Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.
Cloudera CDH/CDP Could not configure server becase SASL configuration did not allow the Zookeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Checksum failed
서버작업등으로 Hadoop Cluster를 재기동하면 각 서비스를 올릴때 Kerberos가 설정된 상태에서 java.io.IOException: Could not configure server becase SASL configuration did not allow the Zookeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Checksum failed가 발생하면 CM->Zookeeper->Instances->대상 instance를 선택후 "Actions for Seleced"탭에서 Regenerate Keytab을 눌러서 zookeeper.keytab을 재생성하고 다시 기동하면 정상적으로 기동된다.(다른 서비스들도 각각에 맞게 동일한 메뉴에서 keytab을 재생성할 수 있는 기능을 제공함)
(서비스(예, zookeeper/host_FQDN/Realm)용 principal들은 클라우레라가 서비스를 기동할때 만들어서 제공하므로 물리적인 위치에 파일로 존재하지 않으며 파일로 저장할 필요가 없다.)
그리고 Cloudera Manager에서 관리하고 있는 서비스 principal목록은 CM->Administration->Security->Kerberos Credentials에서 확인할 수 있다.
*참고 : Kerberos
- 설치 위치 : /var/kerberos/krb5, /var/kerberos/krb5kdc
- 데몬 : /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid, /usr/sbin/kadmind -P /var/run/kadmind.pid 형태로 데몬이 뜬다.
- 관리명령어 : systemctl status krb5kdc, systemctl status kadmin
- 목록확인
sudo kadmin.local로 접근후 아래의 명령을 수행한다.
listprincs
*참고2 : java의 jre/lib/security/jaas.conf파일내용
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="zookeeper.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/nod01.gooper.com@GOOPER.COM
};
*참고3 : /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
GOOPER.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/kerb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal
max_renewable_life = 7d
udp_preference_limit = 1
}
*참고4 : vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5lib.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
[libdefaults]
default_realm = GOOPER COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[realms]
GOOPER.COM = {
kdc = node01.gooper.com:88
kdc = node02.gooper.com:88
admin_server = node01.gooper.com:749
}
DEV.GOOPER.COM = {
kdc = node01.dev.gooper.com:88
kdc = node02.dev.gooper.com:88
admin_server = node01.dev.gooper.com:749
}
[domain_realm]
.gooper.com = GOOPER.COM
goopercom = GOOPER.COM
.dev.gooper.com = DEV.GOOPER.COM
dev.goopercom = DEV.GOOPER.COM
*참고5 : 서비스별 jaas.conf설정
Create the following JAAS configuration files on the HBase Master, RegionServer, and HBase client host machines.
These files must be created under the
$HBASE_CONF_DIRdirectory:where
$HBASE_CONF_DIRis the directory that stores the HBase configuration files, such as/etc/hbase/conf.On your HBase Master host machine, create the
hbase-server.jaasfile under the/etc/hbase/confdirectory and add the following content:Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/hbase.service.keytab" principal="hbase/$HBase.Master.hostname"; };On each RegionServer host machine, create the
regionserver.jaasfile under the/etc/hbase/confdirectory and add the following content:Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/hbase.service.keytab" principal="hbase/$RegionServer.hostname"; };On your HBase client machines, create the
hbase-client.jaasfile under the/etc/hbase/confdirectory and add the following content:Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false useTicketCache=true; };
Create the following JAAS configuration files on the ZooKeeper Server and client host machines.
These files must be created under the
$ZOOKEEPER_CONF_DIRdirectory:where
$ZOOKEEPER_CONF_DIRis the directory that stores the HBase configuration files, such as/etc/zookeeper/conf.On the ZooKeeper server host machines, create the
zookeeper-server.jaasfile under the/etc/zookeeper/confdirectory and add the following content:Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/zookeeper.service.keytab" principal="zookeeper/$ZooKeeper.Server.hostname"; };On each ZooKeeper client host machine, create the
zookeeper-client.jaasfile under the/etc/zookeeper/confdirectory and add the following content:Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false useTicketCache=true; };
Edit the
hbase-env.shfile on your HBase server to add the following information:export HBASE_OPTS ="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-client.jaas" export HBASE_MASTER_OPTS ="-Djava.security.auth.login.config=$HBASE_CONF_DIR/hbase-server.jaas" export HBASE_REGIONSERVER_OPTS="-Djava.security.auth.login.config=$HBASE_CONF_DIR/regionserver.jaas"
where
HBASE_CONF_DIRis the HBase configuration directory. For example,/etc/hbase/conf.Edit the
zoo.cfgfile on your ZooKeeper server to add the following information:authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider jaasLoginRenew=3600000 kerberos.removeHostFromPrincipal=true kerberos.removeRealmFromPrincipal=true
Edit the
zookeeper-env.shfile on your ZooKeeper server to add the following information:export SERVER_JVMFLAGS ="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-server.jaas" export CLIENT_JVMFLAGS ="-Djava.security.auth.login.config=$ZOOKEEPER_CONF_DIR/zookeeper-client.jaas"
where
$ZOOKEEPER_CONF_DIRis the ZooKeeper configuration directory. For example,/etc/zookeeper/conf.