开启kerberos后HBASE client配置

开启了kerberos之后的集群,用hbase client连接需要增加相应的配置,如果配置不正确很容易出现kerberos认证失败的错误,因为网上搜到的错误原因分析五花八门,加上对kerberos原理理解不深,这个错误困扰了我快一星期,最后在同事的帮助下才尝试成功.

错误信息如下:

An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
17:43:50.599 [main-SendThread(ochadoop34:2181)] ERROR org.apache.zookeeper.ClientCnxn - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.

经过测试,正确的配置为:

this.conf = HBaseConfiguration.create();
conf.set("hadoop.security.authentication", "Kerberos");
conf.set("hbase.security.authentication", "Kerberos");
conf.set("hbase.master.kerberos.principal", "hbase/hadoop111.jcloud.local@EXAMPLE.COM");
conf.set(HConstants.ZOOKEEPER_QUORUM, "hadoop111.jcloud.local");
conf.set(HConstants.ZOOKEEPER_CLIENT_PORT, "2181");
conf.set(HConstants.ZOOKEEPER_ZNODE_PARENT, "/hbase-secure");
String nsName = "mynamespace";
UserGroupInformation.setConfiguration(conf);
try{
    UserGroupInformation.loginUserFromKeytab("hbase/hadoop111.jcloud.local@EXAMPLE.COM", "/tmp/keytabs/hbase.service.keytab");
    this.connection = ConnectionFactory.createConnection(conf);
    Admin admin = this.connection.getAdmin();
    NamespaceDescriptor namespaceDescriptor = NamespaceDescriptor.create(nsName).build();
    admin.createNamespace(namespaceDescriptor);
    admin.close();
}catch(IOException e){
    logger.error("HBase namespace create fail due to: " + e.getLocalizedMessage());
    e.printStackTrace();
}finally {
    this.connection.close();
}

注意:

1. HBASE_MASTER_PRINCIPAL要设成hmaster所在机器(如hadoop111)上hbase的principal,任何别的principal都不可以.

   HBASE_MASTER_PRINCIPAL=hbase/hadoop111.jcloud.local@EXAMPLE.COM
   

2. 也可以写成HBASE_MASTER_PRINCIPAL=hbase/_HOST@EXAMPLE.COM, _HOST会被自动转换成hmaster所在主机的hostname,但是代码运行本地的hosts文件必须要配成FQDN,如果配成短名可能导致连接失败.
3. zookeeper_quorum可以配一个zookeeper server地址,也可以配多个.

   conf.set(HConstants.ZOOKEEPER_QUORUM, "hadoop111.jcloud.local,hadoop112.jcloud.local,hadoop34.jcloud.local");
   

4. 网上搜到的配置方法说法不一,很多说是client_jaas.conf配置错误导致的,经实际测试,这几个配置都不需要:

   conf.set("hbase.master.keytab.file", "/tmp/client_jaas.conf");
   conf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@EXAMPLEASIAINFO.COM");
   System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");
   

其他可能原因

1. 检查本机和kerberos server所在机器的时间差是否在5分钟以内,kerberos设置的kdc server和客户端的时间差不能超过5分钟,以防止客户端通过修改系统时间来使用已过期的票据. 如果时间差过大会报错:

Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37) - PROCESS_TGS)