I am trying to set up a single-node Hadoop cluster in secure mode with Kerberos authentication enabled. I have created the keytab file as described in the documentation. However, when debugging with -Dsun.security.krb5.debug=true in HADOOP_OPTS, I see the following error message: Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
Found unsupported keytype (8) for nn/hadoop-kerberos@HADOOP-KERBEROS
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=localhost UDP:3738, timeout=30000, number of retries =3, #bytes=171
Note that I have ../jre/lib/security/local_policy.jar and .../jre/lib/security/US_export_policy.jar on the CLASSPATH.
Also, I have the following in kdc.conf:
[kdcdefaults]
kdc_ports = 3738
kdc_tcp_ports = 3738
[realms]
HADOOP-KERBEROS = {
kadmind_port = 3739
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
#admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
admin_keytab = /etc/krb5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
[logging]
# By default, the KDC and kadmind will log output using
# syslog. You can instead send log output to files like this:
kdc = FILE:/home/build/log/krb5kdc.log
admin_server = FILE:/home/build/log/kadmin.log
default = FILE:/home/build/log/krb5lib.log
klist -e shows the following output for the aleksg user, which I use to run the NameNode with the hadoop namenode command:
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: aleksg@HADOOP-KERBEROS
Valid starting Expires Service principal
07/12/15 09:16:39 07/13/15 09:16:39 krbtgt/HADOOP-KERBEROS@HADOOP-KERBEROS
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
So it looks like Triple DES cbc mode with HMAC/sha1 is being used for the TGT. How can I fix this? I am using hadoop-2.4.0 and jdk1.7.0_25. Could this somehow be related to the permissions of the keytab file, or should I regenerate the keytab file with different encryption types enabled? Thanks!
**(A1)** The Sun/Oracle JDK installs with "weak key encryption" by default (because of now-obsolete US export policy); did you download the "unlimited strength encryption" JARs? *As long as they are in the standard directory, don't worry about the CLASSPATH. **(A2)** Have you tried OpenJDK? **(B)** Some encryption algorithms may be disabled because they are considered "weak"; check that your config files do not violate http://web.mit.edu/Kerberos/krb5-devel/doc/admin/enctypes.html
Hi Samson. Re A1: I have downloaded local_policy.jar and US_export_policy.jar and added them to the CLASSPATH. A question for the future: where is the standard directory you mentioned in your reply? Re A2: I have not tried OpenJDK. Re B: I made some changes on the configuration side and was able to solve the problem. Please see the answer I just posted to my question.
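As an added example, not part of the original question or comments: a small Python checker that reads the sun.security.krb5.debug lines quoted in the question and reports which keytab enctypes the JVM loaded, which it rejected (keytype 8 here), and which of the default_tkt_enctypes it can actually use, flagging the single-DES, RC4 and 3DES types that point (B) above is about. Enctype numbers come from the IANA Kerberos registry; the principal in the sample is a placeholder.

```python
import re

# Kerberos enctype numbers (IANA registry, RFC 3961) seen in the debug output above.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Single DES is broken; RC4 and 3DES are deprecated by MIT Kerberos.
WEAK_ETYPES = {1, 3, 8, 16, 23}
ADDED_RE = re.compile(r"Added key: (\d+)version: \d+")
UNSUPPORTED_RE = re.compile(r"Found unsupported keytype \((\d+)\)")
PREFERENCE_RE = re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\.")

def analyse_krb5_debug(lines):
    """Which keytab enctypes the JVM loaded, which it rejected, and which of
    the client's preferred etypes it can actually use (in preference order)."""
    loaded, unsupported, preference = set(), set(), []
    for line in lines:
        if m := ADDED_RE.search(line):
            loaded.add(int(m.group(1)))
        elif m := UNSUPPORTED_RE.search(line):
            unsupported.add(int(m.group(1)))
        elif (m := PREFERENCE_RE.search(line)) and not preference:
            preference = [int(e) for e in m.group(1).split()]
    return {
        "keytab_etypes": sorted(loaded),
        "unsupported": sorted(unsupported),
        "preference": preference,
        "usable_in_order": [e for e in preference if e in loaded],
        "weak_in_keytab": sorted((loaded | unsupported) & WEAK_ETYPES),
    }

def etype_name(etype):
    return ENCTYPE_NAMES.get(etype, f"etype-{etype}")

# Constructed sample: the question's debug lines with a placeholder principal.
SAMPLE_DEBUG = """\
Found unsupported keytype (8) for nn/host@EXAMPLE.REALM
Added key: 23version: 4
Added key: 16version: 4
Added key: 17version: 4
Added key: 18version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
Added key: 3version: 4
""".splitlines()

if __name__ == "__main__":
    for key, etypes in analyse_krb5_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {[etype_name(e) for e in etypes]}")
```

Run it against your own debug output (one line per list element) to see whether the AES keys are loaded at all; if only 16 and 23 remain usable, the JCE policy or the keytab's enctypes is the place to look.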