Question

由于此处有多个活动部件，因此不确定发生了什么。我们有一个用于hdfs，hadoop，impala，hbase的cloudera集群。我们在所有impala服务器前都有一个F5负载均衡器。我们正在尝试使用Kerberos保护服务器/集群。我的同事使用MIT KDC设置了Kerberos。当我们直接向服务器查询impala时，此设置可以正常工作，但是当我们通过F5负载均衡器查询impala时，此设置无效。

我们运行kinit获取预先创建的密钥表文件的票证。

kinit -k -t /blah/keytabs/first.last.keytab first.last

当我运行klist时，会显示所有这些票证：

$ klist
Ticket cache: FILE:/tmp/krb5cc_14377
Default principal: first.last@MADEUPNAME

Valid starting     Expires            Service principal
08/23/17 11:32:02  08/24/17 11:32:02  krbtgt/MADEUPNAME@MADEUPNAME
    renew until 08/23/17 11:32:02
08/23/17 11:33:39  08/24/17 11:32:02  impala/hslave32101.company.com@MADEUPNAME
    renew until 08/23/17 11:32:02

当我运行我的impala-shell命令时，它可以正常工作：

$ impala-shell -i hslave32101.company.com:21000 -k -q "select 1"
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Connected to hslave32101.company.com:21000
Server version: impalad version 2.7.0-cdh5.9.2 RELEASE (build 2f7871169d894fab16f8a2fb99f2e34f0df8763d)
Query: select 1
Query submitted at: 2017-08-23 13:08:34 (Coordinator: http://hslave32101.company.com:25000)
Query progress can be monitored at: http://hslave32101.company.com:25000/query_plan?query_id=4940ca8ca2f267c5:5eeb29af00000000
+---+
| 1 |
+---+
| 1 |
+---+
Fetched 1 row(s) in 0.01s

然而，当我通过F5负载均衡器运行我的命令时，它不起作用，因为它所寻找的票证与klist中的票据不匹配，因为由于某种原因，它取代了部分内容。

impala-shell -i bdaudit.company.com:21000 -d bigdata -k -q "select 1"
Starting Impala Shell using Kerberos authentication
Using service name 'impala'
Error connecting: TTransportException, Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/COMPANY.COM@MADEUPNAME not found in Kerberos database)
Not connected to Impala, could not execute queries.

问题在于这一行

(Server krbtgt/COMPANY.COM@MADEUPNAME not found in Kerberos database)

不知何故，当通过F5 VIP时，它会将first.last@MADEUPNAME更改为COMPANY.COM@MADEUPNAME。有谁知道为什么它取代了这部分票？

Answer 1

根据Cloudera的说明找到了如何使用F5设置Impala的原因here和here

以下是PDF的摘录：

In Cloudera Manager, navigate to the Impala service, select the Configuration pane, then search for “balancer” to
find the Impala Daemons Load Balancer parameter. The load balancer should be specified in host:port format,
where host is your virtual server’s FQDN and port. These values are used by Cloudera Manager and are also passed
to Hue

If the Impala Daemons Load Balancer parameter is specified and Kerberos is enabled, Cloudera Manager adds a
principal for 'impala/<load_balancer_host>@<realm>' to the keytab for all Impala daemons. No additional
configuration is required for Kerberos.

服务主体名称在kerberos中发生变化

1 个答案: