[logging] default = FILE:/var/log/krb5libs.log kdc = FILE: /var/log/krb5kdc.log admin_server = FILE: /var/logdmind.log [libdefaults] default_realm = HBASE.YOUKU1 dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = kerberos.example.com1 admin_server = kerberos.example.com1 } HBASE.YOUKU = { kdc = a01.regionserver.master.hbase.bigdata.vm.m6.youku1 kdc = a01.regionserver.hbase.bigdata.m6.youku1 admin_server = a01.regionserver.master.hbase.bigdata.vm.m6.youku1 default_domain = hbase.youku1 } [domain_realm] .example.com = EXAMPLE.COM1 example.com = EXAMPLE.COM1 .hbase.youku = HBASE.YOUKU1 hbase.youku = HBASE.YOUKU1
[libdefaults] default_realm = MAOYAN.COM // The default domain, so it can be omitted in kinit allow_weak_crypto = false // Strong encryption is like weak encryption, don't understand what it means, disable it first dns_lookup_realm = false // Without DNS, the domain name resolutions of these machines have been configured with each other in hosts dns_lookup_kdc = false ticket_lifetime = 24h // ticket expiration time renew_lifetime = 7d // The time the ticket can be extended, the default is 0 forwardable = true // Whether the ticket can be forwarded. Note that the most restrictive point is the configuration on the server side udp_preference_limit = 1 // When the size exceeds this limit, the TCP is first filled; it is not clear whether the unit is bytes or what [realms] MAOYAN.COM = { kdc = dx-movie-data-hadoop05:88 // kdc server, if it is in master/slave mode, write a few more lines repeatedly admin_server = dx-movie-data-hadoop05:749 // kdc master server, if there are more than one, write a few more lines default_domain = MAOYAN.COM // should be compatible between kerberos 4 and 5 } [appdefaults]
Kerberos credentials (ticket) have two attributes, ticket_lifetime and renew_lifetime. The ticket_lifetime indicates the validity period of the certificate, which is generally 24 hours. Before the voucher expires, some vouchers can be extended for the expiration time (ie Renewable). renew_lifetime indicates the maximum time limit that the voucher can be extended, usually one week. After the credential expires, subsequent access to the security-authenticated service will fail. The first problem here is how to handle credential expiration.
Credential Expiration Handling Policy
The earliest Security features for Hadoop design made the assumption that
A Hadoop job will run no longer than 7 days (configurable) on a MapReduce cluster or accessing HDFS from the job will fail.
For general tasks, 24 A credential time limit of hours or even delayed to a week is sufficient. So most of the time, we only need to use kinit to authenticate once before executing the operation, and then start the background task for periodic credential update.
while true ; do kinit -R; sleep $((3600 * 6)) ; done &
However, for services that require resident access to the Hadoop cluster, the above assumptions do not hold. At this time, we can
expand time limit of ticket_lifetime and renew_lifetime
to solve this problem, but because Kerberos is bound to our online user login authentication, it will bring security risks, so it is not convenient to modify.
Periodically re-kinit authentication to update credentials
Instead of just extending the certification period periodically, you can simply re-certify periodically to extend the limited duration of the credential. Generally, we need to export keytab for regular authentication operations.
Hadoop encapsulates the Kerberos authentication part to a certain extent, and it does not need to be so complicated in fact. The key point here is to look at the UserGroupInformation class.
http://tech.meituan.com/hadoop-security-practice.html
error message:
17:24:56 ERROR [http-8280-exec-1] org.apache.hadoop.security.UserGroupInformation(UserGroupInformation.java:1494) - PriviledgedActionException as:yule/[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 17:24:57 ERROR [http-8280-exec-1] org.apache.hadoop.security.UserGroupInformation(UserGroupInformation.java:1494) - PriviledgedActionException as:yule/[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)] 17:24:59 ERROR [http-8280-exec-1] org.apache.hadoop.security.UserGroupInformation(UserGroupInformation.java:1494) - PriviledgedActionException as:yule/[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
http://blog.csdn.net/lalaguozhe/article/details/11570009