Fixing "Unable to obtain Principal Name for authentication" when Java applications, JDBC, or Squirrel authenticate with Kerberos


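There is plenty of ready-made documentation online on how to install and configure a Kerberos client locally on Windows. Among these, https://841809077.github.io/2018/12/19/Windows%E6%9C%AC%E5%9C%B0%E5%AE%89%E8%A3%85%E9%85%8D%E7%BD%AEKerberos%E5%AE%A2%E6%88%B7%E7%AB%AF.html is fairly thorough and can be used as a reference. The following two articles are useful supplements: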

https://www.simba.com/products/Impala/doc/JDBC_InstallGuide/content/jdbc/hi/kerberos.htm
https://justnumbersandthings.com/post/2017-05-06-dbeaver-hive/

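However, after completing every step in these articles, some Java-based applications, Squirrel for example, still fail to pass Kerberos authentication on startup and instead report the error: Unable to obtain Principal Name for authentication. This is quite puzzling.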

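We want to use Squirrel (in fact the same applies to any database client that uses JDBC) to connect to a Kerberos-protected Hive database. To find the cause of the error, we turned on Kerberos debug logging: open squirrel-sql.bat and add -Dsun.security.krb5.debug=true to the original start command line, as follows: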

start "SQuirreL SQL Client" /B "%LOCAL_JAVA%" -Dsun.security.krb5.debug=true -Dsun.awt.nopixfmt=true -Dsun.java2d.noddraw=true -cp %CP% -splash:"%SQUIRREL_SQL_HOME%/icons/splash.jpg" net.sourceforge.squirrel_sql.client.Main %TMP_PARMS%

Then start Squirrel and check the log file %USERPROFILE%\.squirrel-sql\logs\squirrel-sql.log, which contains the following:

2019-07-12 10:44:55,370 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - >>>KinitOptions cache name is C:\Users\YOUR-USERNAME\krb5cc_YOUR-USERNAME
2019-07-12 10:44:55,374 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - >> Acquire default native Credentials
2019-07-12 10:44:55,375 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - Java config name: null
2019-07-12 10:44:55,376 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - Native config name: C:\windows\krb5.ini
2019-07-12 10:44:55,377 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - Loaded from native config
2019-07-12 10:44:55,465 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - default etypes for default_tkt_enctypes: 18.
2019-07-12 10:44:55,467 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - >>> Found no TGT's in LSA

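The last line shows that Squirrel did not obtain a TGT, and Native config name: C:\windows\krb5.ini gives us a hint: Squirrel is currently using the Kerberos tools bundled with the JDK to read the keytab file and communicate with the KDC, rather than the MIT Kerberos for Windows client, so the credentials created by kinit from the MIT Kerberos for Windows client are not used. That is the crux of the problem. Why this happens on my machine is baffling, because nobody else on the team ran into it after installing the MIT Kerberos for Windows client.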

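With the cause identified, the solution follows: since we cannot make Squirrel, or rather the Java application, use the MIT Kerberos for Windows client, we go back to the kinit tool bundled with the JDK to obtain the credentials again. Specifically: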

  1. First copy C:\ProgramData\MIT\Kerberos5\krb5.ini to C:\Windows, which is the default location from which Java reads krb5.ini

  2. Use the JDK's kinit tool to obtain the credentials again:

cd %JAVA_HOME%\bin\
kinit.exe -k -t C:\KrbConfig\hive.keytab hive@YOUR-KRB-REALM
New ticket is stored in cache file C:\Users\YOUR-USERNAME\krb5cc_YOUR-USERNAME

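hive@YOUR-KRB-REALM is the credential we want to obtain, since we need to access Hive through JDBC. When the command succeeds it prints an important piece of information: New ticket is stored in cache file C:\Users\YOUR-USERNAME\krb5cc_YOUR-USERNAME. This shows that the cache file generated by the JDK's kinit is placed at C:\Users\YOUR-USERNAME\krb5cc_YOUR-USERNAME, exactly the cache file name that the first line of the earlier log tried to read, which also indirectly confirms that Squirrel is working with the JDK's Kerberos tools.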

After this, restart Squirrel and it can connect to Hive. The Squirrel log also shows that the connection succeeded:

2019-07-12 10:59:13,635 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - >>> KrbCreds found the default ticket granting ticket in credential cache.

2019-07-12 10:59:13,636 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - >>> Obtained TGT from LSA: Credentials:
2019-07-12 10:59:13,636 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -       client=hive@YOUR-KRB-REALM
2019-07-12 10:59:13,637 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -       server=krbtgt/YOUR-KRB-REALM@YOUR-KRB-REALM
2019-07-12 10:59:13,637 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -     authTime=20190712025341Z
2019-07-12 10:59:13,637 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -      endTime=20190713025341Z
2019-07-12 10:59:13,638 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -    renewTill=null
2019-07-12 10:59:13,638 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -        flags=INITIAL
2019-07-12 10:59:13,638 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - EType (skey)=18
2019-07-12 10:59:13,639 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  -    (tkt key)=18

2019-07-12 10:59:13,642 [pool-3-thread-1] INFO  net.sourceforge.squirrel_sql.fw.util.log.SystemOutToLog  - Found ticket for hive@YOUR-KRB-REALM to go to krbtgt/YOUR-KRB-REALM@YOUR-KRB-REALM expiring on Sat Jul 13 10:53:41 CST 2019


Reposted from blog.csdn.net/bluishglc/article/details/95626797