Hadoop Kerberos:Datanode无法连接到Namenode。由jsvc启动Datanode以绑定特权端口(不使用SASL)

时间:2018-01-08 10:04:10

标签: hadoop authentication hdfs kerberos

我已经设置了一个有效的HA Hadoop集群。但是在添加Kerberos身份验证后,datanode无法连接到namenode。

验证Namenode服务器是否成功启动并且没有记录错误。我使用用户' hduser'

启动所有服务
$ sudo netstat -tuplen
...
tcp        0      0 10.28.94.150:8019       0.0.0.0:*               LISTEN      1001       20218      1518/java         
tcp        0      0 10.28.94.150:50070      0.0.0.0:*               LISTEN      1001       20207      1447/java         
tcp        0      0 10.28.94.150:9000       0.0.0.0:*               LISTEN      1001       20235      1447/java         

的Datanode

以root身份启动datanode,使用jsvc将服务绑定到特权端口(参见。  Secure Datanode

$ sudo -E sbin/hadoop-daemon.sh start datanode
starting datanode, logging to /opt/hadoop-2.7.3/logs//hadoop-hduser-datanode-STWHDDN01.out

收到datanode无法连接到namenodes的错误:

...
2018-01-08 09:25:40,051 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: dnUserName = hduser
2018-01-08 09:25:40,052 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: supergroup = supergroup
2018-01-08 09:25:40,114 INFO org.apache.hadoop.ipc.CallQueueManager: Using callQueue class java.util.concurrent.LinkedBlockingQueue
2018-01-08 09:25:40,125 INFO org.apache.hadoop.ipc.Server: Starting Socket Reader #1 for port 50020
2018-01-08 09:25:40,152 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: Opened IPC server at /0.0.0.0:50020
2018-01-08 09:25:40,219 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: Refresh request received for nameservices: ha-cluster
2018-01-08 09:25:41,189 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: Starting BPOfferServices for nameservices: ha-cluster
2018-01-08 09:25:41,226 INFO org.apache.hadoop.ipc.Server: IPC Server Responder: starting
2018-01-08 09:25:41,227 INFO org.apache.hadoop.ipc.Server: IPC Server listener on 50020: starting
2018-01-08 09:25:42,297 INFO org.apache.hadoop.ipc.Client: Retrying connect to server: STWHDRM02/10.28.94.151:9000. Already tried 0 time(s); retry policy is RetryUpToMaximumCountWithFixedSleep(maxRetries=10, sleepTime=1000 MILLISECONDS)
2018-01-08 09:25:42,300 INFO org.apache.hadoop.ipc.Client: Retrying connect to server: STWHDRM01/10.28.94.150:9000. Already tried 0 time(s); retry policy is RetryUpToMaximumCountWithFixedSleep(maxRetries=10, sleepTime=1000 MILLISECONDS)    


datanode hdfs-site.xml(摘录):

<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/opt/hadoop/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hduser/_HOST@FDATA.COM</value>
</property>
<property>
    <name>dfs.datanode.address</name>
    <value>0.0.0.0:1004</value>
</property>
<property>
    <name>dfs.datanode.http.address</name>
    <value>0.0.0.0:1006</value>
</property>
<property>
    <name>dfs.datanode.data.dir.perm</name>
    <value>700</value>
</property>


我在hadoop-env.sh中设置了HADOOP_SECURE_DN_USER = hduser和JSVC_HOME


datanode上的 hdfs.keytab:

$ klist -ke etc/hadoop/hdfs.keytab                                                             Keytab name: FILE:etc/hadoop/hdfs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 hduser/stwhddn01@FDATA.COM (aes256-cts-hmac-sha1-96)
   1 hduser/stwhddn01@FDATA.COM (aes128-cts-hmac-sha1-96)
   1 hduser/stwhddn01@FDATA.COM (des3-cbc-sha1)
   1 hduser/stwhddn01@FDATA.COM (arcfour-hmac)
   1 hduser/stwhddn01@FDATA.COM (des-hmac-sha1)
   1 hduser/stwhddn01@FDATA.COM (des-cbc-md5)
   1 HTTP/stwhddn01@FDATA.COM (aes256-cts-hmac-sha1-96)
   1 HTTP/stwhddn01@FDATA.COM (aes128-cts-hmac-sha1-96)
   1 HTTP/stwhddn01@FDATA.COM (des3-cbc-sha1)
   1 HTTP/stwhddn01@FDATA.COM (arcfour-hmac)
   1 HTTP/stwhddn01@FDATA.COM (des-hmac-sha1)
   1 HTTP/stwhddn01@FDATA.COM (des-cbc-md5)  
操作系统:Centos 7
Hadoop:2.7.3
Kerberos:麻省理工学院1.5.1

我以root用户身份运行datanode时,它不会使用kerberos进行身份验证。

有什么想法吗?

1 个答案:

答案 0 :(得分:1)

我发现了问题。需要更改/ etc / hosts才能将127.0.0.1映射到localhost。

127.0.0.1 STWHDDD01
127.0.0.1 localhost
...

127.0.0.1 localhost
...

我仍然想知道为什么旧映射在没有Kerberos身份验证的情况下工作。