YARN & HDFS2 安装和配置Kerberos
今天尝试在Hadoop 2.x开发集群上配置Kerberos,遇到一些问题,记录一下
设置hadoop security
core-site.xml
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
hadoop.security.authentication默认是simple方式,也就是基于文件系统的验证方式,这里我们改为kerberos
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<property>
<name>dfs.https.enable</name>
<value>false</value>
</property>
<property>
<name>dfs.namenode.https-address</name>
<value>dev80.hadoop:50470</value>
</property>
<property>
<name>dfs.https.port</name>
<value>50470</value>
</property>
<property>
<name>dfs.namenode.keytab.file</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.namenode.kerberos.https.principal</name>
<value>host/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.namenode.secondary.http-address</name>
<value>dev80.hadoop:50090</value>
</property>
<property>
<name>dfs.namenode.secondary.https-port</name>
<value>50470</value>
</property>
<property>
<name>dfs.namenode.secondary.keytab.file</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>dfs.namenode.secondary.kerberos.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.namenode.secondary.kerberos.https.principal</name>
<value>host/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.datanode.data.dir.perm</name>
<value>700</value>
</property>
<property>
<name>dfs.datanode.address</name>
<value>0.0.0.0:1003</value>
</property>
<property>
<name>dfs.datanode.http.address</name>
<value>0.0.0.0:1007</value>
</property>
<property>
<name>dfs.datanode.https.address</name>
<value>0.0.0.0:1005</value>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.datanode.kerberos.https.principal</name>
<value>host/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.datanode.data.dir.perm</name>
<value>700</value>
</property>
<property>
<name>dfs.datanode.address</name>
<value>0.0.0.0:1003</value>
</property>
<property>
<name>dfs.datanode.http.address</name>
<value>0.0.0.0:1007</value>
</property>
<property>
<name>dfs.datanode.https.address</name>
<value>0.0.0.0:1005</value>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.datanode.kerberos.https.principal</name>
<value>host/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/_HOST@DIANPING.COM</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/etc/hadoop.keytab</value>
<description>
The Kerberos keytab file with the credentials for the
HTTP Kerberos principal used by Hadoop-Auth in the HTTP endpoint.
</description>
</property>
dfs.datanode.address表示data transceiver RPC server所绑定的hostname或IP地址,如果开启security,端口号必须小于1024,否则的话启动datanode时候会报“Cannot start secure cluster without privileged resources”错误
jsvc: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
# The jsvc implementation to use. Jsvc is required to run secure datanodes.
export JSVC_HOME=/usr/local/hadoop/hadoop-2.1.0-beta/libexec
# On secure datanodes, user to run the datanode as after dropping privileges
export HADOOP_SECURE_DN_USER=hadoop
# The directory where pid files are stored. /tmp by default
export HADOOP_SECURE_DN_PID_DIR=/usr/local/hadoop
# Where log files are stored in the secure data environment.
export HADOOP_SECURE_DN_LOG_DIR=/data/logs
ON
"
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>yarn.nodemanager.keytab</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>yarn.nodemanager.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
<property>
<name>yarn.nodemanager.container-executor.class</name>
<value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
<name>yarn.nodemanager.linux-container-executor.group</name>
<value>hadoop</value>
</property>
Caused by: org.apache.hadoop.util.Shell$ExitCodeException: File /usr/local/hadoop/hadoop-2.1.0-beta/etc/hadoop must be owned by root, but is owned by 500
at org.apache.hadoop.util.Shell.runCommand(Shell.java:458)
at org.apache.hadoop.util.Shell.run(Shell.java:373)
at org.apache.hadoop.util.Shell$ShellCommandExecutor.execute(Shell.java:578)
at org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor.init(LinuxContainerExecutor.java:147)
/container-executor.cfg
min.user.id=499
<property>
<name>mapreduce.jobhistory.keytab</name>
<value>/etc/hadoop.keytab</value>
</property>
<property>
<name>mapreduce.jobhistory.principal</name>
<value>hadoop/_HOST@DIANPING.COM</value>
</property>
[hadoop@dev80 hadoop]$ kinit -r 24l -k -t /home/hadoop/.keytab hadoop
[hadoop@dev80 hadoop]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: hadoop@DIANPING.COM
Valid starting Expires Service principal
09/11/13 15:25:34 09/12/13 15:25:34 krbtgt/DIANPING.COM@DIANPING.COM
renew until 09/12/13 15:25:34
其中/tmp/krb5cc_500就是ticket cache file, 500表示hadoop帐号的uid,默认会读取
13/09/11 16:21:35 ERROR security.UserGroupInformation: PriviledgedActionException as:hadoop (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
附上keytab中的principal
[hadoop@dev80 hadoop]$ klist -k -t /etc/hadoop.keytab
Keytab name: WRFILE:/etc/hadoop.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 hadoop/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 host/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
1 06/17/12 22:01:24 HTTP/dev80.hadoop@DIANPING.COM
YARN & HDFS2 安装和配置Kerberos的更多相关文章
- (转)RedHat/CentOS安装和配置kerberos
RedHat/CentOS安装和配置kerberos 需要在kerberos server和客户端都先安装ntp (Internet时间协议,保证服务器和客户机时间同步 ) 1 kerberos 服 ...
