zookeeper配置了kerberos之后,zkCli.sh 连接认证死活不通过
连接命令: zkCli.sh
报错如下:
|
1
2
3
|
WatchedEvent state:SyncConnected type:None path:
null
2017
-
08
-
21
10
:
11
:
42
,
054
[myid:] - ERROR [main-SendThread(localhost:
2181
):ZooKeeperSaslClient
@308
] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (
7
) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2017
-
08
-
21
10
:
11
:
42
,
054
[myid:] - ERROR [main-SendThread(localhost:
2181
):ClientCnxn$SendThread
@1072
] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (
7
) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
|
查了很久,终于在kdc的日志中找到了蛛丝马迹,如下
|
1
|
Aug
21
10
:
11
:
42
master krb5kdc[
21935
](info): TGS_REQ (
6
etypes {
18
17
16
23
1
3
})
192.168
.
100.144
: LOOKING_UP_SERVER: authtime
0
, zkcli
@NETEASE
.COM
for
zookeeper/localhost
@NETEASE
.COM, Server not found in Kerberos database
|
原因分析:1、在zookeeper的认证请求中,zookeeper端的默认principall应该是zookeeper/<hostname>@<realm>
2、当采用zkCli.sh 的方式请求中,默认的host应该是localhost
因此在kdc中才会发现客户端的请求和 zookeeper/localhost@NETEASE.COM 这个principal进行认证,但是在kerberos的database中却没有这个principal。
解决方法: 使用zkCli.sh -server host:port 访问。 同时zookeeper配置文件中sever部分的principal必须为zookeeper/<hostname>@<your realm>
本文转自 落花非有意 51CTO博客,原文链接:http://blog.51cto.com/1992zhong/1958018,如需转载请自行联系原作者
