Problems encountered when adding Kerberos to Impala, how to fix them, and things to watch out for


Keep creating, grow faster! This is day 3 of my participation in the Juejin "Daily New Plan · October Update Challenge".

Continuing from the previous article.

Problems

impalad fails to start

Error:

Failed to obtain Kerberos ticket for principal: root/master.am.com@AM.COM. Shell cmd: 'kinit -k -t /etc/impala/conf/root-http.keytab root/master.am.com@AM.COM 2>&1' exited with error status: '1'. Stdout was: 'kinit: Permission denied while getting initial credentials
'
. Impalad exiting.
*** Check failure stack trace: ***
    @          0x1b4a2ad  (unknown)
    @          0x1b4cbd6  (unknown)
...
Wrote minidump to /var/log/impala/minidumps/impalad/6cb16f39-930c-2056-76702486-2a8c8d51.dmp

Fix:

chown impala:impala /etc/impala/conf/impala-http.keytab

Error:

E0923 15:32:52.320331 3788567 logging.cc:121] stderr will be logged to this file.
F0923 15:32:52.332217 3788567 init.cc:197] Kerberos principal should be of the form: <service>/<hostname>@<realm> - got: impala@AM.COM
. Impalad exiting.
*** Check failure stack trace: ***
    @          0x1b4a2ad  (unknown)
...
    @     0x7f1c1294e555  __libc_start_main
    @           0x80068d  (unknown)

Fix: the Kerberos service principal created for Impala, and the keytab generated from it, must contain the node's fully qualified domain name and the realm name, for example impala/impala_host.example.com@TEST.EXAMPLE.COM. Then carry out steps 1 to 6 of the configuration procedure as described.

The catalog service fails to start

E0923 15:48:13.755832 3809847 authentication.cc:160] SASL message (Kerberos (internal)): GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server impala/localhost@AM.COM not found in Kerberos database)
E0923 15:48:16.762388 3809847 authentication.cc:160] SASL message (Kerberos (internal)): GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server impala/localhost@AM.COM not found in Kerberos database)
F0923 15:48:19.763552 3809847 catalogd-main.cc:80] RPC Error: No more data to read.
. Impalad exiting.
*** Check failure stack trace: ***
    @          0x1b4a2ad  (unknown)
...
    @     0x7f268aa67555  __libc_start_main
    @           0x80068d  (unknown)

Fix: edit /etc/default/impala. Before:

IMPALA_CATALOG_ARGS=" -log_dir=${IMPALA_LOG_DIR}"

After:

IMPALA_CATALOG_ARGS=" -log_dir=${IMPALA_LOG_DIR}  -state_store_host=${IMPALA_STATE_STORE_HOST}  -kerberos_reinit_interval=60 -principal=impala/master.am.com@AM.COM -keytab_file=/etc/impala/conf/impala-http.keytab"

Error:

E0923 15:59:00.070447 3825300 TSaslTransport.java:296] SASL negotiation failure
Java exception follows:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1796)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:430)
......

Notes

1. The Kerberos service principal created for Impala, and the keytab generated from it, must contain the node's fully qualified domain name and the realm name, for example impala/impala_host.example.com@TEST.EXAMPLE.COM.

2. In the /etc/default/impala configuration, IMPALA_CATALOG_ARGS must include -state_store_host=${IMPALA_STATE_STORE_HOST}; otherwise starting the catalog service fails with:

TSaslTransport.java:296] SASL negotiation failure
Java exception follows:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

3. After changing the /etc/default/impala configuration, note: restart impalad and statestored so that these configuration changes take effect.

Cluster configuration

In /etc/default/impala, _HOST can be used in place of the current host name, which makes it convenient to share one configuration across the whole cluster, for example:

-principal=impala/_HOST@AM.COM -keytab_file=/etc/impala/conf/impala-httpx.keytab
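The following pre-flight script ties the fixes from this post together: it checks that the keytab is owned by the service user and not readable by others (the "kinit: Permission denied" failure), that the principal has the <service>/<hostname>@<realm> form impalad insists on, that IMPALA_CATALOG_ARGS carries -state_store_host, -principal and -keytab_file (the "Failed to find any Kerberos tgt" failure), and it expands the _HOST placeholder to the node's FQDN. It is an added example, not code from the original post or from the Impala project. The keytab path, the impala service user, the AM.COM realm and the /etc/default/impala path are taken from the post; using hostname -f for the node's FQDN is an assumption.

```shell
#!/bin/sh
# Pre-flight checks for an Impala node before starting impalad/catalogd.
# Added example, not from the original post or the Impala project. It only
# inspects local files and strings and never contacts the KDC.
# Assumed values: keytab /etc/impala/conf/impala-http.keytab, service user
# "impala", config file /etc/default/impala, realm AM.COM (all from the
# post), and `hostname -f` as the source of the node's FQDN (assumption).

# 1. Principal form. impalad aborts with "Kerberos principal should be of
#    the form: <service>/<hostname>@<realm>" when given e.g. impala@AM.COM.
principal_is_service_form() {
    printf '%s\n' "$1" | grep -Eq '^[^/@]+/[^/@]+@[^/@]+$'
}

# 2. Keytab ownership and mode. "kinit: Permission denied" came from a
#    keytab the impala user could not read. Group- or world-readable
#    keytabs are rejected too: a keytab holds the service's long-term key,
#    so anyone who can read it can act as the service.
#    Uses `ls -l` columns rather than GNU stat(1) for portability.
keytab_is_private_to() {
    kt=$1; owner=$2
    [ -f "$kt" ] || return 1
    set -- $(ls -ld "$kt")
    perms=$1; kt_owner=$3
    [ "$kt_owner" = "$owner" ] || return 1
    case "$perms" in
        ????-??-??*) return 0 ;;   # no read bit for group (pos 5) or other (pos 8)
        *) return 1 ;;
    esac
}

# 3. IMPALA_CATALOG_ARGS must carry every flag passed as an argument.
#    A missing -state_store_host produced the SASL "Failed to find any
#    Kerberos tgt" failure in the post.
catalog_args_have() {
    cfg=$1; shift
    line=$(grep -E '^IMPALA_CATALOG_ARGS=' "$cfg" | tail -n 1)
    [ -n "$line" ] || return 1
    for flag in "$@"; do
        case "$line" in
            *"$flag"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# 4. Expand the _HOST placeholder so the resulting principal can be
#    compared with what `klist -kt <keytab>` lists.
expand_host_placeholder() {
    printf '%s\n' "$1" | sed "s/_HOST/$2/g"
}

# Run every check against the real node; returns non-zero if any fails.
preflight() {
    fqdn=$(hostname -f)
    principal=$(expand_host_placeholder 'impala/_HOST@AM.COM' "$fqdn")
    rc=0
    principal_is_service_form "$principal" \
        || { echo "bad principal form: $principal"; rc=1; }
    keytab_is_private_to /etc/impala/conf/impala-http.keytab impala \
        || { echo "keytab not owned by impala or readable by others"; rc=1; }
    catalog_args_have /etc/default/impala -state_store_host -principal -keytab_file \
        || { echo "IMPALA_CATALOG_ARGS is missing a required flag"; rc=1; }
    return $rc
}

# Only touch the live system when invoked as: sh preflight.sh run
if [ "${1:-}" = run ]; then
    preflight
fi
```

Run it as `sh preflight.sh run` on each node before starting the daemons; the check functions return 0 or 1, so they can also be sourced from other administration scripts. The mode check goes one step beyond the post's chown: fixing ownership makes kinit work, but a keytab that stays group- or world-readable still exposes the service key to every local account.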

References

Impala official site: Kerberos configuration