基础准备

支持JCE的jdk

重新安装JCE的jdk(已正确配置跳过)

删除/usr/java/下面的jdk,然后通过CM->管理->安全->安装Java无限制...

重新安装后,配置Java(可选)

主机->主机配置->搜java->Java主目录配置路径

主机->所有主机->设置->高级:Java

配置Kerberos

安装KDC服务并启用Kerberos

Kerberos加密类型选项要和/var/kerberos/krb5kdc/kdc.conf里的master_key_type保持一致

如果没有响应的aes加密算法,那就是你的java没有配置JCE

问题汇总

Yarn启动报错container-executor权限问题code 13,目录权限为root yarn权限为0650,使用

usermod -G yarn yarn

Hue启动报错,hue ticket renewer失败,使用以下命令,并保持配置文件正确,然后重启

vi /etc/krb5.conf

如果报错 Client cannot authenticate via:[TOKEN, KERBEROS,则注释

# default_ccache_name = KEYRING:persistent:%{uid}

vi /var/kerberos/krb5kdc/kdc.conf

# 进入kadmin.local
modprinc -maxrenewlife 90day krbtgt/你的realm
modprinc -maxrenewlife 90day +allow_renewable hue/master@你的realm
quit
systemctl restart krb5kdc
systemctl restart kadmin

浏览器访问开启kerberos的hdfs,yarn等web服务

下载Kerberos客户端

修改配置文件C:\ProgramData\MIT\Kerberos5\krb5.ini

# Configuration snippets may be placed in this directory as well
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = test.master
  admin_server = test.master
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 .test.master = EXAMPLE.COM
 test.master = EXAMPLE.COM