zookeeper配置kerberos认证的坑
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了zookeeper配置kerberos认证的坑相关的知识,希望对你有一定的参考价值。
zookeeper配置了kerberos之后,zkCli.sh 连接认证死活不通过
连接命令: zkCli.sh
报错如下:
WatchedEvent state:SyncConnected type:None path:null 2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):[email protected]] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member‘s received SASL token. Zookeeper Client will go to AUTH_FAILED state. 2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):[email protected]] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member‘s received SASL token. Zookeeper Client will go to AUTH_FAILED state.
查了很久,终于在kdc的日志中找到了蛛丝马迹,如下
Aug 21 10:11:42 master krb5kdc[21935](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.100.144: LOOKING_UP_SERVER: authtime 0, [email protected] for zookeeper/[email protected], Server not found in Kerberos database
原因分析:1、在zookeeper的认证请求中,zookeeper端的默认principall应该是zookeeper/<hostname>@<realm>
2、当采用zkCli.sh 的方式请求中,默认的host应该是localhost
因此在kdc中才会发现客户端的请求和 zookeeper/[email protected] 这个principal进行认证,但是在kerberos的database中却没有这个principal。
解决方法: 使用zkCli.sh -server host:port 访问。 同时zookeeper配置文件中sever部分的principal必须为zookeeper/<hostname>@<your realm>
以上是关于zookeeper配置kerberos认证的坑的主要内容,如果未能解决你的问题,请参考以下文章
hadoophbasezookeeper集成kerberos认证
zookeeperzookeeper 如何 关闭 kerberos认证 Exception while determining if ZooKeeper is secure