How to disable Kerberos in CDH, plus the problems encountered along the way and how they were solved.
Steps
- HBase: change hbase.security.authentication to simple and uncheck hbase.security.authorization
- HDFS: change hadoop.security.authentication to simple, uncheck hadoop.security.authorization, and restore the DataNode's dfs.datanode.address to port 50010 and dfs.datanode.http.address to port 50075
- ZooKeeper: uncheck enableSecurity
- Hue: delete the Kerberos Ticket Renewer instance
- Before restarting the cluster, manually set the ACL of every znode under /hbase in ZooKeeper to world:anyone:cdrwa. Do this as the hbase account from hbase zkcli. If zkcli fails to start with a jline-related error, delete the 0.9 jline version from the zookeeper/lib directory and copy the 1.1.2 version into that directory.
Errors encountered
1. DataNodes fail to start
Error message:
java.io.IOException: Failed on local exception: java.net.SocketException: Permission denied; Host Details : local host is: "xxxxx"; destination host is: (unknown)
Fix:
Restore the DataNode's dfs.datanode.address to 50010 and dfs.datanode.http.address to 50075. The "Permission denied" comes from the DataNode still trying to bind the privileged ports it used in secure mode, which it can no longer do once Kerberos is off and it runs as an unprivileged user.
2. After disabling Kerberos, HBase fails to start
Error message:
After disabling Kerberos, restarting HBase fails with: Authentication is not valid : /hbase
Cause:
Once Kerberos was enabled for ZooKeeper and HBase, the znodes under /hbase became owned by the hbase principal, and their ACLs still grant access only to it.
Fix:
Re-enable Kerberos, then manually set the ACL of every znode under /hbase in ZooKeeper to world:anyone:cdrwa.
Do this as the hbase account from hbase zkcli. If zkcli fails to start with a jline-related error, delete the 0.9 jline version from the zookeeper/lib directory and copy the 1.1.2 version into that directory.
backing out kerberos is not an automatic process currently as there can be many services using Zookeeper and it retains those ACLs which were set while kerberos was enabled. We have developed a little java program for our customers that backs out the ACLs from ZK, but all it really does is iterate over all the znodes in /hbase and set their acls to world:anyone.
So, you can just manually do this as well. This is an example:
setAcl /hbase world:anyone:cdrwa
You would need to do that on every znode under /hbase and the master will start.
References:
- HBase fails to start with an error “NoAuth for /hbase/
- Disabling Kerberos for CDH
- how to remove a node in zookeeper, forcibly ?
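The manual setAcl-on-every-znode step above is easy to get wrong on a busy /hbase tree (region server and table znodes change between runs), so here is an added example of the walk, written for this page and not the Java program mentioned in the quote. It recurses from /hbase, parents before children, and either emits the equivalent zkCli setAcl lines for pasting into hbase zkcli or applies the ACL through two injected callables; a znode that refuses the update (the NoAuth case behind the error above) is recorded and skipped instead of aborting the run. The tree and the failing znode are constructed for the dry run. Hooking it to a real client is an assumption not verified here: with kazoo you would pass KazooClient.get_children and a wrapper that calls KazooClient.set_acls with kazoo.security.OPEN_ACL_UNSAFE, authenticated as the hbase principal.

```python
"""Reset the ACL of every znode under /hbase to world:anyone:cdrwa.

Added example, not the Java program the page quotes. The walk and the
ACL update take callables so the same code runs against a real ZooKeeper
client or against the constructed in-memory tree used for the dry run.
"""
from typing import Callable, Dict, Iterable, List

# zkCli's "world:anyone:cdrwa": scheme world, id anyone, all five permission bits
OPEN_ACL = "world:anyone:cdrwa"


def walk_znodes(root: str, get_children: Callable[[str], Iterable[str]]) -> List[str]:
    """Return root plus every descendant path, each parent before its children."""
    paths: List[str] = []
    stack = [root]
    while stack:
        path = stack.pop()
        paths.append(path)
        # push in reverse-sorted order so children pop out in sorted order
        for child in sorted(get_children(path), reverse=True):
            stack.append(f"/{child}" if path == "/" else f"{path}/{child}")
    return paths


def reset_acls(
    root: str,
    get_children: Callable[[str], Iterable[str]],
    set_acl: Callable[[str, str], None],
) -> Dict[str, List[str]]:
    """Apply OPEN_ACL to every znode under root.

    A znode whose update fails (for example NoAuth because the caller is not
    the hbase principal) is recorded and skipped, so one bad znode does not
    abort the rest of the walk.
    """
    updated: List[str] = []
    failed: List[str] = []
    for path in walk_znodes(root, get_children):
        try:
            set_acl(path, OPEN_ACL)
            updated.append(path)
        except Exception as exc:  # assumption: the client raises on a denied update
            failed.append(f"{path}: {exc}")
    return {"updated": updated, "failed": failed}


def zkcli_script(paths: Iterable[str], acl: str = OPEN_ACL) -> str:
    """Render the equivalent commands, one setAcl per znode, for hbase zkcli."""
    return "\n".join(f"setAcl {path} {acl}" for path in paths)


# Constructed snapshot of a /hbase subtree (not captured from a real cluster).
SAMPLE_TREE: Dict[str, List[str]] = {
    "/hbase": ["meta-region-server", "rs", "table", "master"],
    "/hbase/rs": ["node1.example,16020,1", "node2.example,16020,1"],
    "/hbase/table": ["hbase:meta", "t1"],
}


def sample_children(path: str) -> List[str]:
    """get_children against the constructed tree; leaves have no entry."""
    return SAMPLE_TREE.get(path, [])


def dry_run() -> Dict[str, List[str]]:
    """Walk the sample tree, updating every znode except one that denies access."""
    applied: List[str] = []

    def fake_set_acl(path: str, acl: str) -> None:
        if path == "/hbase/master":  # constructed: a znode we are not allowed to touch
            raise PermissionError("NoAuth")
        applied.append(f"{path} {acl}")

    result = reset_acls("/hbase", sample_children, fake_set_acl)
    result["applied"] = applied
    return result


if __name__ == "__main__":
    print(zkcli_script(walk_znodes("/hbase", sample_children)))
    print("failed:", dry_run()["failed"])
```

Run it as-is to see the setAcl lines the sample tree produces and the one recorded failure; against a real cluster, take the "failed" list as the znodes you still have to fix as the hbase account before the master will start.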
3. After disabling Kerberos, both YARN ResourceManagers in an HA setup stay in standby
Not resolved without applying a patch, but as a workaround you can disable HA and run a single ResourceManager node.
Reference: https://issues.apache.org/jira/browse/YARN-2588