docker kerberos webhdfs AuthenticationException: Unauthorized
Problem description
I have a Spring app. One of the methods reads a file from hdfs using webhdfs. When I test it in IDEA, it works. But after I build the project and deploy the docker image on a virtual machine locally or on a server connected to hdfs, I get:
    AuthenticationException: Unauthorized
On my local machine I have to regularly initialize the token with
    kinit
for authentication. If I don't, I get the same error. I tested the app without docker on the server, it also works. I think the docker image does not see the token. But I don't know what to do about it.
Kerberos is used for security.
Any suggestions?
Recommended answer
Okay. I did it. There were a few problems, but this is how the final variant looks.
My docker. krb5.conf and keytab are in the same folder as my docker file. When I build the project they are added to the container and in the entrypoint I use
    -Djava.security.krb5.conf
to provide the krb5 location.
    FROM java:8
    ADD report.jar report.jar
    ADD krb5.conf /etc/krb5.conf
    ADD evkuzmin.keytab /etc/evkuzmin.keytab
    RUN sh -c 'touch report.jar'
    ENTRYPOINT ["java","-Dspring.data.mongodb.uri=mongodb://audpro_mongo/report","-Djavax.net.debug=all","-Dsun.security.spnego.debug=true","-Dsun.security.krb5.debug=true","-Djava.security.krb5.conf=/etc/krb5.conf","-jar","/report.jar"]
Then I use KerberosRestTemplate to connect to webhdfs
    // host, port and path come from the enclosing class, which the post does not show
    public String getReportJSON() throws URISyntaxException {
        // Log in from the keytab added to the image, as the given principal
        KerberosRestTemplate restTemplate =
                new KerberosRestTemplate("/etc/evkuzmin.keytab", "EvKuzmin@DOMAIN");
        URI uri = new URI("http" + "://" + host + ":" + port + "/webhdfs/v1" + path + "?op=OPEN");
        String json = restTemplate.getForObject(uri, String.class);
        return json;
    }
If you want to run the app without docker, just build it and add the keytab to the same directory as the jar. Then change /etc/evkuzmin.keytab so it points to the new location.
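An added example, not part of the original answer: a shell preflight that an entrypoint wrapper could run before starting the JVM, so that a missing krb5.conf, a missing or empty keytab, or a keytab readable by group or others stops the container at startup with a clear message. KRB5_CONF and KEYTAB are hypothetical variable names used only by this script; the default paths are the ones from the Dockerfile above.

```shell
#!/bin/sh
# Added example: Kerberos preflight for the container described above.
# KRB5_CONF and KEYTAB are hypothetical environment variable names;
# the defaults match the paths used in the answer's Dockerfile.

# krb_preflight CONF KEYTAB
# Returns 0 if both files are usable, otherwise a distinct non-zero code.
krb_preflight() {
    conf=$1
    keytab=$2

    # The JVM is pointed at this file with -Djava.security.krb5.conf
    if [ ! -r "$conf" ]; then
        echo "preflight: krb5.conf not readable: $conf" >&2
        return 2
    fi

    # The keytab handed to KerberosRestTemplate must exist and be non-empty
    if [ ! -r "$keytab" ] || [ ! -s "$keytab" ]; then
        echo "preflight: keytab missing, unreadable or empty: $keytab" >&2
        return 3
    fi

    # A keytab holds long-term keys; reject any group/other permission bits.
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are group and other.
    perms=$(ls -ld "$keytab" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "preflight: keytab accessible beyond owner ($perms): $keytab" >&2
        return 4
    fi
    return 0
}

# When invoked with a command (for example as an ENTRYPOINT wrapper),
# run the checks first and then replace this shell with that command.
if [ "$#" -gt 0 ]; then
    krb_preflight "${KRB5_CONF:-/etc/krb5.conf}" "${KEYTAB:-/etc/evkuzmin.keytab}" || exit $?
    exec "$@"
fi
```

Files added with ADD keep the mode they had in the build context, so the keytab may need `chmod 600` before the last check passes.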