docker kerberos webhdfs AuthenticationException：未经授权 [英] docker kerberos webhdfs AuthenticationException: Unauthorized

问题描述

我有一个春天的应用程序。其中一种方法使用webhdfs从hdfs中读取文件。当我在想法中测试它时，它会起作用。但是，在构建项目并在虚拟机上本地或连接到hdfs的服务器上部署Docker镜像之后，我就可以看到。

I have a spring app. One of the methods reads a file from hdfs using webhdfs. When I test it in idea, it works. But after I build the project and deploy docker image on virtual machine locally or on a server connected to hdfs, I get.

AuthenticationException: Unauthorized

在我的本地机器上，我必须定期用

On my local machine I have to regulary initialize the token with

kinit

如果我不这样做，我会得到同样的错误。我在服务器上测试了没有docker的应用程序，它也可以工作。我认为，码头形象没有看到令牌。但我不知道该怎么做。

for autentification. If I don't, I get the same error. I tested The app without docker on server, it also works. I think, docker image does not see the token. But I don't know what to do about it.

Kerberos用于安全。

Kerberos is used for security.

任何建议？

推荐答案

Okey。我做的。有几个问题，但这是最终变种的样子。

Okey. I did it. There were a few problems, but this is how the final variant looks.

我的码头工人。 krb5.conf和keytab与我的docker文件位于同一个文件夹中。当我构建项目时，他们被添加到容器中，并在入口点处使用

My docker. krb5.conf and keytab are in the same folder as my docker file. When I build the project they are added to the container and in the entrypoint I use

-Djava.security.krb5.conf

提供krb5位置。

FROM java:8
ADD report.jar report.jar
ADD krb5.conf /etc/krb5.conf
ADD evkuzmin.keytab /etc/evkuzmin.keytab
RUN sh -c 'touch report.jar'
ENTRYPOINT ["java","-Dspring.data.mongodb.uri=mongodb://audpro_mongo/report","-Djavax.net.debug=all","-Dsun.security.spnego.debug=true","-Dsun.security.krb5.debug=true","-Djava.security.krb5.conf=/etc/krb5.conf","-jar","/report.jar"]

然后我使用 KerberosRestTemplate 连接到webhdfs

Then I use KerberosRestTemplate to connect to webhdfs

public String getReportJSON() throws URISyntaxException {
    KerberosRestTemplate restTemplate = new 
         KerberosRestTemplate("/etc/evkuzmin.keytab", "EvKuzmin@DOMAIN");
    URI uri = new URI("http" + "://" + host + ":" + port + "/webhdfs/v1" + path + "?op=OPEN");
    String json = restTemplate.getForObject(uri, String.class);
    return json;
  }

如果您想在没有docker的情况下运行应用程序，只需构建它并添加keytab与jar的方向相同。然后更改 /etc/evkuzmin.keytab ，以便它指向新的位置。

If you want to run the app without docker, just build it and add the keytab to the same direction as the jar. Then change /etc/evkuzmin.keytab so it points to the new location.

这篇关于docker kerberos webhdfs AuthenticationException：未经授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！