Disabling Kerberos on CDH

References:

https://blog.csdn.net/weixin_38367214/article/details/84970258

http://blog.sina.com.cn/s/blog_6dd718930102xqa2.html

https://blog.csdn.net/lvtula/article/details/89021036 (the most critical step, apart from configuration, for re-enabling Kerberos authentication)

 

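Kerberos authentication had previously been configured on the cluster, but the colleagues in my team were not used to it: the access control was too strict, and working with HBase and the like required kinit authentication, which they did not know how to do. So I disabled Kerberos on the CDH cluster. The main steps are as follows.

1. ZooKeeper: set enableSecurity to false. This option has to be checked when Kerberos is configured.

2. HBase: set hbase.security.authentication to false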

Uncheck hbase.security.authorization

3. HDFS

Set hadoop.security.authentication to simple

Uncheck hadoop.security.authorization

Reset the DataNode address port to 50010

dfs.datanode.address = 50010

Reset the DataNode HTTP port to 50075

Change dfs.datanode.http.address to 50075

4. Hue

Delete the Kerberos Ticket Renewer from the Hue instances

5. Before restarting the cluster, delete the /hbase node in ZooKeeper

(1) Add a parameter to ZooKeeper (to skip the permission check on ZooKeeper directories): Java Configuration Options for Zookeeper Server:

-Dzookeeper.skipACL=yes 

(2) Delete the ZooKeeper metadata directory: hbase zkcli; rmr /hbase, or directly zookeeper-client; rmr /hbase

If the steps above are not carried out, the following error occurs:

org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/running

    at org.apache.zookeeper.KeeperException.create(KeeperException.

    at org.apache.zookeeper.KeeperException.create(KeeperException.

    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.

    at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.

    at org.apache.hadoop.hbase.zookeeper.ZKUtil.getDataInternal(ZKUtil.

    at org.apache.hadoop.hbase.zookeeper.ZKUtil.getDataAndWatch(ZKUtil.

    at org.apache.hadoop.hbase.zookeeper.ZooKeeperNodeTracker.start(ZooKeeperNodeTracker.

    at org.apache.hadoop.hbase.regionserver.HRegionServer.(HRegionServer.

    at org.apache.hadoop.hbase.master.HMaster.(HMaster.

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.

    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.

    at

    at org.apache.hadoop.hbase.master.HMaster.constructMaster(HMaster.

    at org.apache.hadoop.hbase.master.HMasterCommandLine.startMaster(HMasterCommandLine.

    at org.apache.hadoop.hbase.master.HMasterCommandLine.run(HMasterCommandLine.

    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.

    at org.apache.hadoop.hbase.util.ServerCommandLine.doMain(ServerCommandLine.

    at org.apache.hadoop.hbase.master.HMaster.main(HMaster.

2018-06-15 03:04:47,499 FATAL org.apache.hadoop.hbase.master.HMaster: Unexpected exception during initialization, aborting

org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /hbase/running

    at org.apache.zookeeper.KeeperException.create(KeeperException.

    at org.apache.zookeeper.KeeperException.create(KeeperException.

    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.

    at org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper.getData(RecoverableZooKeeper.

    at org.apache.hadoop.hbase.zookeeper.ZKUtil.getDataInternal(ZKUtil.

    at org.apache.hadoop.hbase.zookeeper.ZKUtil.getDataAndWatch(ZKUtil.

    at org.apache.hadoop.hbase.zookeeper.ZooKeeperNodeTracker.start(ZooKeeperNodeTracker.

    at org.apache.hadoop.hbase.regionserver.HRegionServer.(HRegionServer.

    at org.apache.hadoop.hbase.master.HMaster.(HMaster.

    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.

    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.

    at

    at org.apache.hadoop.hbase.master.HMaster.constructMaster(HMaster.

    at org.apache.hadoop.hbase.master.HMasterCommandLine.startMaster(HMasterCommandLine.

    at org.apache.hadoop.hbase.master.HMasterCommandLine.run(HMasterCommandLine.

    at org.apache.hadoop.util.ToolRunner.run(ToolRunner.

    at org.apache.hadoop.hbase.util.ServerCommandLine.doMain(ServerCommandLine.

    at org.apache.hadoop.hbase.master.HMaster.main(HMaster.

 

The reason the above error is thrown:

After Kerberos is enabled for ZooKeeper and HBase, the permissions on the /hbase directory belong to hbase.

getAcl /hbase/table
'world,'anyone
: r
'sasl,'hbase
: cdrwa
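An added example (not from the original post) that evaluates the getAcl output above the way ZooKeeper does for a client session: once Kerberos is disabled, HBase connects without a SASL identity, so only the world:anyone entry applies to it. The function names are hypothetical and the sample text is constructed from the output quoted in the post.

```python
import re

# Constructed sample: the getAcl /hbase/table output quoted in the post.
SAMPLE_GETACL = "'world,'anyone\n: r\n'sasl,'hbase\n: cdrwa\n"

# ZooKeeper permission letters and the client operations each one gates.
PERM_OPS = {"c": "create child", "d": "delete child",
            "r": "getData/getChildren", "w": "setData", "a": "setACL"}
ACL_ID = re.compile(r"^'(?P<scheme>[^,]+),'(?P<ident>.*)$")


def parse_getacl(text):
    """Parse zkCli getAcl output into [(scheme, id, set_of_perm_letters)]."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()  # blank lines (as in the scraped post) are ignored
        m = ACL_ID.match(line)
        if m:
            pending = (m["scheme"], m["ident"])
        elif line.startswith(":") and pending:
            entries.append((*pending, set(line[1:].strip())))
            pending = None
    return entries


def effective_perms(entries, identities=()):
    """Union of permissions granted to a session holding `identities`.

    Every session matches world:anyone; a ('sasl', name) identity exists
    only when the client authenticated through SASL/Kerberos.
    """
    held = set(identities) | {("world", "anyone")}
    perms = set()
    for scheme, ident, letters in entries:
        if (scheme, ident) in held:
            perms |= letters
    return perms


def denied_ops(entries, identities=()):
    """Permission letters (in PERM_OPS order) the session does not hold."""
    allowed = effective_perms(entries, identities)
    return [p for p in PERM_OPS if p not in allowed]


if __name__ == "__main__":
    acl = parse_getacl(SAMPLE_GETACL)
    for p in denied_ops(acl):  # session without a SASL identity
        print(f"denied without Kerberos login: {p} ({PERM_OPS[p]})")
```

With -Dzookeeper.skipACL=yes the server skips this evaluation for every znode, which is why the rmr /hbase in step 5 goes through.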

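A solution found online:

Re-enable Kerberos, then manually set the permissions of all znodes under /hbase in ZooKeeper to world:anyone:cdrwa.

Use the hbase account and make the change in hbase zkcli. If a jline-related error is reported when starting zkcli, simply delete the 0.9 version from the zookeeper/lib directory and copy the 1.1.2 version into that directory to resolve it.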

---

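I did not use the solution above; I used only the first approach described earlier, adding the code that skips the ACL check to the ZK server and then deleting the /hbase node.

Restart the cluster!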
 

 

References:

https://www.jianshu.com/p/9aef0be5cc43

http://wzktravel.github.io/2016/03/05/Disable-kerberos-in-CDH/

https://blog.csdn.net/xiao_jun_0820/article/details/39375819

 
