Problem description
We are developing a web application that interacts with Hadoop components such as HDFS, HBase and Impala. The cluster is kerberized, and we are authenticating with a JAAS config. We are configuring JAAS in VM arguments as below:
-Djava.security.auth.login.config=/user/gss-jaas.conf
-Djava.security.krb5.conf=/user/krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false
Our JAAS config is as below
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="file:C:/blah/blah/dummy.keytab"
    principal="[email protected]"
    debug=false;
};
It works fine when connecting to HBase and HDFS. But while connecting with Impala, we are facing problems. We can connect with Impala when we change com.sun.security.jgss.initiate to Client. But we don't want to change or switch between JAAS configs.
Is there any way we can use the same JAAS config file for all services? We don't want to use System.setProperties to do this. Also, when switching between JAAS configs we are getting exceptions. So using the same config file would be better.
Any help?
Recommended answer
You don't have to switch. Use both!
Did you wonder why there are two mandatory ; -- one after the last parameter, and one after the brace? That's because you can have multiple mechanisms defined inside the section (tried from 1st to last), and multiple sections (with different names) in the same config file.
Look into the Kafka documentation for example, how they set the JAAS configuration for both the broker and the client apps in the same file: http://docs.confluent.io/current/kafka/sasl.html
And in case you are curious about the multiple mechanisms, look into the Java documentation (but be careful, that stuff is a nightmare to tweak and debug...) https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html