FineBI Version | Functional Changes
6.0 | /
6.0.2 | Optimized Kerberos authentication method, which allows uploading relevant files directly on the front end.
Kerberos authentication is a common authentication method in the Hadoop ecosystem.
There are two ways to configure Kerberos authentication:
Directly use the Kerberos authentication in the Data Connection configuration interface. This method is mainly used for authentication connections of drivers such as Hive and HBase.
Configure JVM parameters before going to the Data Connection configuration interface for authentication. This method is mainly used when you fill in the data connection configuration interface according to the requirements for successful authentication, but it still throws an error when creating a connection. For example, there may be something wrong in databases like Impala of Cloudera’s CDH.
The supported databases are as follows. For databases that need Kerberos authentication, a dedicated driver needs to be replaced, and the URL format also needs to be changed.
Database
Apache Impala
Hadoop Hive
Spark
Transwarp Inceptor
Apache Phoenix
HBase
Download configuration files krb5.conf, {variable}.keytab, and principal on the environment.
The file principal is the name of the client that has registered with KDC.
The {variable}.keytab is the keytab file. You need to find the location of this file on the application server that provides Kerberos services. The keytab file name may differ between servers, so it is written here as {variable}.
Take Hive as an example.
Configure the local hosts file. For example, configure the remote mapping 192.168.5.127 quickstart.cloudera under the path C:\Windows\System32\drivers\etc\hosts.
The mapping format is {IP machine name}.
Find the corresponding driver, change the URL to the corresponding format, and switch the Authentication Method to Kerberos.
Upload the file keytab and the file krb5.conf.
Click Test Connection. Successful connection is shown as follows:
What to Check | Requirement
Check the time difference between the FineBI server and the database server. | Usually, the time difference is less than 5 minutes.
Check and configure the hosts file of the computer where the FineBI server is located. | The database server can be pinged through the hostname/domain name.
The built-in zookeeper package of FineBI needs to match the ZooKeeper version of the database server. | For example, there may be such errors when connecting to the Huawei HD platform.
Check if the principal name is correct. | The format of principal is usually {username}/{department}@{company name}. To confirm whether the principal is correct, execute klist or kinit -k -t /path/to/keytab name_of_principal in the shell on the database server. You can also connect directly to the authenticated service through tools such as Beeline and Impala Shell and view the corresponding principal information. For example, the principal corresponding to the Hive service is hive/bigdata@{company name}.COM, while the principal corresponding to the Impala service is impala/bigdata@{company name}.COM.
Check the project path of FineBI. | Make sure there are no spaces (such as Tomcat 9) because Kerberos authentication does not support paths with spaces.
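The checks in the table above, written as shell functions that can be run before clicking Test Connection. This is an added example, not FineBI code; the function names are hypothetical, and keytab_lists assumes the row layout that MIT klist -k -t prints (principal as the last field).

```shell
#!/bin/sh
# Added example (not FineBI code): preflight checks for the table above.
MAX_SKEW=300    # seconds; the 5-minute limit from the table

# 0 if two epoch timestamps differ by less than MAX_SKEW seconds.
skew_ok() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    [ "$d" -lt "$MAX_SKEW" ]
}

# 0 if HOST ($1) is a name on a non-comment line of the hosts file ($2).
host_mapped() {
    awk -v h="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { exit !found }' "${2:-/etc/hosts}"
}

# 0 if $1 has the two-part form name/instance@REALM described in the table.
principal_ok() {
    case "$1" in
        *[[:space:]]*|/*|*/@*|*@|*@*@*) return 1 ;;
        */*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the deployment path contains no whitespace.
path_ok() {
    case "$1" in *[[:space:]]*) return 1 ;; *) return 0 ;; esac
}

# Reads `klist -k -t KEYTAB` output on stdin; 0 if PRINCIPAL ($1) is listed.
keytab_lists() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Args: local_epoch remote_epoch host hosts_file principal path.
# Prints one line per failed check and returns the number of failures.
preflight() {
    fails=0
    skew_ok "$1" "$2"     || { echo "FAIL clock skew"; fails=$((fails + 1)); }
    host_mapped "$3" "$4" || { echo "FAIL hosts entry for $3"; fails=$((fails + 1)); }
    principal_ok "$5"     || { echo "FAIL principal format"; fails=$((fails + 1)); }
    path_ok "$6"          || { echo "FAIL spaces in path"; fails=$((fails + 1)); }
    return "$fails"
}
```

On the FineBI host, source the file, pass the local and database-server epoch times to preflight, and pipe klist -k -t /path/to/keytab into keytab_lists with the principal you intend to enter in the Data Connection form.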
1. If the connection fails, you can confirm with the platform database admin whether the security authentication configuration of the relevant service is correct, and contact FineRuan's technical support to provide relevant error logs with JVM security debugging parameters, data platform database version, corresponding driver JAR package, relevant connection information, Java authentication connection test code, or Shell tools that can connect to the authentication database.
JVM secure debugging log parameter:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext -Djava.security.krb5.debug=true
2. In special circumstances, if you cannot connect under the Windows system, you can deploy a FineBI test server on a Linux system. Ensure that the server can connect to the database through the relevant Shell tools and that you can view the cached TGT information through klist.
Description:
CDH connection error: Unable to obtain Principal Name for authentication
Cause:
The JCE installed by default in JDK cannot handle symmetric keys larger than 128 bits.
Solution:
Update the JCE extension package for JRE.
Download and unzip the JCE extension JAR package, and then replace the file in the specified directory of JRE.
Transwarp Inceptor database error: GSS initiate failed
The driver itself performed a static global operation. After the Kerberos center is refreshed, the internal static global of the driver still remains, so the data connection cannot be established. Restart the FineBI server to see if the error still exists. If there are still issues, follow the troubleshooting steps below:
Incorrect password: The keytab file does not match the user. You can check it by running kinit -k -t keytab user on the client server.
Clock offset: The times of the local server and the remote server do not match. You can check the connection and time synchronization between the local computer and the remote server using the NTP protocol.
Unsupported AES: By default, AES256 is not supported by jdk/jre. You need to copy local_policy.jar and US_export_policy.jar from the /opt/huawei/Bigdata/jdk/jre/lib/security path of the remote server.
No rule: The default principal format is not supported. Add the property hadoop.security.auth_to_local to core-site.xml with the value RULE:[1:$1] RULE:[2:$1].
Timeout: FineBI cannot connect to the KDC server, or a firewall in the network is blocking the connection.
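The troubleshooting list above as a log triage script, run over the output produced with the JVM debugging parameters. This is an added example, not FineBI or driver code: the cause labels are the ones in the list, while the message fragments are the wordings the JDK and Hadoop commonly print and are assumptions to adjust for your versions.

```shell
#!/bin/sh
# Added example (not FineBI code): triage of JVM Kerberos error lines.
# Message fragments are the usual JDK/Hadoop wordings, assumed here.

# Prints the cause label for one log line; returns 1 if nothing matches.
classify() {
    case "$1" in
        *"Clock skew too great"*)
            echo "Clock offset" ;;
        *"Pre-authentication information was invalid"*)
            echo "Incorrect password" ;;
        *"is not supported/enabled"*|*"Illegal key size"*)
            echo "Unsupported AES" ;;
        *"No rules applied to"*)
            echo "No rule" ;;
        *"Receive timed out"*|*"Connection timed out"*)
            echo "Timeout" ;;
        *) return 1 ;;
    esac
}

# Reads a log on stdin and prints "cause: count" for each cause seen.
triage() {
    while IFS= read -r line; do
        classify "$line" || true
    done | sort | uniq -c |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print $0 ": " n }'
}

# Constructed sample log, not output captured from a real system.
sample_log() {
    cat <<'EOF'
>>> KrbAsReq creating message
KrbException: Clock skew too great (37)
GSSException: No valid credentials provided (Mechanism level: Clock skew too great (37))
KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
java.net.SocketTimeoutException: Receive timed out
EOF
}

sample_log | triage
```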