Hadoop Kerberos : hdfs command 'Failed to find any Kerberos tgt' even though I had got one ticket using kinit

Question

我为 Hadoop 集群设置了 Kerberos 身份验证。当我尝试使用 kinit 获取 kerberos 票证时，它将票证存储在 krb5cc_0 中

$ sudo klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hduser/stwhdrm01@FDATA.COM

Valid starting       Expires              Service principal 
01/04/2018 10:15:14  01/05/2018 10:15:14  krbtgt/FDATA.COM@FDATA.COM

但是当我尝试在命令行上列出 HDFS 目录时，出现以下错误:

$ hdfs dfs -ls /
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>>KinitOptions cache name is /tmp/krb5cc_1001
18/01/04 10:07:48 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/01/04 10:07:48 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

我的/etc/krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = FDATA.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_ccache_name = FILE:/tmp/krb5cc_0

[realms]
FDATA.COM = {
kdc = kdc.fdata.com
admin_server = kdc.fdata.com
}

[domain_realm]
.fdata.com = FDATA.COM
fdata.com = FDATA.COM

• 操作系统:Centos 7
• Kerberos:MIT Kerberos 1.5.1
• Hadoop:Apache Hadoop 2.7.3

为什么 hdfs 和 kinit 使用不同的 kerberos ccache 文件？

Answer 1

因为你用 sudo 调用 kinit 而不是你自己。您的 klist 输出显示了 root 的 Kerberos 票证。