing, but the keytab does contain it: aes256-cts is just the MIT alias for aes256-cts-hmac-sha1-96, which is the first key listed, so the keytab is not where the mismatch is. The exception comes from the JVM: KrbException "no supported default etypes for default_tkt_enctypes" is raised when none of the enctypes listed in krb5.conf is supported by the Java runtime, and a JDK 8 older than 8u161 (or any JDK without the Unlimited Strength JCE policy files) cannot do 256-bit AES. Adding an enctype the JVM can use gets Activity Monitor past the login:
# vi /etc/krb5.conf
default_tgs_enctypes = aes256-cts des3-cbc-sha1
default_tkt_enctypes = aes256-cts des3-cbc-sha1
permitted_enctypes = aes256-cts des3-cbc-sha1
Restart Activity Monitor.
Note that this works by falling back to des3-cbc-sha1, which is deprecated. The cleaner fix is to give the JVM AES256 support (the unlimited JCE policy files, or a JDK where it is on by default) and keep the AES-only list; that is also the fix for the "not supported/enabled" error in 4) below.
4) If you hit
[javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]
see: https://www.cnblogs.com/barneywill/p/10540008.html
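Problems 3) and 4) are both enctype mismatches, and the confusing part is that krb5.conf, klist and the JVM each spell the same enctype differently. The following is an added example, not code from the post or from Cloudera: it resolves the MIT krb5 aliases, parses a klist -k -e listing and reports which of the configured default_tkt_enctypes the keytab and a given JVM can both use. The keytab text is constructed to match the cmon.keytab listing above (with a shortened path); the two JVM enctype sets are illustrative assumptions about a JDK 8 with and without the unlimited JCE policy, not read from any JDK.

```python
# Added example (not from the post): work out which of the enctypes listed in
# default_tkt_enctypes a keytab and a given JVM can both use. Resolves the MIT
# krb5 aliases (aes256-cts is aes256-cts-hmac-sha1-96) behind the confusion
# above. The keytab text is constructed to match "klist -k -e" output; the JVM
# enctype sets are illustrative assumptions, not read from a JDK.
import re

# MIT krb5 alias -> canonical enctype name (the ones that show up in practice)
ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-sha2": "aes256-cts-hmac-sha384-192",
    "aes128-sha2": "aes128-cts-hmac-sha256-128",
    "des3-hmac-sha1": "des3-cbc-sha1",
    "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "camellia256-cts": "camellia256-cts-cmac",
    "camellia128-cts": "camellia128-cts-cmac",
}

# Illustrative assumption: a JDK 8 before 8u161 without the Unlimited Strength
# JCE policy files has no 256-bit AES; with the policy (or a newer JDK) it does.
JVM_WITHOUT_UNLIMITED_JCE = {"aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac"}
JVM_WITH_UNLIMITED_JCE = JVM_WITHOUT_UNLIMITED_JCE | {"aes256-cts-hmac-sha1-96"}

# Constructed sample: the same keys as the cmon.keytab listing above.
KLIST_KE = """\
Keytab name: FILE:/opt/cloudera-manager/run/cmon.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 hue/server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
   2 hue/server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
   2 hue/server1@ANYTHING.COM (des3-cbc-sha1)
   2 hue/server1@ANYTHING.COM (arcfour-hmac)
"""

KEYTAB_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def canonical(name):
    """Map an alias as written in krb5.conf to the name klist prints."""
    n = name.strip().lower()
    return ALIASES.get(n, n)


def parse_enctypes_setting(line):
    """'default_tkt_enctypes = aes256-cts des3-cbc-sha1' -> canonical names, in order."""
    _, _, value = line.partition("=")
    return [canonical(tok) for tok in value.replace(",", " ").split()]


def keytab_enctypes(klist_ke_output):
    """principal -> set of canonical enctypes for which the keytab holds a key."""
    keys = {}
    for raw in klist_ke_output.splitlines():
        m = KEYTAB_LINE_RE.match(raw)
        if m:
            keys.setdefault(m.group(2), set()).add(canonical(m.group(3)))
    return keys


def usable_enctypes(setting_line, klist_ke_output, principal, jvm_supported):
    """Enctypes, in krb5.conf order, that the keytab has a key for AND the JVM
    implements. If the JVM filter alone leaves nothing, Java's Kerberos code
    raises 'no supported default etypes for default_tkt_enctypes'; if only the
    keytab filter removes the rest, the login fails later for lack of a key."""
    in_keytab = keytab_enctypes(klist_ke_output).get(principal, set())
    return [e for e in parse_enctypes_setting(setting_line)
            if e in in_keytab and e in jvm_supported]


if __name__ == "__main__":
    p = "hue/server1@ANYTHING.COM"
    for setting in ("default_tkt_enctypes = aes256-cts",
                    "default_tkt_enctypes = aes256-cts des3-cbc-sha1"):
        for label, jvm in (("restricted JVM", JVM_WITHOUT_UNLIMITED_JCE),
                           ("unlimited JVM", JVM_WITH_UNLIMITED_JCE)):
            print(f"{setting!r:55} {label:15} -> {usable_enctypes(setting, KLIST_KE, p, jvm)}")
```

Run against a real keytab, replace KLIST_KE with the output of klist -k -e on the process directory's keytab and check the result for the principal the log complains about. An AES-only list with an empty result on the restricted JVM and a non-empty one on the unlimited JVM is the signature of the JCE problem, and the right fix is then on the JVM side rather than adding des3-cbc-sha1 to krb5.conf.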