web项目访问hbase,新客户要求添加kerberos。刚开始是这样写的:
try{
UserGroupInformation.setConfiguration(hbConf);
UserGroupInformation.loginUserFromKeytab(userName,keyTabFile);
}catch (IOException e){
logger.error("kerbose登录报错" + e);
}
项目部署到服务器上连接正常,但是到了24h后就过期了,报错信息如下:
javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at org.apache.hadoop.hbase.security.HBaseSaslRpcClient.saslConnect(HBaseSaslRpcClient.java:179)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupSaslConnection(RpcClientImpl.java:617)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.access$700(RpcClientImpl.java:162)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:743)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection$2.run(RpcClientImpl.java:740)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.setupIOstreams(RpcClientImpl.java:740)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.writeRequest(RpcClientImpl.java:909)
at org.apache.hadoop.hbase.ipc.RpcClientImpl$Connection.tracedWriteRequest(RpcClientImpl.java:873)
at org.apache.hadoop.hbase.ipc.RpcClientImpl.call(RpcClientImpl.java:1244)
at org.apache.hadoop.hbase.ipc.AbstractRpcClient.callBlockingMethod(AbstractRpcClient.java:227)
at org.apache.hadoop.hbase.ipc.AbstractRpcClient$BlockingRpcChannelImplementation.callBlockingMethod(AbstractRpcClient.java:336)
at org.apache.hadoop.hbase.protobuf.generated.ClientProtos$ClientService$BlockingStub.multi(ClientProtos.java:35444)
at org.apache.hadoop.hbase.client.MultiServerCallable.call(MultiServerCallable.java:136)
at org.apache.hadoop.hbase.client.MultiServerCallable.call(MultiServerCallable.java:52)
at org.apache.hadoop.hbase.client.RpcRetryingCaller.callWithoutRetries(RpcRetryingCaller.java:212)
at org.apache.hadoop.hbase.client.AsyncProcess$AsyncRequestFutureImpl$SingleServerRequestRunnable.run(AsyncProcess.java:771)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 24 common frames omitted
测试1:参考:https://www.cnblogs.com/darange/p/13693026.html,加了定时任务,验证还是24h过期。
测试2:本地idea启动项目,更改krb5.conf文件的ticket_lifetime和renew_lifetime,均没有效果。
测试3:设置crontab 定期去刷新或者linux服务器设置ticket_lifetime和renew_lifetime,均没有效果。原因可以参考:https://cloud.tencent.com/developer/article/1419272
测试4:定时任务执行 UserGroupInformation.loginUserFromKeytab(userName,keyTabFile)。还是没效果。
测试5:我项目的JDK是1.8,hbase-client对应的版本是1.3.0,强调这个版本号,是因为错误的原因就是由JDK版本和hadoop-common版本不匹配引起的。
原因可参考https://www.cnblogs.com/gaofeng-henu/archive/2020/01/14/12190580.html。
问题解决方法:
步骤1:hbase-client版本改为1.5.0
<dependency>
<groupId>org.apache.hbase</groupId>
<artifactId>hbase-client</artifactId>
<version>1.5.0</version>
</dependency>
对应引入的依赖如下:
步骤2:添加定时任务
try {
UserGroupInformation.loginUserFromKeytab(userName,keyTabFile);
long time = 24 * 60 * 60 * 1000;//24小时循环
new Timer().scheduleAtFixedRate(new TimerTask() {
@Override
public void run() {
try {
UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
} catch (IOException e) {
logger.error("kerberos reloginFromKeytab error", e);
}
}
}, 0, time);
} catch (IOException e) {
logger.error("kerberos init error", e);
}
总结:目前过了48h,项目运行正常。