Kerberos authentication:
Kerberos authentication broke and I spent a long time hunting for the cause; the reason was that I had only just started working with Kerberos and did not understand much of it.
When using Kerberos authentication I ran into the following bug:
Note: I could not work out why Kerberos authentication kept failing:
As shown below, I wanted to check the ResourceManager HA state as the yarn user, but it reported a Kerberos authentication failure:
[root@hadoop103 ~]# sudo -i -u yarn yarn rmadmin -getServiceState rm1
2023-07-04 07:30:26,604 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[KERBEROS]
Operation failed: DestHost:destPort hadoop102:8033 , LocalHost:localPort hadoop103/172.16.10.138:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[KERBEROS]
[root@hadoop103 ~]# sudo -i -u hdfs yarn rmadmin -getServiceState rm2
2023-07-04 07:30:29,338 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[KERBEROS]
Operation failed: DestHost:destPort hadoop103:8033 , LocalHost:localPort hadoop103/172.16.10.138:0. Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[KERBEROS]
Cause analysis:
Kerberos has two authentication methods, and they must not be mixed up: password authentication and keytab (key file) authentication.
1. Password authentication
1) Authenticate the principal with kinit and enter the password at the prompt
[root@hadoop102 ~]$ kinit test
Password for test@EXAMPLE.COM:
2) View the credentials
[root@hadoop102 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
10/27/2019 18:23:57 10/28/2019 18:23:57 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 11/03/2019 18:23:57
2. Keytab authentication
1) Generate the keytab file for principal test into the target path /root/test.keytab
xst is the kadmin command used specifically to generate key files (keytabs)
[root@hadoop102 ~]$ kadmin.local -q "xst -norandkey -k /root/test.keytab test@EXAMPLE.COM"
Note: -norandkey tells kadmin not to randomize the principal's key; without this option the previous password is invalidated (from then on only the keytab can be used to log in, because the key was randomized).
2) Authenticate with the keytab
[root@hadoop102 ~]$ kinit -kt /root/test.keytab test
3) View the credentials
[root@hadoop102 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@EXAMPLE.COM
Valid starting Expires Service principal
2023-05-15T11:34:21 2023-05-16T11:34:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Where I got confused was that I mixed the two methods: after running the keytab commands, I also ran kadmin.local cpw rm/hadoop102 to change the password of the rm/hadoop102 principal, and when I later tried to authenticate with kinit -kt, authentication failed.
Changing the password with cpw replaces the principal's key in the KDC and increments its key version number (kvno), so the key stored in the existing keytab no longer matches; kinit reports that mismatch as "Password incorrect".
[root@hadoop103 keytab]# kinit -kt rm.service.keytab rm/hadoop103
kinit: Password incorrect while getting initial credentials
Then I deleted the keytab file, but authenticating with kinit -kt still failed
[root@hadoop103 keytab]# kinit rm/hadoop103
Password for rm/hadoop103@EXAMPLE.COM:
kinit: Password incorrect while getting initial credentials
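The mismatch described above can be spotted before kinit fails by comparing the kvno recorded in the keytab with the kvno the KDC holds for the principal. The script below is an added example, not part of the original post; the two sample outputs are constructed to mirror the formats of `klist -kt` and `kadmin.local -q "getprinc ..."`, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: detect a stale keytab by comparing
# the key version number (kvno) stored in the keytab with the kvno the KDC holds.
# A password change (cpw) or an xst without -norandkey replaces the principal's
# key and bumps the KDC-side kvno, so kinit -kt fails with "Password incorrect"
# even though the keytab file itself is intact.
# Both sample outputs below are constructed; they mirror the formats printed by
# `klist -kt <keytab>` and `kadmin.local -q "getprinc <principal>"`.

SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytab/rm.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/04/2023 07:50:12 rm/hadoop103@EXAMPLE.COM
   2 07/04/2023 07:50:12 rm/hadoop103@EXAMPLE.COM'

SAMPLE_GETPRINC='Principal: rm/hadoop103@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Jul 04 07:55:01 UTC 2023
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96'

# keytab_kvno PRINCIPAL KLIST_OUTPUT -> highest kvno for PRINCIPAL in the keytab
# (the principal is the last field; the timestamp occupies two fields)
keytab_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" 'BEGIN { max = 0 }
        $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# kdc_kvno GETPRINC_OUTPUT -> kvno the KDC holds, from the "Key: vno N, ..." lines
kdc_kvno() {
    printf '%s\n' "$1" | awk 'BEGIN { max = 0 }
        /^Key: vno/ { v = $3; sub(",", "", v); if (v + 0 > max) max = v + 0 }
        END { print max }'
}

# keytab_check PRINCIPAL KLIST_OUTPUT GETPRINC_OUTPUT -> "ok" or "stale"
keytab_check() {
    kt=$(keytab_kvno "$1" "$2")
    kdc=$(kdc_kvno "$3")
    if [ "$kt" -eq "$kdc" ]; then echo ok; else echo stale; fi
}

# Live use (not run here): feed the real command outputs instead of the samples.
#   keytab_check rm/hadoop103@EXAMPLE.COM "$(klist -kt rm.service.keytab)" \
#       "$(kadmin.local -q 'getprinc rm/hadoop103')"
keytab_check rm/hadoop103@EXAMPLE.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC"
```

A "stale" result means the keytab must be regenerated (or the KDC key restored), which is exactly the situation the rest of this post resolves.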
Solution:
If you run into the problem above, my suggestion is:
1. First delete the rm/hadoop102 principal with kadmin.local
[root@hadoop102 ~]# kadmin.local
Authenticating as principal rm/admin@EXAMPLE.COM with password.
kadmin.local:
? ank delpol getpol get_principal get_strings list_policies lock modprinc renprinc
addpol change_password delprinc get_policies get_principals getstrs listpols lr purgekeys setstr
add_policy cpw delstr get_policy getprincs ktadd list_principals modify_policy q set_string
addprinc delete_policy del_string getpols getprivs ktrem listprincs modify_principal quit unlock
add_principal delete_principal exit getprinc get_privs ktremove list_requests modpol rename_principal xst
kadmin.local: delprinc
anaconda-ks.cfg .bash_logout .bashrc .cshrc .pki/ .ssh/ test.keytab
.bash_history .bash_profile .beeline/ .mysql_history .rnd .tcshrc .viminfo
kadmin.local: delprinc rm/hadoop102
2. Delete the corresponding keytab file
Overwriting it in place without deleting it seems to cause problems, so I recommend deleting it outright.
[root@hadoop103 keytab]# rm -rf rm.service.keytab
3. Regenerate the principal and the keytab file
[root@hadoop103 keytab]# kadmin -padmin/admin -wNTVfPQY9kNs6 -q"xst -k /etc/security/keytab/rm.service.keytab rm/hadoop103"
Authenticating as principal admin/admin with password.
Entry for principal rm/hadoop103 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
Entry for principal rm/hadoop103 with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/keytab/rm.service.keytab.
4. Authenticate with kinit -kt
[root@hadoop103 keytab]# kinit -kt rm.service.keytab rm/hadoop103
[root@hadoop103 keytab]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rm/hadoop103@EXAMPLE.COM
Valid starting Expires Service principal
07/04/2023 07:58:45 07/05/2023 07:58:45 krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@hadoop103 keytab]#
5. Run the yarn command again
[yarn@hadoop102 keytab]$ yarn rmadmin -getServiceState rm1
standby
[yarn@hadoop102 keytab]$ yarn rmadmin -getServiceState rm2
active
Summary
If you are using a keytab, authenticate with kinit -kt
If you are using a password, authenticate by entering the password at the kinit prompt