Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
0.10.0
-
None
-
None
-
hdp 2.7.3, edge node
kerberos client - krb5-workstation-1.15.1-50.el7.x86_64
Description
Registered in the shiro.ini config all parameters as required by the documentation.
However, there is an error in the logs: WARN [2021-11-03 16: 31: 50,124] ({qtp681094281-59} KerberosRealm.java [doKerberosAuth]: 525) - Authentication exception: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
tcpdump -i any -s0 -A port 88 shows that no calls to the kerberos server occur during SPNEGO authentication.
As I understand it, you need to specify when starting jaas.conf, but what application name should you specify in it?
I specified com.sun.security.jgss.krb5.initiate but no positive changes.
With this, zeppelin successfully authenticates to hadoop hdfs.
The environment variables are specified in zeppelin-env.sh:
export JAVA_HOME = '/ usr / lib / jvm / jre-1.8.0'
export KRB5_CONFIG = / etc / krb5.conf
export HADOOP_HOME = / usr / hdp / current / hadoop-client /
export HADOOP_CONF_DIR = '/ etc / hadoop / conf'
shiro.ini:
[users]
password = password
user = user
[main]
krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm
krbRealm.keytab = / etc / security / keytabs / zeppelin.service.keytab
krbRealm.cookiePath = /
krbRealm.signatureSecretFile = / etc / security / http_secret
krbRealm.nameRules = DEFAULT
krbRealm.tokenValidity = 36000
krbRealm.cookieDomain = xxx.com
krbRealm.principal=HTTP/zeppelin.xxx.com@XXX
authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $ sessionManager
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = / api / login
[roles]
perms = *
role = role
[urls]
/ api / version = anon
/ ** = authc