HBase Zookeeper AUTH_FAILED - 找不到任何 Kerberos tgt

Question

環境

• HBase 1.5
• Hadoop 2.9.2
• Zookeeper 3.5.6

錯誤

配置 Zookeeper 使用 Kerberos 並配置 HBase jaas.conf登錄配置后收到以下錯誤

...在hbase-master.log

ERROR org.apache.zookeeper.ClientCnxn: SASL authentication with Zookeeper Quorum member failed:
 javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException:
 javax.security.sasl.SaslException: GSS initiate failed 
               [Caused by GSSException: No valid credentials provided 
                (Mechanism level: Failed to find any Kerberos tgt)]) 
               occurred when evaluating Zookeeper Quorum Member's  received SASL token. 
               Zookeeper Client will go to AUTH_FAILED state.

HBase jaas.conf

 Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=true
    storeKey=true
    keyTab="/etc/security/keytabs/hbase.keytab"
    principal="hbase/@REALM.COM";
 };

hbase-env.sh

export HBASE_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"

Answer 1

問題是在hbase-env.sh ，HBase的需求超過java.security.auth.login.config在集HBASE_OPTS 。

配置 Zookeeper jaas.conf正確方法：

export HBASE_SERVER_JAAS_OPTS="-Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"
export HBASE_MASTER_OPTS="$HBASE_MASTER_OPTS -Djava.security.auth.login.config=/opt/hbase/conf/jaas.conf"

如果您的master和region之間有單獨的密鑰表，則需要兩個 JAAS 文件，並且必須同時指定

• HBASE_SERVER_JAAS_OPTS
• HBASE_MASTER_OPTS

如果對所有 hbase 僅使用 1 個 kerberos 主體，則只需設置HBASE_SERVER_JAAS_OPTS