ZooKeeper authentication error

ttp71kqs  posted on 2022-12-16  in  Apache

I'm trying to log in to ZK using Kerberos, and then perform some operations. However, the following doesn't work:

2016-02-19 16:31:32,572 [myid:] - INFO  [Thread-1:Login@397] -Initiating re-login for <me/hostname@EXAMPLE.COM>

2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login@301] - TGT valid starting at:        Fri Feb 19 16:31:32 PST 2016
2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login@302] - TGT expires:                  Fri Feb 19 16:46:32 PST 2016
2016-02-19 16:31:32,588 [myid:] - INFO  [Thread-1:Login$1@181] - TGT refresh sleeping until: Fri Feb 19 16:43:50 PST 2016

[zk: hostname(CONNECTED) 11] 
[zk: hostname(CONNECTED) 11] getAcl /zk-test
'sasl,'me/hostname@EXAMPLE.COM@: cdrwa
[zk: hostname(CONNECTED) 12] ls /zk-test
Authentication is not valid : /zk-test

Even though I've already logged in using the principal me/hostname@EXAMPLE.COM, and the ACL for /zk-test is sasl:me/hostname@EXAMPLE.COM:cdrwa, I still cannot do simple stuff like ls /zk-test. Anyone know why? Thanks.

yebdmbv4  1#

I wasted an hour of my life on this (thanks to poor documentation of ZooKeeper - everything is scattered). I want to make sure no one else does; thankfully someone who knows everything at our workplace helped me out ;)
Do this before you start zkCli -server blahblah:2181:

export JVMFLAGS="-Djava.security.auth.login.config=/tmp/jaas.conf -Dsun.net.spi.nameservice.provider.1=dns,sun"

Make sure you have the JAAS conf in the tmp folder - I used something like this:

Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_super="adminsecret"
  user_bob="bobsecret"
  user_dev="devpassword";
};
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  username="blah"
  password="blahblah";
};

It will work now.

fhg3lkii  2#

A jaas.conf file is needed:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/home/myUser/myUser.keytab"
  storeKey=true
  useTicketCache=false
  principal="myUser@MYREALM.COM";
};

Set environment variables for your current session:
export JVMFLAGS="-Djava.security.auth.login.config=/home/myUser/jaas.conf"
Finally connect to the server:
zookeeper-client -server myServerIp
I've written a blog post about this as a note to self that should be a bit more complete.
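
A pre-flight check for the setup described in the answers above, added here as an example that is not part of the original question or answers: it confirms that JVMFLAGS points at a JAAS file, parses the Client section, and compares the identity it logs in as with the id in the znode ACL. The names parse_jaas and check_client are hypothetical; it assumes the JAAS file has no comments, that only the first Client entry matters, and that the server uses the full principal string unchanged as the ACL id.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|[{};=]|[^\s{};="]+')
# Constructed inputs, modelled on the Kerberos answer above.
SAMPLE_FLAGS = "-Djava.security.auth.login.config=/home/myUser/jaas.conf"
SAMPLE_JAAS = '''Client {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
  keyTab="/home/myUser/myUser.keytab" principal="myUser@MYREALM.COM";
};'''

def parse_jaas(text):
    """Parse JAAS text (comments unsupported) into {section: [(module, flag, opts)]}."""
    toks = [("str", m.group(1)) if m.group(1) is not None else ("sym", m.group(0))
            for m in TOKEN.finditer(text)]
    sections, i = {}, 0
    try:
        while i < len(toks):
            name, entries = toks[i][1], []
            if toks[i + 1] != ("sym", "{"):
                raise ValueError(f"expected '{{' after section name {name!r}")
            i += 2
            while toks[i] != ("sym", "}"):
                module, flag, opts = toks[i][1], toks[i + 1][1], {}
                i += 2
                while toks[i] != ("sym", ";"):
                    if toks[i + 1] != ("sym", "="):
                        raise ValueError(f"expected '=' after option {toks[i][1]!r}")
                    opts[toks[i][1]] = toks[i + 2][1]
                    i += 3
                entries.append((module, flag, opts))
                i += 1  # skip the ';' ending this login-module entry
            sections[name] = entries
            i += 2  # skip the '}' and ';' ending the section
    except IndexError:
        raise ValueError("truncated JAAS configuration") from None
    return sections

def check_client(jvmflags, jaas_text, acl):
    """List reasons the zkCli identity would not match an ACL 'scheme:id:perms'."""
    if not re.search(r"-Djava\.security\.auth\.login\.config=\S+", jvmflags):
        return ["JVMFLAGS does not set java.security.auth.login.config"]
    entries = parse_jaas(jaas_text).get("Client")
    if not entries:
        return ["no Client section, so zkCli connects without SASL"]
    scheme, acl_id = acl.rsplit(":", 1)[0].split(":", 1)
    module, _flag, opts = entries[0]
    identity = opts.get("principal" if module.endswith("Krb5LoginModule") else "username")
    if scheme == "sasl" and identity != acl_id:
        return [f"Client logs in as {identity!r} but the ACL id is {acl_id!r}"]
    return []
```

Run against the sample above and the ACL from the question, it reports that the Client principal and the ACL id differ; an empty list means the identity and the ACL id agree.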

luaexgnf  3#

Another way to start YARN is to change the YARN config:

yarn.resourcemanager.zk-state-store.parent-path /rmstore
yarn.resourcemanager.ha.automatic-failover.zk-base-path /yarn-leader-election

Change the path to a new location, so that the zk auth error can be avoided.
FYI: https://hadoop.apache.org/docs/r2.6.0/hadoop-yarn/hadoop-yarn-common/yarn-default.xml
