从java连接到kerberized配置单元时sasl协商失败

6l7fqoea  于 2021-06-26  发布在  Hive
关注(0)|答案(0)|浏览(992)

我有clouderavm,在那里我启用了kerberos,我在windows机器上编写了一个java应用程序来获得配置单元连接。但我有以下例外。我遵循了许多示例和文档来获得到hive的连接,但是我无法获得连接。

ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Users/lamadipen/.m2/repository/org/apache/logging/log4j/log4j-slf4j-impl/2.4.1/log4j-slf4j-impl-2.4.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Users/lamadipen/.m2/repository/org/slf4j/slf4j-log4j12/1.7.5/slf4j-log4j12-1.7.5.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cmf.keytab refreshKrb5Config is false principal is cloudera@CLOUDERA tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal is cloudera@CLOUDERA
Will use keytab
Commit Succeeded 

16:15:35.153 [main] ERROR org.apache.thrift.transport.TSaslTransport - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211) ~[?:1.8.0_144]
    at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) ~[libthrift-0.9.3.jar:0.9.3]
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271) [libthrift-0.9.3.jar:0.9.3]
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) [libthrift-0.9.3.jar:0.9.3]
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52) [hive-shims-common-2.0.0.jar:2.0.0]
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49) [hive-shims-common-2.0.0.jar:2.0.0]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
    at javax.security.auth.Subject.doAs(Subject.java:422) [?:1.8.0_144]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628) [hadoop-common-2.6.0.jar:?]
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49) [hive-shims-common-2.0.0.jar:2.0.0]
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:181) [hive-jdbc-2.0.0.jar:2.0.0]
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:152) [hive-jdbc-2.0.0.jar:2.0.0]
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107) [hive-jdbc-2.0.0.jar:2.0.0]
    at java.sql.DriverManager.getConnection(DriverManager.java:664) [?:1.8.0_144]
    at java.sql.DriverManager.getConnection(DriverManager.java:270) [?:1.8.0_144]
    at com.dipen.sch.HiveConnection.run(App.java:146) [classes/:?]
    at com.dipen.sch.HiveConnection.run(App.java:1) [classes/:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
    at javax.security.auth.Subject.doAs(Subject.java:422) [?:1.8.0_144]
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628) [hadoop-common-2.6.0.jar:?]
    at com.dipen.sch.App.authentication(App.java:96) [classes/:?]
    at com.dipen.sch.App.main(App.java:50) [classes/:?]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_144]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_144]
    ... 21 more
Caused by: sun.security.krb5.KrbException: Clock skew too great (37) - PROCESS_TGS
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73) ~[?:1.8.0_144]
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_144]
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_144]
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_144]
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126) ~[?:1.8.0_144]
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458) ~[?:1.8.0_144]
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_144]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_144]
    ... 21 more
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[?:1.8.0_144]
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) ~[?:1.8.0_144]
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) ~[?:1.8.0_144]
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55) ~[?:1.8.0_144]
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251) ~[?:1.8.0_144]
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262) ~[?:1.8.0_144]
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308) ~[?:1.8.0_144]
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126) ~[?:1.8.0_144]
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458) ~[?:1.8.0_144]
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) ~[?:1.8.0_144]
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_144]
    at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_144]
    ... 21 more
Exception in thread "main" java.lang.reflect.UndeclaredThrowableException
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1643)
    at com.dipen.sch.App.authentication(App.java:96)
    at com.dipen.sch.App.main(App.java:50)
Caused by: java.sql.SQLException: Could not open client transport with JDBC Uri: jdbc:hive2://quickstart.cloudera:10000/;principal=hive/cloudera@CLOUDERA: GSS initiate failed
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:207)
    at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:152)
    at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:270)
    at com.dipen.sch.HiveConnection.run(App.java:146)
    at com.dipen.sch.HiveConnection.run(App.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
    ... 2 more
Caused by: org.apache.thrift.transport.TTransportException: GSS initiate failed
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:316)
    at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
    at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
    at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:181)
    ... 11 more

我在控制台上收到提交成功消息,这是否意味着我已通过身份验证。

public static void authentication() throws LoginException, IOException, InterruptedException, PrivilegedActionException
{
         System.setProperty("hadoop.home.dir", "C:\\hadoop-common-2.2.0");
    System.setProperty("java.security.auth.login.config", "gss-jaas.conf");
    System.setProperty("java.security.krb5.realm","CLOUDERA");
    System.setProperty("java.security.krb5.kdc","169.254.56.203");
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    System.setProperty("javax.security.auth.useSubjectCredOnly","false");

    LoginContext loginContext = new LoginContext("com.sun.security.jgss.initiate");

    loginContext.login();

    Subject subject = loginContext.getSubject();
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "Kerberos");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);

    HiveConnection hc = new HiveConnection();
    ugi.doAs(hc);
    //Subject.doAs(subject, hc);
    System.out.println("Before Getting connection");
    Connection con = hc.con;

    System.out.println("After Getting connection"); 
}

我试图使用usergroupinformation调用privilegedexceptionaction并获得连接,我也厌倦了同样的主题,但无论走哪条路,我都会遇到同样的问题。

class HiveConnection implements PrivilegedExceptionAction<Void>{
    private static String driverName = "org.apache.hive.jdbc.HiveDriver";
    Connection con=null;

    public Void run() throws ClassNotFoundException, SQLException, IOException {
        Class.forName(driverName);
        con = DriverManager.getConnection("jdbc:hive2://quickstart.cloudera:10000/;principal=hive/cloudera@CLOUDERA");
        return null;
    }   
}

krb5.conf文件

[libdefaults]
default_realm = CLOUDERA
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
CLOUDERA = {
kdc = 169.254.56.203
admin_server = 169.254.56.203
}
[domain_realm]

gss-jaas.conf文件

com.sun.security.jgss.initiate {

com.sun.security.auth.module.Krb5LoginModule required
    principal="cloudera@CLOUDERA"
    useKeyTab= true
    keyTab="cmf.keytab"
    storeKey=false
    doNotPrompt=false
    renewTGT=false
    useTicketCache=false
    debug=true;

};

暂无答案!

目前还没有任何答案,快来回答吧!

相关问题