问题描述
测试环境 Linux 上部署了3节点的Hadoop集群,并开启了 Kerberos 认证
本机 mac m1电脑,拷贝了测试 linux hadoop部署包,然后客户端命令访问HDFS失败
前置配置
mac已经配置好/etc/krb5.conf ,但在执行hadoop命令时报错:
hadoop fs -ls /tmp异常如下:
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:406)
at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:614)
at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:410)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798)
at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)
at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:793)
... 36 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
... 45 more通过 klist命令,可以查看mac票据:
(base) ➜ bigdata klist
Ticket cache: KCM:501
Default principal: my@HADOOP.COM
Valid starting Expires Service principal
21 8 2025 18:02:54 22 8 2025 04:02:54 krbtgt/HADOOP.COM@HADOOP.COM
renew until 28 8 2025 18:02:54对比 linux上的 klist看下:
Ticket cache: FILE:/tmp/krb5cc_5385
Default principal: my@HADOOP.COM
Valid starting Expires Service principal
08/21/2025 18:17:01 08/22/2025 04:17:01 krbtgt/HADOOP.COM@HADOOP.COM
renew until 08/28/2025 18:17:00注意:第一行的 cache 类型不一致
问题原因
Mac上的 Ticket cache: KCM:501 这一行, Hadoop 系统不认,
KCM (Kerberos Credential Manager) 是 macOS 系统中使用的一种现代、安全的凭证缓存机制。
问题在于,Hadoop 使用的 Java GSSAPI 库, 默认不认识 KCM 这种缓存类型。它默认会去一个叫做 FILE:/tmp/krb5cc_... 的文件里寻找票据。两者访问方式不一致,所以就造成了 Failed to find any Kerberos tgt
修复方法
使用如下变量强制统一两者的访问路径: export KRB5CCNAME=/tmp/krb5cc_$(id -u),然后重新生成kinit就行了:
# 清理旧票据
kdestroy -A
export KRB5CCNAME=/tmp/krb5cc_$(id -u)
# 重新获取票据
kinit -kt /Users/tom/bigdata/my.keytab my
#查看票据
klist
# 再次尝试访问 HDFS
hadoop fs -ls /上面的脚本跑完,mac上的ticket cache和linux上就一致,问题也就解决了
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: my@HADOOP.COM
Valid starting Expires Service principal
21 8 2025 18:23:10 22 8 2025 04:23:10 krbtgt/HADOOP.COM@HADOOP.COM
renew until 28 8 2025 18:23:09