- CentOS6安装各种大数据软件 第九章:Hue大数据可视化工具安装和配置
相关文章链接 CentOS6安装各种大数据软件 第一章:各个软件版本介绍 CentOS6安装各种大数据软件 第二章:Linux各个软件启动命令 CentOS6安装各种大数据软件 第三章:Linux基础 ...
- Hadoop-2.6.0 集群的 安装与配置
1. 配置节点bonnie1 hadoop环境 (1) 下载hadoop- 2.6.0 并解压缩 [root@bonnie1 ~]# wget http://apache.fayea.com/had ...
- Spark(三): 安装与配置
参见 HDP2.4安装(五):集群及组件安装 ,安装配置的spark版本为1.6, 在已安装HBase.hadoop集群的基础上通过 ambari 自动安装Spark集群,基于hadoop yarn ...
- 在虚拟机VM中安装的Ubuntu上安装和配置Hadoop
一.系统环境: 我使用的Ubuntu版本是:ubuntu-12.04-desktop-i386.iso jdk版本:jdk1.7.0_67 hadoop版本:hadoop-2.5.0 二.下载jdk和 ...
- 完全分布式Hadoop2.3安装与配置
一.Hadoop基本介绍 Hadoop优点 1.高可靠性:Hadoop按位存储和处理数据 2.高扩展性:Hadoop是在计算机集群中完成计算任务,这个集群可以方便的扩展到几千台 3.高效性:Hadoo ...
- Mysql多实例 安装以及配置
MySQL多实例 1.什么是MySQL多实例 简单地说,Mysql多实例就是在一台服务器上同时开启多个不同的服务端口(3306.3307),同时运行多个Mysql服务进程,这些服务进程通过不同的soc ...
- 在Linux上怎么安装和配置Apache Samza
samza是一个分布式的流式数据处理框架(streaming processing),它是基于Kafka消息队列来实现类实时的流式数据处理的.(准确的说,samza是通过模块化的形式来使用kafka的 ...
- 浅谈 zookeeper 原理,安装和配置
当前云计算流行, 单一机器额的处理能力已经不能满足我们的需求,不得不采用大量的服务集群.服务集群对外提供服务的过程中,有很多的配置需要随时更新,服务间需要协调工作,那么这些信息如何推送到各个节点?并且 ...
随机推荐
- 转 释一首美国民谣:沉默之音(The Sound Of Silence)
Ask not what your country can do for you , ask what you can do for your country. 六十年代对美国而言是个多事之秋的 ...
- Three Swaps DFS
E. Three Swaps time limit per test 1 second memory limit per test 256 megabytes input standard input ...
- 通过自定义window来实现提示框效果
#import <UIKit/UIKit.h>#import <Foundation/Foundation.h> @interface ZMStatuBarHud : NSOb ...
- ios7毛玻璃效果实现
首先看效果: 核心代码: //加模糊效果,image是图片,blur是模糊度 - (UIImage *)blurryImage:(UIImage *)image withBlurLevel ...
- [cocos2d-x]用CCSpriteBatchNode进行文理贴图的优化
引言: 我们在进行手机游戏开发的过程中,由于手机的内存资源是有限的,那么对纹理贴图的优化是非常有必要的,有可能相同的功能,优化的好与不好对内存资源的消耗是非常明显的,下面我就用一个例子来说明一下. 说 ...
- 详解iOS开发之自定义View
iOS开发之自定义View是本文要将介绍的内容,iOS SDK中的View是UIView,我们可以很方便的自定义一个View.创建一个 Window-based Application程序,在其中添加 ...
- linux下内存调试工具——valgrind
1.valgrind之memcheck 最常用的工具,用来检测程序中出现的内存问题,所有对内存的读写都会被检测到,一切对malloc()/free()/new/delete的调用都会被捕获.所以,它 ...
- Android中的一些基础知识(二)
这几天在回顾Android的基础知识,就把一些常见的知识点整理一下,以后忘了也可以翻出来看一看. 简单介绍一下Activity的生命周期 在API文档中对生命周期回调的函数描述的很详细,这里我只是翻译 ...
- Python 第一章 基础知识
如果熟其他计算机语言,可能会习惯于每行以分号结束.Python则不同,一行就是一行,不管多少. 如果喜欢的话,可以加上分号,但是不会有任何作用(除非同一行还有更多的代码),而且这也不是同行的做法. & ...
- FastStone Capture(FSCapture) 注册码 _图形图像_软件教程_脚本之家
FastStone Capture(FSCapture) 注册码 _图形图像_软件教程_脚本之家 FastStone Capture 注册码 序列号: name/用户名:TEAM JiOO key/注 ...