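[Kerberos authentication]

The cluster runs CDH 5.14 with Kerberos-based authentication. Accessing the YARN logs from a local browser runs into a problem:

This is a permissions problem.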

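1. Install the 64-bit MSI installer kfw-4.1-amd64.msi; the default path on the C: drive is fine.

2. In the PATH environment variable, move the kfw path forward so that it comes at least before the JDK (the JDK ships its own kinit and klist, which would otherwise be found first).

3. Put the krb5.ini file (taken from the server) at C:\ProgramData\MIT\Kerberos5\krb5.ini

Then running kinit -kt D:\hebj.keytab [email protected] is all that is needed.

The krb5.ini file holds the Kerberos settings as configured on the cluster.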

4. In Firefox, open the about:config settings page

Add the relevant URLs to network.negotiate-auth.trusted-uris, for example: ydc-161,ydc-162,ydc-171,ydc-172,ydc-173,ydc-174,ydc-175,ydc-176,ydc-177,ydc-178,ydc-179,ydc-180,ydc-181,ydc-182,10.200.70.161,http://ydc-162:8088

Set network.auth.use-sspi to false

5. The session expires after a certain time; log in again with: kinit -kt D:\document\keytab\hebj.keytab [email protected]

 

 

# Configuration snippets may be placed in this directory as well
[libdefaults]
 default_realm = XX.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # Important !!!
 # use default_ccache_name = FILE:/tmp/krb5cc_%{uid} so that
 # beeline, hdfs and hbase shell can get a Kerberos ticket;
 # otherwise beeline, hdfs, hbase ... shell will throw a "can not get kerberos ticket" error
 #
 #default_ccache_name = KEYRING:persistent:%{uid}
 #default_ccache_name = FILE:/tmp/krb5cc_%{uid}
 
 udp_preference_limit = 1000000
 # the following 3 lines are important; without them, kadmin auth is sometimes incredibly slow.
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
 XX.COM = {
  kdc = 10.20.70.2
  admin_server = 10.20.7.16
 }

[domain_realm]
 .xx.com = XX.COM
 xx.com = XX.COM
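
The three enctype lines in the krb5.ini above list only RC4, single-DES and triple-DES ciphers, all of which are deprecated (RFC 6649, RFC 8429). As an added example, not part of the original post, this Python script flags such entries in the [libdefaults] section of a krb5.ini; the function name audit_enctypes and the embedded sample text are assumptions made for illustration.

```python
# Added example (not from the original post): flag deprecated enctypes in krb5.ini.
import re

# Enctype names MIT krb5 accepts for deprecated ciphers: single DES (RFC 6649),
# RC4 and triple DES (RFC 8429).
WEAK = {
    "des-cbc-crc": "single DES", "des-cbc-md4": "single DES",
    "des-cbc-md5": "single DES", "des": "single DES",
    "arcfour-hmac": "RC4", "arcfour-hmac-md5": "RC4", "rc4-hmac": "RC4", "rc4": "RC4",
    "des3-cbc-sha1": "triple DES", "des3-hmac-sha1": "triple DES",
    "des3-cbc-sha1-kd": "triple DES", "des3": "triple DES",
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def audit_enctypes(text):
    """Return {setting: [(enctype, reason), ...]} for weak entries in [libdefaults]."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                             # section header such as [realms]
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            weak = [(e, WEAK[e.lower()]) for e in re.split(r"[,\s]+", value) if e.lower() in WEAK]
            if weak:
                findings[key] = weak
    return findings

# Constructed sample: the enctype lines copied from the krb5.ini shown above.
SAMPLE = """
[libdefaults]
 default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc des3-cbc-sha1
[domain_realm]
 .xx.com = XX.COM
"""

if __name__ == "__main__":
    for setting, weak in audit_enctypes(SAMPLE).items():
        print(setting, "->", ", ".join(f"{e} ({why})" for e, why in weak))
```

An empty result means none of the three lists names a deprecated cipher. Whether AES enctypes can replace them depends on what the KDC supports and which key types the keytab was issued with.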

3. In Firefox, open the about:config settings page

Add the relevant URLs to network.negotiate-auth.trusted-uris, for example

Set network.auth.use-sspi to false

 

As shown below, the ticket is time-limited, so if authentication fails, run kinit -kt D:\document\keytab\hebj.keytab [email protected] again

C:\Users\hebaojing>kinit -kt D:\document\keytab\hebj.keytab [email protected]

C:\Users\hebaojing>klist
Ticket cache: API:krb5cc
Default principal: [email protected]

Valid starting     Expires            Service principal
10/11/19 15:00:04  10/12/19 15:00:04  krbtgt/[email protected]
        renew until 10/18/19 15:00:04

C:\Users\hebaojing>klist

 

 

Reference article:

https://www.cnblogs.com/kischn/p/7443343.html

 
