java远程连接hadoop,kerbers认证失败 报no supported default etypes for default_tkt_enctypes
@PostConstruct public void init() throws Exception { if (conn == null) { // System.setProperty("hadoop.home.dir", "G:/keyberos/hbase"); System.setProperty("java.security.krb5.conf",krbConf); conf = HBaseConfiguration.create(); conf.set("hbase.zookeeper.property.clientPort", zkPort); conf.set("hbase.zookeeper.quorum", zkHost); conf.set("hbase.master", master); // conf.addResource(hbaseSite); conf.set("hadoop.security.authentication", "kerberos"); conf.set("hbase.security.authentication", "kerberos"); conf.set("hbase.cluster.distributed", "true"); conf.set("hbase.rpc.protection", "authentication"); conf.set("hbase.master.kerberos.principal", principal); // this is needed even if you connect over rpc/zookeeper conf.set("hbase.regionserver.kerberos.principal", principal); //what principal the master/region. servers use. String principal = System.getProperty("kerberosPrincipal", kerberosPrincipal); String keytabLocation = System.getProperty("kerberosKeytab",keyberos); UserGroupInformation.setConfiguration(conf); UserGroupInformation.loginUserFromKeytab(principal, keytabLocation); conn = ConnectionFactory.createConnection(conf); } }
在 UserGroupInformation.loginUserFromKeytab(principal, keytabLocation) 处报错:
java.io.IOException: Login failure for hbase@XXXX.COM from keytab F:/hbase/hbase.keytab: javax.security.auth.login.LoginException: no supported default etypes for default_tkt_enctypes
参数分别为 hbase@XXXX.COM,F:/hbase/hbase.keytab 。
java.security.krb5.conf设置为F:/hbase/krb5.conf :
# Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = XXXX.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true default_tgs_enctypes = aes256-cts-hmac-sha1-96 default_tkt_enctypes = aes256-cts-hmac-sha1-96 permitted_enctypes = aes256-cts-hmac-sha1-96 clockskew = 120 udp_preference_limit = 1 [realms] XXXX.COM = { kdc = bdp01 admin_server = bdp01 } [domain_realm] .xxxx.com = XXXX.COM xxxx.com = XXXX.COM
处理:下载jdk8对应的JCE文件添加到jdk/jre/lib/security下
初步推测是,jdk需要相应的加密解密方式来处理hbase.keytab 文件。
参考https://blog.csdn.net/wulantian/article/details/42173095