zoukankan      html  css  js  c++  java
  • 【原创】大叔经验分享(30)CM开启kerberos

    kerberos安装详见:https://www.cnblogs.com/barneywill/p/10394164.html 

     

    一 为CM创建用户

    # kadmin.local -q "addprinc scm/admin"

    名字和密码任意,后续配置中会使用

    二 CM配置过程

    1 启用Kerberos

    2 全部选中

    3 按照/etc/krb5.conf填写

     

    5 填写刚才创建的用户名密码

    6 下一步

    7 下一步

    可以查看cm创建的用户

    # kadmin.local -q 'listprincs'

    三 可能的问题

    如果安装过程中有问题,有些组件可能会启动失败,

    1)impala

    statestored启动报错

    SASL message (Kerberos (internal)): Couldn't find mech GSSAPI

    或者catalogd和impalad启动报错

    I0219 00:31:16.314851 857 statestore-subscriber.cc:238] statestore registration unsuccessful: Couldn't open transport for $server2.bj:24000 (No more data to read.)
    F0219 00:31:16.314926 857 catalogd-main.cc:88] Couldn't open transport for $server2.bj:24000 (No more data to read.)
    . Impalad exiting.

    检查如下library是否安装

    # yum install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi

    2)hue

    hue实例 Kerberos Ticket Renewer 启动失败

    INFO kt_renewer
    Renewing kerberos ticket to work around kerberos 1.8.1: /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
    ERROR kt_renewer
    Couldn't renew kerberos ticket in order to work around Kerberos 1.8.1 issue. Please check that the ticket for 'hue/$server1@ANYTHING.COM' is still renewable:
    $ klist -f -c /var/run/hue/hue_krb5_ccache
    If the 'renew until' date is the same as the 'valid starting' date, the ticket cannot be renewed. Please check your KDC configuration, and the ticket renewal policy (maxrenewlife) for the 'hue/$server1@ANYTHING.COM' and `krbtgt' principals.
    [19/Feb/2019 07:32:04 ] settings INFO Welcome to Hue 3.9.0

    重现问题

    # klist -f -c /var/run/hue/hue_krb5_ccache
    Ticket cache: FILE:/var/run/hue/hue_krb5_ccache
    Default principal: hue/$server1@ANYTHING.COM

    Valid starting Expires Service principal
    02/19/2019 10:06:50 02/20/2019 10:06:50 krbtgt/ANYTHING.COM@ANYTHING.COM
    Flags: FI
    # /bin/kinit -R -c /var/run/hue/hue_krb5_ccache
    kinit: KDC can't fulfill requested option while renewing credentials

    检查:

    1)检查配置文件

    # vi /etc/krb5.conf
    ticket_lifetime = 24h
    renew_lifetime = 7d
    # vi /var/kerberos/krb5kdc/kdc.conf
    max_renewable_life = 7d 0h 0m 0s
    default_principal_flags = +renewable

    2)检查krbtgt用户的Maximum renewable life

    # kadmin.local -q 'getprinc krbtgt/ANYTHING.COM@ANYTHING.COM'
    Principal: krbtgt/ANYTHING.COM@ANYTHING.COM
    Expiration date: [never]
    Last password change: [never]
    Password expiration date: [never]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Mon Feb 18 22:02:42 CST 2019 (db_creation@ANYTHING.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 9
    Key: vno 1, aes256-cts-hmac-sha1-96
    Key: vno 1, aes128-cts-hmac-sha1-96
    Key: vno 1, des3-cbc-sha1
    Key: vno 1, arcfour-hmac
    Key: vno 1, camellia256-cts-cmac
    Key: vno 1, camellia128-cts-cmac
    Key: vno 1, des-hmac-sha1
    Key: vno 1, des-cbc-md5
    Key: vno 1, des-cbc-crc
    MKey: vno 1
    Attributes: LOCKDOWN_KEYS
    Policy: [none]

    重点是

    Maximum renewable life: 0 days 00:00:00

    修改krbtgt的maxrenewlife

    # kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/ANYTHING.COM'

    如果有必要,修改其他用户的maxrenewlife

    # kadmin.local -q 'modprinc -maxrenewlife "7d" +allow_renewable $user/$host@ANYTHING.COM'

    删除cache

    # /bin/rm /var/run/hue/hue_krb5_ccache

    重启Kerberos Ticket Renewer

    3)

    Activity Monitor 报错

    ERROR Main
    Failed to start Firehose
    java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.io.IOException: Login failure for hue/$server1@ANYTHING.COM from keytab cmon.keytab
    ...
    Caused by: KrbException: no supported default etypes for default_tkt_enctypes

    查找default_tkt_enctypes

    # vi /etc/krb5.conf
    default_tkt_enctypes = aes256-cts

    查找cmon.keytab

    # find /opt -name cmon.keytab
    /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab

    查看keytab中的principal

    # klist -k /opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
    Keytab name: FILE:/opt/cloudera-manager/cm-5.16.1/run/cloudera-scm-agent/process/240-cloudera-mgmt-ACTIVITYMONITOR/cmon.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
    2 hue/$server1@ANYTHING.COM (aes256-cts-hmac-sha1-96)
    2 hue/$server1@ANYTHING.COM (aes128-cts-hmac-sha1-96)
    2 hue/$server1@ANYTHING.COM (des3-cbc-sha1)
    2 hue/$server1@ANYTHING.COM (arcfour-hmac)
    2 hue/$server1@ANYTHING.COM (camellia256-cts-cmac)
    2 hue/$server1@ANYTHING.COM (camellia128-cts-cmac)
    2 hue/$server1@ANYTHING.COM (des-hmac-sha1)
    2 hue/$server1@ANYTHING.COM (des-cbc-md5)

    发现确实没有 aes256-cts,修改

    # vi /etc/krb5.conf

    default_tgs_enctypes = aes256-cts des3-cbc-sha1
    default_tkt_enctypes = aes256-cts des3-cbc-sha1
    permitted_enctypes = aes256-cts des3-cbc-sha1

     重启Activity Monitor

    4)如果遇到

    [javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]]

    请见:https://www.cnblogs.com/barneywill/p/10540008.html

  • 相关阅读:
    caffe中的sgd,与激活函数(activation function)
    image retrieval数据集
    八卦
    caffe的损失函数
    caffe的输入
    rcnn spp_net hcp
    js实现幻灯片播放图片示例代码
    Checbox的操作含已选、未选及判断代码
    shell中case的用法学习笔记
    linux bash shell中case语句的实例
  • 原文地址:https://www.cnblogs.com/barneywill/p/10398663.html
Copyright © 2011-2022 走看看