Authenticating an Impala JDBC Connection in a Kerberized environment

Question

When trying to launch a Java Action within Oozie (CDH6.3.1) I get a GSS initiate failed. The code in question is pretty straightforward:

        // AuthMech=1 selects Kerberos authentication; KrbRealm, KrbHostFQDN and KrbServiceName identify the Impala service principal.
        String impalaUrl = "jdbc:impala://pxyserver.global.ad:21050/default;SSL=1;AuthMech=1;KrbRealm=GLOBAL.AD;KrbHostFQDN=pxyserver.global.ad;KrbServiceName=Impala;sslTrustStore=/opt/cloudera/security/jks/truststore.jks;trustStorePassword=password";
        Properties impalaProperties = new Properties();
        impalaProperties.put("user", "svcaccount");
        impalaProperties.put("password", "svcpassword");
        impalaProperties.put("Driver", "com.cloudera.impala.jdbc41.Driver");
        
        try {
            // The GSS handshake happens here; this is the call that throws the exception below.
            setConnection(DriverManager.getConnection(impalaUrl, impalaProperties));
        } catch (SQLException e) {
            e.printStackTrace();
        }


Running this gives the following stack trace:

java.sql.SQLException: [Cloudera][ImpalaJDBCDriver](500164) Error initialized or created transport for authentication: [Cloudera][ImpalaJDBCDriver](500169) Unable to connect to server: GSS initiate failed.
	at com.cloudera.impala.hivecommon.api.HiveServer2ClientFactory.createTransport(Unknown Source)
	at com.cloudera.impala.hivecommon.api.ServiceDiscoveryFactory.createClient(Unknown Source)
	at com.cloudera.impala.hivecommon.core.HiveJDBCCommonConnection.establishConnection(Unknown Source)
	at com.cloudera.impala.impala.core.ImpalaJDBCDSIConnection.establishConnection(Unknown Source)
	at com.cloudera.impala.jdbc.core.LoginTimeoutConnection.connect(Unknown Source)
	at com.cloudera.impala.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
	at com.cloudera.impala.jdbc.common.AbstractDriver.connect(Unknown Source)
	at java.sql.DriverManager.getConnection(DriverManager.java:664)
	at java.sql.DriverManager.getConnection(DriverManager.java:208)
	

I can fix this by kiniting with a keytab. However, in our production environment Oozie runs this on one of many worker nodes and they do not have valid Kerberos tickets. What are my options here? If possible I'd rather not kinit every day on each of our 40 worker nodes. Is there a parameter I am missing here?

Thanks

huangapple
  • Posted on March 4, 2020, 05:23:52
  • When reposting, please keep the link to this article: https://java.coder-hub.com/60515739.html