Zeppelin: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

Time: 2019-07-29 02:03:52

Tags: java hive bigdata kerberos

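I am using Zeppelin 0.8.1. I ran into a problem when connecting to Hive with Kerberos; it fails with the following error: "javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]"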

My cluster is CDH 6.2.0, and the JDK version is 1.8.0_131.

Some of the error messages:

ERROR [2019-07-25 03:46:19,513] ({pool-2-thread-2} JDBCInterpreter.java[open]:197) - zeppelin will be ignored. driver.zeppelin and zeppelin.url is mandatory.
 WARN [2019-07-25 03:46:19,524] ({pool-2-thread-2} JDBCInterpreter.java[appendProxyUserToURL]:494) - User impersonation for hive has changed please refer: http://zeppelin.apache.org/docs/latest/interpreter/jdbc.html#apache-hive
 INFO [2019-07-25 03:46:19,837] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 1 time(s).
 INFO [2019-07-25 03:46:19,837] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 2 time(s).
 INFO [2019-07-25 03:46:19,837] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 3 time(s).
 INFO [2019-07-25 03:46:19,838] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 4 time(s).
 INFO [2019-07-25 03:46:19,838] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 5 time(s).
 INFO [2019-07-25 03:46:19,838] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 6 time(s).
 INFO [2019-07-25 03:46:19,838] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 7 time(s).
 INFO [2019-07-25 03:46:19,840] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 8 time(s).
 INFO [2019-07-25 03:46:19,840] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 9 time(s).
 INFO [2019-07-25 03:46:19,840] ({pool-3-thread-1} KerberosInterpreter.java[call]:143) - runKerberosLogin failed for 10 time(s).
ERROR [2019-07-25 03:46:19,841] ({pool-3-thread-1} KerberosInterpreter.java[call]:146) - runKerberosLogin failed for  max attempts, calling close interpreter.
 INFO [2019-07-25 03:46:20,060] ({pool-2-thread-2} UserGroupInformation.java[loginUserFromKeytab]:1147) - Login successful for user hive/sdwsdn2@DWSP.COM using keytab file /usr/local/zeppelin-0.8.0-bin-all/conf/hive.sdwsdn2.keytab. Keytab auto renewal enabled : false
 INFO [2019-07-25 03:46:20,146] ({pool-2-thread-2} Utils.java[parseURL]:324) - Supplied authorities: sdwsmn1:10000
 INFO [2019-07-25 03:46:20,146] ({pool-2-thread-2} Utils.java[parseURL]:443) - Resolved authority: sdwsmn1:10000
ERROR [2019-07-25 03:46:20,174] ({pool-2-thread-2} TSaslTransport.java[open]:313) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
        at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
        at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1875)
        at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
        at org.apache.hive.jdbc.HiveConnection.openTransport(HiveConnection.java:229)
        at org.apache.hive.jdbc.HiveConnection.<init>(HiveConnection.java:184)
        at org.apache.hive.jdbc.HiveDriver.connect(HiveDriver.java:107)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:208)
        at org.apache.commons.dbcp2.DriverManagerConnectionFactory.createConnection(DriverManagerConnectionFactory.java:79)
        at org.apache.commons.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:205)
        at org.apache.commons.pool2.impl.GenericObjectPool.create(GenericObjectPool.java:861)
        at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:435)
        at org.apache.commons.pool2.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:363)
        at org.apache.commons.dbcp2.PoolingDriver.connect(PoolingDriver.java:129)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:270)
        at org.apache.zeppelin.jdbc.JDBCInterpreter.getConnectionFromPool(JDBCInterpreter.java:410)
        at org.apache.zeppelin.jdbc.JDBCInterpreter.access$000(JDBCInterpreter.java:91)
        at org.apache.zeppelin.jdbc.JDBCInterpreter$2.run(JDBCInterpreter.java:459)
        at org.apache.zeppelin.jdbc.JDBCInterpreter$2.run(JDBCInterpreter.java:456)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1875)
        at org.apache.zeppelin.jdbc.JDBCInterpreter.getConnection(JDBCInterpreter.java:456)
        at org.apache.zeppelin.jdbc.JDBCInterpreter.executeSql(JDBCInterpreter.java:673)
        at org.apache.zeppelin.jdbc.JDBCInterpreter.interpret(JDBCInterpreter.java:801)
        at org.apache.zeppelin.interpreter.LazyOpenInterpreter.interpret(LazyOpenInterpreter.java:103)
        at org.apache.zeppelin.interpreter.remote.RemoteInterpreterServer$InterpretJob.jobRun(RemoteInterpreterServer.java:633)
        at org.apache.zeppelin.scheduler.Job.run(Job.java:188)
        at org.apache.zeppelin.scheduler.ParallelScheduler$JobRunner.run(ParallelScheduler.java:162)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)
        ... 43 more

My Hive interpreter configuration is as follows:

default.driver=org.apache.hive.jdbc.HiveDriver
default.url=jdbc:hive2://sdwsmn1:10000/default;principal=hive/sdwsmn1@DWSP.COM
zeppelin.jdbc.auth.type=KERBEROS
zeppelin.jdbc.keytab.location=/usr/local/zeppelin-0.8.0-bin-all/conf/hive.sdwsdn2.keytab
zeppelin.jdbc.principal=hive/sdwsdn2@DWSP.COM

When I looked at the log file, I found that Kerberos authentication succeeded, but I did not get a ticket.

INFO [2019-07-25 03:46:20,060] ({pool-2-thread-2} UserGroupInformation.java[loginUserFromKeytab]:1147) - Login successful for user hive/sdwsdn2@DWSP.COM using keytab file /usr/local/zeppelin-0.8.0-bin-all/conf/hive.sdwsdn2.keytab. Keytab auto renewal enabled : false

When I am not using this Hive interpreter for the first time, this message is in the log file:

INFO [2019-07-23 23:07:14,248] ({pool-2-thread-2} JDBCSecurityImpl.java[createSecureConfiguration]:60) - The user has already logged in using Keytab and principal, no action required

I then checked the authentication logic in this part of the source code:

public static void createSecureConfiguration(Properties properties,
      AuthenticationMethod authType) {
    switch (authType) {
      case KERBEROS:
        Configuration conf = new
            org.apache.hadoop.conf.Configuration();
        conf.set("hadoop.security.authentication", KERBEROS.toString());
        UserGroupInformation.setConfiguration(conf);
        try {
          // Check TGT before calling login
          // Ref: https://github.com/apache/hadoop/blob/release-3.0.1-RC1/hadoop-common-project/
          // hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L1232
          if (!UserGroupInformation.isSecurityEnabled()
              || UserGroupInformation.getCurrentUser().getAuthenticationMethod() != KERBEROS
              || !UserGroupInformation.isLoginKeytabBased()) {
            UserGroupInformation.loginUserFromKeytab(
                properties.getProperty("zeppelin.jdbc.principal"),
                properties.getProperty("zeppelin.jdbc.keytab.location"));
          } else {
            LOGGER.info("The user has already logged in using Keytab and principal, " +
                "no action required");
          }
        } catch (IOException e) {
          LOGGER.error("Failed to get either keytab location or principal name in the " +
              "interpreter", e);
        }
    }
  }

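This user should have logged in successfully. Why does this error still occur? Is my Hive interpreter configuration wrong? I need your help, thank you.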
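
One way to check, outside Zeppelin, whether a keytab login for a given principal actually leaves a TGT in the JAAS Subject; this is an added example, not part of the original post and not Zeppelin or Hadoop code. It uses only JDK classes; the class name `KeytabTgtCheck` is hypothetical, and the principal and keytab path are passed as arguments and need a reachable KDC.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

// Added diagnostic example; KeytabTgtCheck is a hypothetical name.
// Usage: java KeytabTgtCheck <principal> <keytab-path>
public class KeytabTgtCheck {

  // Returns the TGT held by the Subject, or null if it holds none.
  static KerberosTicket findTgt(Subject subject) {
    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
      // A TGT is a ticket issued for the krbtgt/REALM@REALM service.
      if (t.getServer().getName().startsWith("krbtgt/")) {
        return t;
      }
    }
    return null;
  }

  public static void main(String[] args) throws Exception {
    final String principal = args[0];
    final String keytab = args[1];
    // In-memory JAAS configuration: keytab login, never prompt for a password.
    Configuration jaas = new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "true"); // request a TGT, not just load keys
        return new AppConfigurationEntry[] {
          new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
              AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)};
      }
    };
    LoginContext lc = new LoginContext("keytab-check", null, null, jaas);
    lc.login(); // throws LoginException if the KDC rejects the keytab or principal
    KerberosTicket tgt = findTgt(lc.getSubject());
    if (tgt == null) {
      System.out.println("Login succeeded, but the Subject holds no TGT");
    } else {
      System.out.println("TGT for " + tgt.getClient().getName() + " from "
          + tgt.getServer().getName() + ", expires " + tgt.getEndTime()
          + ", current=" + tgt.isCurrent());
    }
  }
}
```

Running it with `-Dsun.security.krb5.debug=true` also prints the JDK's Kerberos exchange with the KDC.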

0 answers:

No answers