Service fails with "Unable to obtain password from user" after Kerberos is enabled

Exception log

022-10-09 10:26:16,230 ERROR org.apache.hadoop.hdfs.qjournal.server.JournalNode: Failed to start journalnode.
org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: jn/hadoop2@EXAMPLE.COM from keytab /etc/security/keytab/jn.service.keytab javax.security.auth.login.LoginException: Unable to obtain password from user

at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1846)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214)
at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007)
at org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:313)
at org.apache.hadoop.hdfs.qjournal.server.JournalNode.start(JournalNode.java:226)
at org.apache.hadoop.hdfs.qjournal.server.JournalNode.run(JournalNode.java:205)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:76)
at org.apache.hadoop.util.ToolRunner.run(ToolRunner.java:90)
at org.apache.hadoop.hdfs.qjournal.server.JournalNode.main(JournalNode.java:415)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run

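Cause and fix

The error message says that the password could not be obtained during authentication.
The cause is that the manually generated keytab file is owned by root; its owner should be changed to the system user of the corresponding component.

Solution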

cd /etc/security/keytab/
Change the owner of each keytab file to the user that starts the corresponding service:
chown hdfs:hadoop jn.service.keytab
chown hdfs:hadoop nn.service.keytab
chown hdfs:hadoop dn.service.keytab
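
A check that can be run before starting the daemons, as an added example that is not part of the original post: it verifies that each keytab is owned by the service user and, going one step beyond the owner fix above, that only the owner can read it, since a keytab holds the principal's long-term key. The function names and return codes are assumptions made for this example, and `stat -c` assumes GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: audit keytab ownership and mode before starting a daemon.
# Return codes of check_keytab (convention chosen for this example):
#   0 ok | 1 missing | 2 wrong owner | 3 group/other have access
#   4 owner has no read bit
check_keytab() {
    keytab=$1
    expected_owner=$2
    [ -f "$keytab" ] || return 1
    # stat -c is GNU coreutils / BusyBox syntax: %U owner name, %a octal mode
    actual_owner=$(stat -c '%U' "$keytab") || return 1
    mode=$(stat -c '%a' "$keytab") || return 1
    [ "$actual_owner" = "$expected_owner" ] || return 2
    perms=$(printf '%03d' "$mode")   # pad so mode 0 becomes 000
    case "$perms" in
        *[4-7]00) return 0 ;;   # e.g. 400 or 600: only the owner can read
        *[0-3]00) return 4 ;;   # the owner itself cannot read the file
        *)        return 3 ;;   # e.g. 644 or 640: key material is exposed
    esac
}

# audit_keytabs DIR USER FILE...  -> prints one line per file,
# returns the number of files that failed the check.
audit_keytabs() {
    dir=$1
    svc_user=$2
    shift 2
    failures=0
    for name in "$@"; do
        if check_keytab "$dir/$name" "$svc_user"; then
            echo "OK       $dir/$name"
        else
            echo "FAIL($?)  $dir/$name (want owner $svc_user, mode 400 or 600)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage with the paths and user from this post:
#   audit_keytabs /etc/security/keytab hdfs \
#       jn.service.keytab nn.service.keytab dn.service.keytab
```
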