mac m1上使用Kerberos访问远程linux hadoop集群的正确姿势

问题描述

测试环境 Linux 上部署了3节点的Hadoop集群，并开启了 Kerberos 认证

本机 mac m1电脑，拷贝了测试 linux hadoop部署包，然后客户端命令访问HDFS失败

前置配置

mac已经配置好/etc/krb5.conf ，但在执行hadoop命令时报错：

hadoop fs -ls /tmp

异常如下：

Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:406)at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:614)at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:410)at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:798)at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:794)at java.security.AccessController.doPrivileged(Native Method)at javax.security.auth.Subject.doAs(Subject.java:422)at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1844)at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:793)... 36 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:162)at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:189)at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192)... 45 more

通过 klist命令，可以查看mac票据：

(base) ➜  bigdata klist
Ticket cache: KCM:501
Default principal: my@HADOOP.COMValid starting       Expires              Service principal
21  8 2025 18:02:54  22  8 2025 04:02:54  krbtgt/HADOOP.COM@HADOOP.COMrenew until 28  8 2025 18:02:54

对比 linux上的 klist看下：

Ticket cache: FILE:/tmp/krb5cc_5385
Default principal: my@HADOOP.COMValid starting       Expires              Service principal
08/21/2025 18:17:01  08/22/2025 04:17:01  krbtgt/HADOOP.COM@HADOOP.COMrenew until 08/28/2025 18:17:00

注意：第一行的 cache 类型不一致

问题原因

Mac上的 Ticket cache: KCM:501 这一行， Hadoop 系统不认，

KCM (Kerberos Credential Manager) 是 macOS 系统中使用的一种现代、安全的凭证缓存机制。

问题在于，Hadoop 使用的 Java GSSAPI 库, 默认不认识 KCM 这种缓存类型。它默认会去一个叫做 FILE:/tmp/krb5cc_... 的文件里寻找票据。两者访问方式不一致，所以就造成了 Failed to find any Kerberos tgt

修复方法

使用如下变量强制统一两者的访问路径: export KRB5CCNAME=/tmp/krb5cc_$(id -u)，然后重新生成kinit就行了：

# 清理旧票据
kdestroy -Aexport KRB5CCNAME=/tmp/krb5cc_$(id -u)# 重新获取票据
kinit -kt /Users/tom/bigdata/my.keytab my#查看票据
klist# 再次尝试访问 HDFS
hadoop fs -ls /

上面的脚本跑完，mac上的ticket cache和linux上就一致，问题也就解决了

Ticket cache: FILE:/tmp/krb5cc_501
Default principal: my@HADOOP.COMValid starting       Expires              Service principal
21  8 2025 18:23:10  22  8 2025 04:23:10  krbtgt/HADOOP.COM@HADOOP.COMrenew until 28  8 2025 18:23:09