Troubleshooting a Cloudera Manager Kerberos "credentials missing" problem


Summary

I installed an MIT Kerberos server on a Linux host and then ran the Enable Kerberos wizard in the Cloudera Manager web UI. The wizard failed, and after refreshing the Cloudera Manager home page there were many Configuration Issues reporting that the Kerberos credentials of every service were in the missing state.

Clicking Generate Missing Credentials in the web UI did not produce the credential files either. The log showed that the keytab the background script needs did not exist; that keytab is the one the CDH Hadoop components use. Generating those keytabs requires a Kerberos principal with admin rights (the script creates each service principal with kadmin -q "addprinc ..." and then exports its key).

Below are the steps I took to track the error down.

Searching the logs for the error

Open Cloudera Manager (this environment runs version 6.2.1) and go to Diagnostics --> Logs.

[Screenshot: Cloudera Manager Web UI Logs]

Because the error said the credentials could not be found, I narrowed the time range and searched for that keyword.

[Screenshot: Cloudera Kerberos No keytab Error]

The log shows that the Cloudera Manager server ran the script /opt/cloudera/cm/bin/gen_credentials.sh and that it failed, which is why the Kerberos credentials for the Hadoop services could not be generated.

The script failed at the step that writes the keytab file.

Investigating why the script fails

So I looked at the script on the Cloudera Manager server.

cat /opt/cloudera/cm/bin/gen_credentials.sh
#!/usr/bin/env bash

# Copyright (c) 2011 Cloudera, Inc. All rights reserved.

set -e
set -x

# Explicitly add RHEL5/6, SLES11/12 locations to path
export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:$PATH

# Realm is taken from the Cloudera Manager admin principal (everything after '@')
CMF_REALM=${CMF_PRINCIPAL##*\@}

KEYTAB_OUT=$1
PRINC=$2
MAX_RENEW_LIFE=$3

# Every kadmin call authenticates with the Cloudera Manager keytab built from
# the Kerberos Account Manager Credentials, not with a password
KADMIN="kadmin -k -t $CMF_KEYTAB_FILE -p $CMF_PRINCIPAL -r $CMF_REALM"
RENEW_ARG=""
if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_ARG="-maxrenewlife \"$MAX_RENEW_LIFE sec\""
fi

if [ -z "$KRB5_CONFIG" ]; then
  echo "Using system default krb5.conf path."
else
  echo "Using custom config path '$KRB5_CONFIG', contents below:"
  cat $KRB5_CONFIG
fi

# Create the service principal with a random key
$KADMIN -q "addprinc $RENEW_ARG -randkey $PRINC"

if [ $MAX_RENEW_LIFE -gt 0 ]; then
  RENEW_LIFETIME=`$KADMIN -q "getprinc -terse $PRINC" | tail -1 | cut -f 12`
  if [ $RENEW_LIFETIME -eq 0 ]; then
    echo "Unable to set maxrenewlife"
    exit 1
  fi
fi

# Export the principal's key into the keytab Cloudera Manager asked for
$KADMIN -q "xst -k $KEYTAB_OUT $PRINC"
chmod 600 $KEYTAB_OUT

The script shows that generating the Kerberos keytab for each Hadoop service relies on CMF_KEYTAB_FILE, which Cloudera Manager builds from the Kerberos Account Manager Credentials entered in its web UI.

I tried re-entering the KDC admin account that I had created by hand on the KDC server into the Cloudera Manager web UI, but it still did not work.

Where this is in the web UI: Cloudera Manager home page --> Administration (top bar) --> Security --> Kerberos Credentials --> Import Kerberos Account Manager Credentials

What I could be sure of was that the KDC admin account details were correct. Importing them successfully only proves that the principal can authenticate to kadmind, though; whether kadmind then lets that principal create principals and export keys is a separate decision, made from kadm5.acl.

So I compared the KDC server's configuration file with that of a working KDC server and noticed that the logging section was missing, so I added it.

The following is run on the KDC server:

% cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SHOUNENG.COM = {
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  max_renewable_life = 30m
  master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  max_life = 30d
  max_renewable_life = 31d
  #removed supported_enctypes aes256-cts:normal and aes128-cts:normal
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }

# The logging section below is what I added
[logging]
 admin_server = FILE:/var/log/kdc_admin.log
 kdc = FILE:/var/log/kdc.log
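Before copying that file, look at what it actually enables. The realm block sets supported_enctypes and max_renewable_life twice each, the AES enctypes have been commented out, and what is left is single DES, 3DES and RC4 with a des3 master key. MIT krb5 has treated the DES enctypes as weak since 1.8 and refuses them unless allow_weak_crypto = true is set, and 3DES and RC4 are deprecated in current releases, so this file only works on an old KDC and gives every service keytab weak keys. The usual reason for dropping aes256 is a JDK without the unlimited-strength JCE policy; the fix for that is to keep aes128, or to use a JDK of 8u161 or later where unlimited strength is the default, not to fall back to DES. Below is the realm and logging section as I would ship it. This is an added example, not a file from the post or from Cloudera, and it keeps the realm, paths and lifetimes the post shows.

```ini
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 SHOUNENG.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  dict_file = /usr/share/dict/words
  # AES only: no DES, 3DES or RC4 keys are ever issued for service principals
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
  # the master key type is fixed when kdb5_util create runs (see note below)
  master_key_type = aes256-cts-hmac-sha1-96
  max_life = 30d
  # one value only; the original file set this twice (30m, then 31d)
  max_renewable_life = 31d
 }

[logging]
 kdc = FILE:/var/log/kdc.log
 admin_server = FILE:/var/log/kdc_admin.log
```

Changing supported_enctypes does not re-key principals that already exist, so regenerate the service credentials (or re-create the principals) afterwards. master_key_type cannot simply be edited on an existing database either: roll the master key with kdb5_util add_mkey, use_mkey and update_princ_encryption, or re-create the database, otherwise the KDC will not be able to open the stash.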

With logging enabled, I retried creating the Hadoop service credentials while watching the KDC server's log, and saw the following:

% sed -n '1,50p' /var/log/kdc_admin.log
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): setting up network...
kadmind: setsockopt(10,IPV6_V6ONLY,1) worked
kadmind: setsockopt(12,IPV6_V6ONLY,1) worked
kadmind: setsockopt(14,IPV6_V6ONLY,1) worked
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](info): set up 6 sockets
Oct 15 23:41:13 host-10-17-100-90 kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/admin@SHOUNENG.COM*...>
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): Seeding random number generator
Oct 15 23:41:13 host-10-17-100-90 kadmind[19125](info): starting
Oct 15 23:42:24 host-10-17-100-90 kadmind[19125](Notice): Request: kadm5_init, root/admin@SHOUNENG.COM, success, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160, vers=4, flavor=6
Oct 15 23:42:29 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:42:46 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_principals, *, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_get_policy, default, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160
Oct 15 23:43:07 host-10-17-100-90 kadmind[19125](Notice): Unauthorized request: kadm5_create_principal, zyx1@ZYX.COM, client=root/admin@SHOUNENG.COM, service=kadmin/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM, addr=10.17.101.160

There is a syntax error in it:

kadmind[19124](Error): /var/kerberos/krb5kdc/kadm5.acl: syntax error at line 1 <*/admin@SHOUNENG.COM*...>

Comparing with a working KDC server, */admin@SHOUNENG.COM* has to be */admin@SHOUNENG.COM * (the space was missing). Each kadm5.acl entry has the form principal permissions [target_principal [restrictions]], with the fields separated by whitespace, and * in the permissions field means all privileges. Without the space the whole line is a single principal token with no permissions field at all, which is exactly the syntax error kadmind logs at startup. kadmind then ran with no usable entry, so authenticating root/admin@SHOUNENG.COM still succeeded (the kadm5_init line) but every operation after it was refused as Unauthorized request: the ACL fails closed, which is also why re-importing correct credentials in Cloudera Manager could not help.

After fixing the file and restarting the Kerberos services (the log above shows kadmind parsing kadm5.acl at startup, so kadmind at least must be restarted), re-creating the credentials succeeded.
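To make the failure above reproducible without a KDC, here is a small offline checker that parses kadm5.acl text the way the post's log implies kadmind does and then asks whether a given client may run a given kadmin command. It is an added example, not code from the post, from Cloudera, or from MIT krb5; it models the rules documented in kadm5.acl(5) (whitespace-separated fields, * as a wildcard inside a name component, first matching entry decides) and the mapping from kadmin commands to permission letters is an assumption stated in the code. The sample ACL texts, the audit/admin principal and the hdfs/ service principal are constructed for the example; the broken line is the one from the post.

```python
"""Offline checker for MIT Kerberos kadm5.acl files (added example; not code from
the post, Cloudera or MIT krb5).  Models kadm5.acl(5): "principal permissions
[target_principal [restrictions]]" per line, whitespace separated, '#' comments,
'*' wildcard within a name component, first match wins; restrictions ignored."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# kadm5.acl(5) permission letters: lowercase grants, uppercase revokes;
# 'x' and '*' are treated as every flag, 'e' (extract keys) included.
PERM_CHARS = "admcilpse"
ALL_PERMS = frozenset(PERM_CHARS)

# Flag kadmind checks per kadmin command (assumed mapping: plain ktadd/xst
# randomizes the key, so 'c'; -norandkey reads the stored keys, so 'e').
KADMIN_COMMANDS = {"addprinc": "a", "delprinc": "d", "modprinc": "m",
                   "cpw": "c", "getprinc": "i", "getpol": "i",
                   "listprincs": "l", "xst": "c", "xst -norandkey": "e"}

@dataclass
class AclEntry:
    client: str
    allowed: FrozenSet[str]
    target: Optional[str] = None

def parse_perms(token: str) -> FrozenSet[str]:
    """Expand a permission field such as 'admcil' or '*E' into a flag set."""
    allowed = set()
    for ch in token:
        if ch in ("x", "*"):
            allowed |= ALL_PERMS
        elif ch in PERM_CHARS:
            allowed.add(ch)
        elif ch.lower() in PERM_CHARS:
            allowed.discard(ch.lower())
        else:
            raise ValueError(f"unknown permission character {ch!r}")
    return frozenset(allowed)

def parse_acl(text: str, path: str) -> Tuple[List[AclEntry], List[str]]:
    """Malformed lines are reported like the kadmind log line and grant nothing."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # "*/admin@SHOUNENG.COM*" is ONE field: no permissions
        try:
            if len(fields) < 2:
                raise ValueError("missing permission field")
            entries.append(AclEntry(fields[0], parse_perms(fields[1]),
                                    fields[2] if len(fields) > 2 else None))
        except ValueError:
            errors.append(f"{path}: syntax error at line {lineno} <{line}...>")
    return entries, errors

def _split(name: str, default_realm: str) -> Tuple[List[str], str]:
    body, sep, realm = name.rpartition("@")
    if not sep:  # no '@': krb5_parse_name would append the default realm
        body, realm = name, default_realm
    return body.split("/"), realm

def _glob(pattern: str, value: str) -> bool:
    # '*' matches any run of characters within one component; the rest is literal
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None

def principal_matches(pattern: str, name: str, default_realm: str) -> bool:
    pcomps, prealm = _split(pattern, default_realm)
    ncomps, nrealm = _split(name, default_realm)
    return (len(pcomps) == len(ncomps) and _glob(prealm, nrealm)
            and all(_glob(p, n) for p, n in zip(pcomps, ncomps)))

def authorize(entries: List[AclEntry], client: str, command: str,
              target: Optional[str], default_realm: str) -> bool:
    """First entry matching the client (and the target, when both have one)
    decides; no match is a denial, the 'Unauthorized request' in the log."""
    needed = KADMIN_COMMANDS[command]
    for e in entries:
        if not principal_matches(e.client, client, default_realm):
            continue
        if e.target and target and not principal_matches(e.target, target, default_realm):
            continue
        return needed in e.allowed
    return False

# Constructed inputs: the broken line from the post, and a corrected file that
# also shows that order matters (listed second, audit/admin would get '*').
BROKEN_ACL = "*/admin@SHOUNENG.COM*\n"
FIXED_ACL = ("# first match wins, so the restricted entry comes first\n"
             "audit/admin@SHOUNENG.COM i\n"
             "*/admin@SHOUNENG.COM *\n")
ACL_PATH = "/var/kerberos/krb5kdc/kadm5.acl"
REALM = "SHOUNENG.COM"

def check_client(acl_text: str, client: str = "root/admin@SHOUNENG.COM") -> dict:
    """Replay the operations from the post's kadmind log plus the xst that
    gen_credentials.sh runs, for one client against one ACL text."""
    entries, errors = parse_acl(acl_text, ACL_PATH)
    target = "hdfs/host-10-17-100-90.coe.cloudera.com@SHOUNENG.COM"  # constructed
    return {"errors": errors, **{cmd: authorize(entries, client, cmd, target, REALM)
                                 for cmd in ("listprincs", "getpol", "addprinc", "xst")}}
```

check_client(BROKEN_ACL) returns the same syntax-error text as the kadmind log and False for every operation, which is the "Unauthorized request" pattern above even though the client authenticated; check_client(FIXED_ACL) allows them all for root/admin, while audit/admin, matched by the earlier and narrower entry, can only inquire. Two things the model makes visible: a single malformed line removes the grant rather than producing a permissive default, and because the first matching entry wins, any least-privilege entry for a specific admin principal has to sit above the */admin wildcard or it is never consulted.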