kerberos

After enabling Kerberos on Spark, I ran into this problem:

19/12/05 11:57:49 ERROR TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:199)
at org.apache.thrift.transport.TSaslTransport$SaslParticipant.evaluateChallengeOrResponse(TSaslTransport.java:539)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:283)
at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:739)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:736)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1709)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:736)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:269)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:167)
... 14 more
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:522)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 17 more

I was baffled at first. After digging through a lot of material online, the cause turned out to be this: the Kerberos principal's key uses the enctype aes256-cts-hmac-sha1-96, which needs 256-bit AES, but an Oracle JDK 8 older than 8u161 ships with the limited-strength JCE policy that caps AES keys at 128 bits, so the JVM cannot decrypt the AP-REQ and reports the enctype as "not supported/enabled". Note also that the trace comes from the server side (TSaslServerTransport, HadoopThriftAuthBridge$Server), so the JDK to fix is the one the Hive Thrift service in the trace actually runs on, not just the client's. The fix I found:

locate 'jre/lib/security' | grep 'lib/security$'

This lists something like:

/opt/jdk1.7.0_71/jre/lib/security
/opt/jdk1.8.0_121/jre/lib/security
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
/usr/lib/jvm/java-1.8.0-oracle-1.8.0.102.x86_64/jre/lib/security

Go to the directory for the JDK version you actually use. I am on 1.8, so that is /opt/jdk1.8.0_121/jre/lib/security. (Before editing, make sure it really is the JDK the failing service runs under: check that process's JAVA_HOME, or `readlink -f "$(command -v java)"` for the default one; patching a JDK the service does not use changes nothing.) If the directory above does not exist, things are a bit more of a hassle, see further down:

$ cd /opt/jdk1.8.0_121/jre/lib/security
$ ll
-rw-r--r-- 1 user user 3890 Jul 6 2017 blacklist
-rw-r--r-- 1 user user 93987 Aug 28 2017 cacerts
-rw-r--r-- 1 user user 490 Jul 6 2017 cacerts.20160121
-rw-r--r-- 1 user user 93987 Aug 28 2017 cacerts-bak
-rw-r--r-- 1 user user 490 Jul 6 2017 cacerts.bak
-rw-r--r-- 1 user user 158 Jul 6 2017 javafx.policy
-rw-r--r-- 1 user user 2593 Jul 6 2017 java.policy
-rw-r--r-- 1 user user 17838 Jul 6 2017 java.security
-rw-r--r-- 1 user user 98 Jul 6 2017 javaws.policy
-rw-r--r-- 1 user user 2500 Jul 6 2017 local_policy.jar
-rw-r--r-- 1 user user 0 Jul 6 2017 trusted.libraries
-rw-r--r-- 1 user user 2487 Jul 6 2017 US_export_policy.jar

Note local_policy.jar and US_export_policy.jar: these must be the Unlimited Strength versions. Oracle JDK 8 builds before 8u161 ship limited jars that cap AES at 128-bit keys, which is exactly why the JVM refuses aes256-cts-hmac-sha1-96; replacing them with the unlimited jars (and restarting the service) resolves the error. On 8u151 and later you can instead set crypto.policy=unlimited in java.security in the same directory; from 8u161 that is already the default, and the property takes precedence over the jars.

If the directory above is missing (not tested myself, recorded only as a possible fix):
download the JCE Unlimited Strength policy archive and unpack it into /opt/jdk1.8.0_121/jre/lib/security.
The JCE zip contains the following (1.7 version):

$ ls -l UnlimitedJCEPolicy
total 16
-rw-rw-r-- 1 root root 2500 May 31 2011 local_policy.jar
-rw-r--r-- 1 root root 7289 May 31 2011 README.txt
-rw-rw-r-- 1 root root 2487 May 31 2011 US_export_policy.jar

Then just copy the two jars into the security directory as usual and it works.
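To avoid swapping jars blindly, here is a small added script (not part of the original post, and not Oracle's or Spark's tooling) that inspects a JDK 7/8 jre/lib/security directory, reports whether 256-bit AES is allowed, and on 8u151+ flips java.security to the unlimited policy. The function names jce_policy_state and enable_unlimited_policy are hypothetical; it assumes POSIX sh, grep, sed and, for the jar check, unzip.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a JDK 7/8
# jre/lib/security directory permits AES-256 (required for Kerberos keys of
# type aes256-cts-hmac-sha1-96) and enables the unlimited policy on 8u151+.
# Helper names are hypothetical; assumes POSIX sh, grep, sed and unzip.

# jce_policy_state <security_dir>
# Prints one of: unlimited-property, limited-property, unlimited-jar,
# limited-jar, unknown. Exit status 0 means AES-256 is usable.
jce_policy_state() {
    sec="$1/java.security"
    # 8u151 and later: an uncommented crypto.policy line in java.security
    # decides (8u161+ ships it as "unlimited") and overrides the policy jars.
    if [ -f "$sec" ]; then
        val=$(sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$sec" | tail -n 1)
        case "$val" in
            unlimited) echo unlimited-property; return 0 ;;
            limited)   echo limited-property;   return 1 ;;
        esac
    fi
    # JDK 7 and 8 before 8u151: the policy jars decide. The policy file inside
    # local_policy.jar is plain text; the unlimited jar grants
    # CryptoAllPermission, the limited one caps every algorithm at 128 bits.
    jar="$1/local_policy.jar"
    if [ -f "$jar" ] && command -v unzip >/dev/null 2>&1; then
        if unzip -p "$jar" default_local.policy 2>/dev/null | grep -q CryptoAllPermission; then
            echo unlimited-jar; return 0
        fi
        echo limited-jar; return 1
    fi
    echo unknown; return 2
}

# enable_unlimited_policy <security_dir>
# 8u151+: set crypto.policy=unlimited in java.security, keeping a .bak copy.
# Older JDKs have no such property; copy the unlimited jars in instead.
enable_unlimited_policy() {
    sec="$1/java.security"
    [ -f "$sec" ] || { echo "no $sec" >&2; return 1; }
    cp -p "$sec" "$sec.bak"
    if grep -q '^[[:space:]]*#*[[:space:]]*crypto\.policy[[:space:]]*=' "$sec"; then
        # Rewrite the existing line, whether it is commented out or set to limited.
        sed -i.tmp 's/^[[:space:]]*#*[[:space:]]*crypto\.policy[[:space:]]*=.*/crypto.policy=unlimited/' "$sec"
        rm -f "$sec.tmp"
    else
        printf '\ncrypto.policy=unlimited\n' >> "$sec"
    fi
}

# Usage: sh jce_check.sh /opt/jdk1.8.0_121/jre/lib/security
if [ $# -gt 0 ]; then
    printf '%s: ' "$1"
    jce_policy_state "$1"
fi
```

Run it against each directory that `locate` printed; only the one whose state starts with "unlimited" will accept AES256 tickets, and the service must be restarted after the change. The authoritative check is still inside the JVM itself: `javax.crypto.Cipher.getMaxAllowedKeyLength("AES")` returns 2147483647 under the unlimited policy and 128 under the limited one, and it must be run with the same java binary the Thrift server uses.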