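The CDH 5.14 cluster uses Kerberos for authentication, and accessing the YARN logs from a local browser fails:
This is a permissions problem.
1. Install the 64-bit MSI installer kfw-4.1-amd64.msi; the default path on the C: drive is fine.
2. In the PATH environment variable, move the kfw path forward so that it comes at least before the JDK (the JDK ships its own kinit and klist, which would otherwise be found first).
3. Put the krb5.ini file (from the server) at C:\ProgramData\MIT\Kerberos5\krb5.ini
Then running kinit -kt D:\hebj.keytab [email protected] is all that is needed.
The krb5.ini file holds the Kerberos settings configured on the cluster.
4. In Firefox, open the configuration page about:config
Add the relevant URLs to network.negotiate-auth.trusted-uris, for example: ydc-161,ydc-162,ydc-171,ydc-172,ydc-173,ydc-174,ydc-175,ydc-176,ydc-177,ydc-178,ydc-179,ydc-180,ydc-181,ydc-182,10.200.70.161,http://ydc-162:8088
Set network.auth.use-sspi to false
5. The session expires after a certain time; you can log in again with: kinit -kt D:\document\keytab\hebj.keytab [email protected]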
# Configuration snippets may be placed in this directory as well
[libdefaults]
default_realm = XX.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
# Important!
# Set default_ccache_name = FILE:/tmp/krb5cc_%{uid} so that
# the beeline, hdfs and hbase shells can get a Kerberos ticket;
# otherwise the beeline, hdfs, hbase ... shells throw an error that they cannot get a Kerberos ticket
#
#default_ccache_name = KEYRING:persistent:%{uid}
#default_ccache_name = FILE:/tmp/krb5cc_%{uid}
udp_preference_limit = 1000000
# The following 3 lines are important; without them, kadmin auth is sometimes incredibly slow.
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
XX.COM = {
kdc = 10.20.70.2
admin_server = 10.20.7.16
}
[domain_realm]
.xx.com = XX.COM
xx.com = XX.COM
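Added example (not part of the original post): the three enctype lines in the krb5.ini above list only RC4, single-DES and 3DES, which RFC 6649 and RFC 8429 deprecate for Kerberos. This Python check audits a krb5.ini for such entries; the function name audit_enctypes and the AES-only comparison config are assumptions made for illustration.

```python
import re

# Enctypes (and MIT family names) deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {
    "des": "single DES", "des-cbc-crc": "single DES", "des-cbc-md4": "single DES",
    "des-cbc-md5": "single DES", "des3": "3DES", "des3-cbc-sha1": "3DES",
    "rc4": "RC4", "rc4-hmac": "RC4", "arcfour-hmac": "RC4", "arcfour-hmac-md5": "RC4",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def audit_enctypes(krb5_text):
    """Map each enctype setting in [libdefaults] to its deprecated entries and AES presence."""
    report, section = {}, None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        # Tokens prefixed with "-" remove an enctype from the list, so they are skipped.
        names = [n for n in re.split(r"[\s,]+", value.lower()) if n and not n.startswith("-")]
        report[key] = {
            "deprecated": [(n, DEPRECATED[n]) for n in names if n in DEPRECATED],
            "has_aes": any(n.startswith("aes") for n in names),
        }
    return report

# The three enctype lines from the krb5.ini on this page.
PAGE_CONFIG = """[libdefaults]
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
"""
# Constructed comparison: AES-only lists (assumes the KDC and keytab hold AES keys).
AES_CONFIG = PAGE_CONFIG.replace(
    "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1",
    "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96")

if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("aes-only", AES_CONFIG)):
        for key, result in audit_enctypes(text).items():
            print(name, key, result)
```

Switching to AES-only lists works only if the KDC and the keytab hold AES keys for the principal; otherwise kinit fails.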
As shown below, the ticket has a limited lifetime, so if authentication fails, run kinit -kt D:\document\keytab\hebj.keytab [email protected] again
C:\Users\hebaojing>kinit -kt D:\document\keytab\hebj.keytab [email protected]
C:\Users\hebaojing>klist
Ticket cache: API:krb5cc
Default principal: [email protected]
Valid starting Expires Service principal
10/11/19 15:00:04 10/12/19 15:00:04 krbtgt/[email protected]
renew until 10/18/19 15:00:04
C:\Users\hebaojing>klist
Reference article:
https://www.cnblogs.com/kischn/p/7443343.html