Notes on a Cloudera Manager "Kerberos credentials missing" problem
Summary
I installed an MIT Kerberos server on a Linux host and then ran the enable-Kerberos setup wizard in the Cloudera Manager web UI.
The wizard failed, and after refreshing the Cloudera Manager home page I saw many Configuration Issues saying that the Kerberos Credentials of every service were in the missing state.
Generate Missing Credentials in the web UI could not produce the credential files either.
Looking at the logs showed that the keytab needed by the script run in the background did not exist; this keytab is the one used by the CDH Hadoop components. Generating these keytabs has to be done by a Kerberos user with admin privileges (using the kadmin -q "addprinc ..." command).
Below are the steps I took to track down the error.
Searching the logs related to the error
In Cloudera Manager (version 6.2.1 in this environment), go to Diagnostics -> Logs.
Since the error said the credentials could not be found, I narrowed the time range and searched on a keyword.
You can see that the Cloudera Manager server failed while running the script /opt/cloudera/cm/bin/gen_credentials.sh, so the Kerberos credentials needed by each Hadoop service could not be generated. The script's failure point was that the keytab file was not created.
Investigating why the script failed
So I went to the Cloudera Manager server to look at the script.
cat /opt/cloudera/cm/bin/gen_credentials.sh
#!/usr/bin/env bash
# Copyright (c) 2011 Cloudera, Inc. All rights reserved.
set -e
set -x
# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH
CMF_REALM=${CMF_PRINCIPAL##*\@}
KEYTAB_OUT=$1
PRINC=$2
MAX_RENEW_LIFE=$3
KADMIN="kadmin -k -t $CMF_KEYTAB_FILE -p $CMF_PRINCIPAL -r $CMF_REALM"
RENEW_ARG=""
if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_ARG="-maxrenewlife \"$MAX_RENEW_LIFE sec\""
fi
if [ -z "$KRB5_CONFIG" ]; then
  echo "Using system default krb5.conf path."
else
  echo "Using custom config path '$KRB5_CONFIG', contents below:"
  cat $KRB5_CONFIG
fi
$KADMIN -q "addprinc $RENEW_ARG -randkey $PRINC"
if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_LIFETIME=`$KADMIN -q "getprinc -terse $PRINC" | tail -1 | cut -f 12`
  if [ $RENEW_LIFETIME -eq 0 ]; then
    echo "Unable to set maxrenewlife"
    exit 1
  fi
fi
$KADMIN -q "xst -k $KEYTAB_OUT $PRINC"
chmod 600 $KEYTAB_OUT
From the script above you can see that generating the Kerberos keytabs for each Hadoop service requires CMF_KEYTAB_FILE, and that file is generated from the Kerberos Account Manager Credentials I entered in the Cloudera Manager web UI.
I tried re-entering, in the Cloudera Manager web UI, the KDC admin account I had created manually on the KDC server, but it still did not work.
Where it is in the web UI: Cloudera Manager home page -> Administration (top bar) -> Security -> Kerberos Credentials -> Import Kerberos Account Manager Credentials.
What was certain is that the KDC admin account information was not wrong.
So I compared the KDC server's configuration file with that of a working KDC server and found that the logging section was missing, so I added it.
The following is run on the KDC server host:
% cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SHOUNENG.COM = {
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
max_renewable_life = 30m
master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
max_life = 30d
max_renewable_life = 31d
#removed supported_enctypes aes256-cts:normal and aes128-cts:normal
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
# the logging section below is what was added
[logging]
admin_server = FILE:/var/log/kdc_admin.log
kdc = FILE:/var/log/kdc.log
After enabling logging, I tried creating the Hadoop service credentials again while watching the KDC server's log, and saw the following error:
% sed -n '1,50p' /var/log/kdc_admin.log
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): setting up network...
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: setsockopt(12,IPV6_V6ONLY,1) worked
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): set up 6 sockets
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/admin@SHOUNENG.COM*...>
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): Seeding random number generator
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): starting
Oct 15 23:42:24 host-10-17-100-90 kadmind[19125](Notice): Request: kadm5_init, root/admin@SHOUNENG.COM, success, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160, vers=4, flavor=6
Oct 15 23:42:29 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:42:46 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_policy, default, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_create_principal, zyx1@ZYX.COM, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
I saw a syntax error:
kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/admin@SHOUNENG.COM*...>
Comparing with a working KDC server, */admin@SHOUNENG.COM* should be changed to */admin@SHOUNENG.COM * (a space was missing).
After the change I restarted the KDC service, and recreating the credentials succeeded.
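As an added example (not the author's or Cloudera's code): a small Python pre-flight check for kadm5.acl, worth running before restarting the KDC because the log above shows kadmind reporting the ACL syntax error, starting anyway, and then denying every request. It flags a line whose pattern and rights are fused into one token, as in */admin@SHOUNENG.COM*, and shows which client principals the corrected entry grants rights to; the matching and precedence rules are a simplified model of MIT kadmind's, and the sample lines are constructed from the page.

```python
# Rights letters understood by kadmind; an uppercase letter withdraws the right.
RIGHTS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw", "i": "inquire",
          "l": "list", "p": "iprop", "s": "setkey", "e": "extract"}

def parse_rights(field):
    """Return the set of granted rights, or None if the field is not a rights string."""
    granted = set()
    for ch in field:
        if ch in "x*":                      # shorthand for every right
            granted |= set(RIGHTS.values())
        elif ch in RIGHTS:
            granted.add(RIGHTS[ch])
        elif ch.lower() in RIGHTS:          # e.g. 'L' withdraws the list right
            granted.discard(RIGHTS[ch.lower()])
        else:
            return None
    return granted

def parse_kadm5_acl(text):
    """Return (entries, errors): entries are (client_pattern, rights, target) tuples,
    errors are (line_number, message) pairs for lines kadmind would reject."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are skipped
            continue
        fields = line.split()
        rights = parse_rights(fields[1]) if len(fields) > 1 else None
        if rights is None:   # the page's case: pattern and rights fused into one token
            errors.append((lineno, "syntax error, expected 'pattern rights [target]': %r" % line))
        else:
            entries.append((fields[0], rights, fields[2] if len(fields) > 2 else None))
    return entries, errors

def principal_matches(pattern, principal):
    """Component-wise match: '*' stands for one whole name component or for the realm."""
    if pattern == "*": return True
    p_name, _, p_realm = pattern.partition("@")
    n_name, _, n_realm = principal.partition("@")
    p_parts, n_parts = p_name.split("/") + [p_realm], n_name.split("/") + [n_realm]
    return len(p_parts) == len(n_parts) and all(a in ("*", b) for a, b in zip(p_parts, n_parts))

def is_allowed(entries, client, right):
    """Simplified model of kadmind's rule (assumption): the first matching entry decides."""
    for pattern, rights, _target in entries:
        if principal_matches(pattern, client):
            return right in rights
    return False

# Constructed samples: the line kadmind rejected in the page's log, and its corrected form.
BROKEN_ACL = "*/admin@SHOUNENG.COM*\n"
FIXED_ACL = "*/admin@SHOUNENG.COM *\n"
```

Running parse_kadm5_acl over the real /var/kerberos/krb5kdc/kadm5.acl and failing on a non-empty error list is the whole check; is_allowed then confirms that the CM admin principal (root/admin@SHOUNENG.COM here) actually gets the add and extract rights gen_credentials.sh needs.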