CDH: The Disaster Caused by Manually Generating a Service Keytab File

Copyright notice: this article is the author's original work and may not be reproduced without the author's permission. https://blog.csdn.net/weixin_35852328/article/details/83388060

Problem description:

Today, while connecting to Hive with beeline locally on the server, I first needed to obtain a service credential because the cluster is integrated with Kerberos, so I manually generated a keytab for accessing the Hive Metastore Server on the KDC host.

The command used:

ktadd -k /etc/hive.keytab hive/[email protected]

Running this command regenerated the key of the hive/[email protected] principal, and the Hive Metastore Server started throwing errors!

The log is as follows:

点30:32.506分 ERROR HiveMetaStore
[main]: Metastore Thrift Server threw an exception...
org.apache.thrift.transport.TTransportException: org.apache.hadoop.security.KerberosAuthException: Login failure for user: hive/[email protected] from keytab hive.keytab javax.security.auth.login.LoginException: Checksum failed
	at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:364)
	at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge.createServer(HadoopThriftAuthBridge.java:102)
	at org.apache.hadoop.hive.metastore.HiveMetaStore.startMetaStore(HiveMetaStore.java:6740)
	at org.apache.hadoop.hive.metastore.HiveMetaStore.main(HiveMetaStore.java:6659)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
	at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Caused by: org.apache.hadoop.security.KerberosAuthException: Login failure for user: hive/[email protected] from keytab hive.keytab javax.security.auth.login.LoginException: Checksum failed
	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1130)
	at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server.<init>(HadoopThriftAuthBridge.java:359)
	... 9 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1121)
	... 10 more
Caused by: KrbException: Checksum failed
	at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
	at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
	at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149)
	at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
	at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285)
	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
	... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
	at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
	at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
	at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
	at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
	... 30 more

Fix:

Stop the hiveserver2 and Hive Metastore Server services, then click "Regenerate keytab" in Cloudera Manager.

After restarting the services they came back up normally.

Cause:

I carelessly generated the keytab file myself, which replaced the key of the hive/[email protected] principal on the KDC, while the service process was still using the old keytab. The key in the old keytab no longer matches the KDC's current key for the principal, so the AS-REP cannot be decrypted with it, which is the "Checksum failed" login error above.

Correct usage:

Copy the keytab from the corresponding service process directory on the host, and consistently use that keytab for kinit whenever you access the service.

Host directory: /var/run/cloudera-scm-agent/process/

For example, HIVEMETASTORE:

[root@beta1 990-hive-HIVEMETASTORE]# kinit -kt hive.keytab hive/beta1.hadoop.feidai.com
[root@beta1 990-hive-HIVEMETASTORE]# cd /var/run/cloudera-scm-agent/process/990-hive-HIVEMETASTORE
[root@beta1 990-hive-HIVEMETASTORE]# ll
total 136
-rw-r----- 1 hive hive   333 Oct 25 19:43 cloudera-monitor.properties
-rw-r----- 1 hive hive   339 Oct 25 19:43 cloudera-stack-monitor.properties
-rw------- 1 root root 17774 Oct 25 19:43 config.zip
-rw-r----- 1 hive hive  4077 Oct 25 19:43 core-site.xml
-rw-r----- 1 hive hive   522 Oct 25 19:43 creds.localjceks
-rw------- 1 hive hive   466 Oct 25 19:43 hive.keytab
-rw-r----- 1 hive hive   869 Oct 25 19:43 hive-log4j.properties
-rw-r----- 1 hive hive  6616 Oct 25 19:43 hive-site.xml
drwxr-x--x 2 hive hive    80 Oct 25 19:43 logs
-rw------- 1 root root  3116 Oct 25 19:43 proc.json
-rw-r----- 1 hive hive     0 Oct 25 19:43 redaction-rules.json
-rw-r----- 1 hive hive  1209 Oct 25 19:43 sentry-site.xml
-rw-r----- 1 hive hive 73186 Oct 25 19:43 service-metrics.properties
-rw------- 1 root root  3403 Oct 25 19:43 supervisor.conf
drwxr-x--x 2 hive hive   220 Oct 25 19:43 yarn-conf
[root@beta1 990-hive-HIVEMETASTORE]# kinit -kt hive.keytab hive/beta1.hadoop.feidai.com
[root@beta1 990-hive-HIVEMETASTORE]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/[email protected]

Valid starting     Expires            Service principal
10/25/18 23:15:31  10/26/18 23:15:31  krbtgt/[email protected]
    renew until 10/30/18 23:15:31
[root@beta1 990-hive-HIVEMETASTORE]# 

Then test the connection to Hive with beeline:

[root@beta1 990-hive-HIVEMETASTORE]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: Using incremental CMS is deprecated and will likely be removed in a future release
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.15.0 by Apache Hive
beeline> !connect jdbc:hive2://beta1:10000/;principal=hive/[email protected]
scan complete in 2ms
Connecting to jdbc:hive2://beta1:10000/;principal=hive/[email protected]
Connected to: Apache Hive (version 1.1.0-cdh5.15.0)
Driver: Hive JDBC (version 1.1.0-cdh5.15.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://beta1:10000/> show databases;
INFO  : Compiling command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe): show databases
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO  : Completed compiling command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe); Time taken: 0.057 seconds
INFO  : Executing command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe): show databases
INFO  : Starting task [Stage-0:DDL] in serial mode
INFO  : Completed executing command(queryId=hive_20181025231717_e0f515b0-13c8-4a8c-9026-c6df74e71cbe); Time taken: 0.177 seconds
INFO  : OK
+--------------------------+--+
|      database_name       |
+--------------------------+--+
| aggregation_db_1_kudu    |
| data_market              |
| default                  |
| fi_loanrepayreport_kudu  |
| fi_repayplan_kudu        |
| financesys_kudu          |
| importmongo              |
| test                     |
+--------------------------+--+
8 rows selected (0.307 seconds)
0: jdbc:hive2://beta1:10000/> 

Test successful!

So next time, remember: never generate a service's keytab file by hand. By default the generated key is random, which invalidates any previously generated keytab file for that principal!!
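As an added example (not code from the original post), the following shell check detects exactly the mismatch described above before a keytab is used: it compares the key version number (kvno) stored in a keytab with the kvno the KDC currently holds for the principal. It assumes an MIT KDC with kadmin.local available, and the realm EXAMPLE.REALM is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. A manual `ktadd` gives the
# principal a new random key and bumps its kvno on the KDC, so a keytab
# copied earlier can no longer decrypt the AS-REP ("Checksum failed").
# Compare keytab kvno with KDC kvno before running kinit with it.
# Realm EXAMPLE.REALM is a placeholder.

# Highest kvno for PRINCIPAL in `klist -kt KEYTAB` output read from stdin.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $NF == p { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# kvno from `kadmin.local -q "getprinc PRINCIPAL"` output ("Key: vno N, ..."), read from stdin.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { sub(/,/, "", $3); print $3; exit }'
}

# Returns 0 when the keytab holds the KDC's current key version, 1 otherwise.
kvno_matches() {
    [ -n "$1" ] && [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Live check; needs klist and kadmin.local, i.e. run it on the KDC host.
check_keytab() {   # usage: check_keytab /path/to/hive.keytab hive/host@REALM
    kt=$(klist -kt "$1" | keytab_kvno "$2")
    kdc=$(kadmin.local -q "getprinc $2" | kdc_kvno)
    if kvno_matches "$kt" "$kdc"; then
        echo "OK: $1 has kvno $kt for $2, matching the KDC"
    else
        echo "MISMATCH: $1 has kvno ${kt:-none} for $2, KDC has kvno ${kdc:-unknown}; regenerate the keytab in Cloudera Manager and copy the new one" >&2
        return 1
    fi
}

# Constructed sample output reproducing the incident: keytab copied before
# the manual ktadd still has kvno 3, while ktadd bumped the KDC to kvno 4.
SAMPLE_KLIST='Keytab name: FILE:hive.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 10/25/2018 19:43:02 hive/beta1.hadoop.feidai.com@EXAMPLE.REALM
   3 10/25/2018 19:43:02 hive/beta1.hadoop.feidai.com@EXAMPLE.REALM'
SAMPLE_GETPRINC='Principal: hive/beta1.hadoop.feidai.com@EXAMPLE.REALM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, aes128-cts-hmac-sha1-96'

if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```

Run it as `sh check_keytab.sh /var/run/cloudera-scm-agent/process/<N>-hive-HIVEMETASTORE/hive.keytab hive/host@REALM` on the KDC host; the sample data at the bottom only documents the shape of the parsed output.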
