zookeeper配置kerberos認證的坑
阿新 • • 發佈:2017-08-21
zookeeper kerberos 配置
/* */] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member‘s received SASL token. Zookeeper Client will go to AUTH_FAILED state.zookeeper配置了kerberos之後,zkCli.sh 連接認證死活不通過
連接命令: zkCli.sh
報錯如下:
WatchedEvent state:SyncConnected type:None path:null 2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):[email protected]] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member‘s received SASL token. Zookeeper Client will go to AUTH_FAILED state. 2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):[email protected]
查了很久,終於在kdc的日誌中找到了蛛絲馬跡,如下
Aug 21 10:11:42 master krb5kdc[21935](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.100.144: LOOKING_UP_SERVER: authtime 0, [email protected] for [email protected], Server not found in Kerberos database原因分析:1、在zookeeper的認證請求中,zookeeper端的默認principall應該是zookeeper/<hostname>@<realm>
2、當采用zkCli.sh 的方式請求中,默認的host應該是localhost
因此在kdc中才會發現客戶端的請求和 zookeeper/[email protected] 這個principal進行認證,但是在kerberos的database中卻沒有這個principal。
解決方法: 使用zkCli.sh -server host:port 訪問。 同時zookeeper配置文件中sever部分的principal必須為zookeeper/<hostname>@<your realm>
zookeeper配置kerberos認證的坑