oozie java api提交作业，kerberos身份验证错误 [英] oozie java api submit job, kerberos Authentication error

问题描述

我有hadoop-2.7集群，oozie-4.0.1以安全模式运行(使用kerberos). 一切都很好.我可以使用cli命令提交作业，如下所示:

I hava hadoop-2.7 cluster, oozie-4.0.1 running in secure mode(with kerberos). All are well. I can use cli commands submit job as follow:

• 初始化myuser
• oozie作业-oozie https://10.1.130.10:21003/oozie -config job.properties -运行

• Kinit myuser
• oozie job -oozie https://10.1.130.10:21003/oozie -config job.properties -run

但是我使用oozie java api提交作业，发生kerberos异常.

but I use oozie java api submit job, kerberos exception occur.

线程主"中的异常身份验证:无法验证，GSSException:未提供有效的凭据(机制级别:找不到任何Kerberos tgt) 在org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:150) 在org.apache.oozie.client.OozieClient.getSupportedProtocolVersions(OozieClient.java:577) 在org.apache.oozie.client.OozieClient.validateWSVersion(OozieClient.java:538) 在org.apache.oozie.client.OozieClient.createURL(OozieClient.java:651) 在org.apache.oozie.client.OozieClient.access $ 100(OozieClient.java:103) 在org.apache.oozie.client.OozieClient $ ClientCallable.call(OozieClient.java:803) 在org.apache.oozie.client.OozieClient.run(OozieClient.java:999) 在com.huawei.oozie.OozieMain.main(OozieMain.java:47)

Exception in thread "main" AUTHENTICATION : Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:150) at org.apache.oozie.client.OozieClient.getSupportedProtocolVersions(OozieClient.java:577) at org.apache.oozie.client.OozieClient.validateWSVersion(OozieClient.java:538) at org.apache.oozie.client.OozieClient.createURL(OozieClient.java:651) at org.apache.oozie.client.OozieClient.access$100(OozieClient.java:103) at org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:803) at org.apache.oozie.client.OozieClient.run(OozieClient.java:999) at com.huawei.oozie.OozieMain.main(OozieMain.java:47)

原因::org.apache.hadoop.security.authentication.client.AuthenticationException:GSSException:未提供有效的凭据(机制级别:找不到任何Kerberos tgt) 在org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:334) 在org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:206) 在org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215) 在org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:144) ...还有7个

Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:334) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:206) at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215) at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:144) ... 7 more

原因:GSSException:未提供有效的凭据(机制级别:找不到任何Kerberos tgt) 在sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) 在sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) 在sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) 在sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) 在sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) 在sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) 在org.apache.hadoop.security.authentication.client.KerberosAuthenticator $ 1.run(KerberosAuthenticator.java:313) 在org.apache.hadoop.security.authentication.client.KerberosAuthenticator $ 1.run(KerberosAuthenticator.java:288) 在java.security.AccessController.doPrivileged(本机方法) 在javax.security.auth.Subject.doAs(Subject.java:422) 在org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:288) ...还有10个

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:313) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:288) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:288) ... 10 more

我的Java代码如下:

my java code as follow:

System.setProperty("java.security.auth.login.config", System.getProperty("user.dir") + File.separator + "conf"
            + File.separator + "jaas.conf ");
    System.setProperty("java.security.krb5.conf", System.getProperty("user.dir") + File.separator + "conf"
            + File.separator + "krb5.conf ");

    String url = "https://10.137.60.60:21003/oozie";
    AuthOozieClient wc = new AuthOozieClient(url);

    wc.setDebugMode(1);

    Properties conf = wc.createConfiguration();
    FileReader fr = new FileReader("conf/job.properties");
    conf.load(fr);

    System.out.println(conf.toString());
    String jobId = wc.run(conf);
    System.out.println("Workflow job submitted");

    while (wc.getJobInfo(jobId).getStatus() == WorkflowJob.Status.RUNNING)
    {
        System.out.println("Workflow job running ...");
        Thread.sleep(3 * 1000);
    }

    System.out.println("Workflow job completed ...");
    System.out.println(wc.getJobInfo(jobId));

我的conf/jaas.conf如下:

my conf/jaas.conf as follow:

Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="D:/workspace/4.4-billing/Oozie/conf/oozie.keytab"
principal="oozie@HADOOP.COM"
useTicketCache=false
storeKey=true
debug=true;
};

有人可以帮助我吗?我知道oozie使用hadoop-auth jar.但是如何设置密钥表，编写身份验证代码，我做不到.

can anyone help me ? I know oozie use hadoop-auth jar. but how to set keytab, write authenticate code, I cannot.

推荐答案

将您的kerberos用户帐户设置为

set your kerberos user account as

conf.setProperty(OozieClient.USER_NAME, "xyz");
oozieClient.run(conf);

这篇关于oozie java api提交作业，kerberos身份验证错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！