Should the Kerberos cache file remain empty after successful authentication?

Time: 2018-12-18 13:46:39

Tags: kerberos cloudera-cdh

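I am trying to connect via a JDBC driver to Impala, which is part of a kerberized CDH cluster. To authenticate, I need to obtain a Kerberos ticket on my machine. kinit works like a charm. The strange thing is that when I set the KRB5CCNAME variable to point to a file, the file remains empty after successful authentication, yet klist shows that I am authenticated. Is this expected behavior?

The reason I ask is that my Java application cannot connect to Impala, and the error message suggests the empty file may be the cause. However, a Python script can connect to the same Impala from the same machine.

This is on a Mac, 2018.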

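1 answer:

Answer 0 (score: 0)

It shouldn't.

Apple has its own bundled Kerberos implementation (Heimdal), which does this strange empty-file thing.

I installed the krb5 package from brew and modified PATH accordingly, and it works fine.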

myself@mymachine:~$ brew info krb5
krb5: stable 1.16.2 (bottled) [keg-only]
Network authentication protocol
https://web.mit.edu/kerberos/
/usr/local/Cellar/krb5/1.16.2 (160 files, 3.7MB)
  Poured from bottle on 2018-12-18 at 15:20:46
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/krb5.rb
==> Dependencies
Required: openssl ✔
==> Caveats
krb5 is keg-only, which means it was not symlinked into /usr/local,
because macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.

If you need to have krb5 first in your PATH run:
  echo 'export PATH="/usr/local/opt/krb5/bin:$PATH"' >> ~/.bash_profile
  echo 'export PATH="/usr/local/opt/krb5/sbin:$PATH"' >> ~/.bash_profile

For compilers to find krb5 you may need to set:
  export LDFLAGS="-L/usr/local/opt/krb5/lib"
  export CPPFLAGS="-I/usr/local/opt/krb5/include"

For pkg-config to find krb5 you may need to set:
  export PKG_CONFIG_PATH="/usr/local/opt/krb5/lib/pkgconfig"

==> Analytics
install: 198 (30 days), 614 (90 days), 1,986 (365 days)
install_on_request: 182 (30 days), 557 (90 days), 1,768 (365 days)
build_error: 0 (30 days)

myself@mymachine:~$ /usr/bin/klist --version
klist (Heimdal 1.5.1apple1)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org

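A similar problem occurs on Windows, where Kerberos does not honor the KRB5CCNAME environment variable whether or not it is set. The solution is to use an older version. This page mentions version 4.0.1, but on the Kerberos page you can find 4.1. The former will use a file cache, while the latter will use the API, and it is hard to make it not use it.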
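A way to check for the situation described in this thread, as an added example that is not part of the original question or answer: it reports whether the cache named by KRB5CCNAME is a populated file cache and which klist implementation produced a given version banner. The function names are hypothetical; the checks assume that the MIT file cache format starts with byte 0x05 and that MIT `klist -V` prints "Kerberos 5 version".

```shell
#!/bin/sh
# Added diagnostic example; not code from the original thread.

# Cache type named by a KRB5CCNAME value; a bare path means FILE.
ccache_type() {
    case "$1" in
        FILE:*|DIR:*|API:*|KCM:*|KEYRING:*|MEMORY:*) printf '%s\n' "${1%%:*}" ;;
        *) printf 'FILE\n' ;;
    esac
}

# State of a file cache: missing, empty, ccache (assumption: the MIT
# file format, whose first byte is 0x05), or unknown-format.
ccache_file_state() {
    path=${1#FILE:}
    [ -e "$path" ] || { printf 'missing\n'; return 0; }
    [ -s "$path" ] || { printf 'empty\n'; return 0; }
    first=$(od -An -tx1 -N1 "$path" | tr -d ' \n')
    if [ "$first" = "05" ]; then printf 'ccache\n'; else printf 'unknown-format\n'; fi
}

# Implementation behind a klist version banner.
klist_flavor() {
    case "$1" in
        *Heimdal*) printf 'heimdal\n' ;;
        *"Kerberos 5 version"*) printf 'mit\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# One-line verdict for a KRB5CCNAME value and a klist banner.
ccache_report() {
    cc_type=$(ccache_type "$1")
    flavor=$(klist_flavor "$2")
    if [ "$cc_type" != "FILE" ]; then
        printf '%s cache (%s klist): credentials are not in a single FILE cache\n' "$cc_type" "$flavor"
        return 0
    fi
    state=$(ccache_file_state "$1")
    case "$state" in
        ccache) printf 'ok: file cache present (%s klist)\n' "$flavor" ;;
        *) printf 'problem: file cache is %s (%s klist)\n' "$state" "$flavor" ;;
    esac
}

# Usage on a real machine, with the banner command shown in the thread:
#   ccache_report "$KRB5CCNAME" "$(klist --version 2>&1)"
```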