1) Kerberos authentication is a universal authentication method in the Hadoop ecosystem.
2) There are two ways to configure Kerberos authentication:
Method one: use Kerberos authentication directly in the data connection configuration interface. This is mainly used for authenticated connections through the Hive, HBase and other drivers.
Method two: configure the JVM parameters first, then authenticate in the data connection configuration interface. This is mainly used when the data connection configuration interface has been filled in as required and authentication succeeds, but creating the connection still throws an error, for example with CDH's Impala.
FineBI supports Kerberos authentication when configuring the specified data connection. The supported database types are listed below:
Database
Apache Impala (Note: only method two can be used, not method one)
Hadoop Hive
Spark
Transwarp Inceptor (Star ring)
Apache Phoenix
HBase
1) Download the configuration files krb5.conf and XXX.keytab from the environment, and obtain the principal.
2) The principal is the name of the client registered with the KDC. The format is usually: username/department@company.
3) XXX.keytab is the key table file. Its location needs to be found on the application server that provides the Kerberos service. The keytab file name may differ from server to server, so XXX is used here as a stand-in.
Take Hadoop Hive as an example.
Put krb5.conf and XXX.keytab in the same directory, for example, put them in the %FineBI%\webapps\webroot\WEB-INF\resources directory.
Note: When there are multiple Kerberos authentications, it is best not to put all the keytab files in the resources directory, because this may cause authentication conflicts. In that case, create a new folder under resources for each authentication and place the corresponding authentication files in it.
Configure the local hosts file, for example, configure the remote mapping under the path C:\Windows\System32\drivers\etc\hosts: 192.168.5.127 quickstart.cloudera. The mapping format is "IP machine name". As shown below:
1) In the data connection configuration panel, set the authentication method to "Kerberos authentication", fill in the client principal and keytab key path as required, and modify the keytab name according to the actual situation. Fill in the other settings as described in Configure Data Connection. Note that the client principal needs to be added after the URL. Examples of data connection information are as follows:
URL: jdbc:hive2://192.168.5.127:10000/default;principal=hive/quickstart.cloudera@QUICKSTART.CLOUDERA
Client principal: hive/quickstart.cloudera@QUICKSTART.CLOUDERA
keytab key path: %FineBI%\webapps\webroot\WEB-INF\resources\hive.keytab
As shown below:
Note: Here you need to ensure that krb5.conf and XXX.keytab are placed in the same directory.
2) Click Test Connection, the connection is successful as shown in the figure below:
Take Apache Impala as an example. The example here is a locally deployed BI. For a project deployed under Tomcat, the configuration steps are the same, and you only need to change the paths to the corresponding paths under Tomcat.
Download the configuration files krb5.conf and impala.keytab from the environment and place them in the %FineBI%\webapps\webroot\WEB-INF\resources directory.
Prepare the krb5.ini file, and place the krb5.ini file in the %FineBI%\webapps\webroot\WEB-INF\resources directory. The content is as follows:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt = true
  useKeyTab = true
  keyTab = "%FineBI%\webapps\webroot\WEB-INF\resources\XXX.keytab"
  principal = "dummy@SOME.REALM"
  debug = true;
};
1) Enter the FineBI installation directory %FineBI%\bin, find the finebi.vmoptions file, edit the file, and add the following two JVM parameters, as shown below:
-Djava.security.krb5.conf=%FineBI%\webapps\webroot\WEB-INF\resources\krb5.conf
-Djava.security.auth.login.config=%FineBI%\webapps\webroot\WEB-INF\resources\krb5.ini
Note: The values of the two parameters are the absolute paths of the krb5.conf and krb5.ini files.
An example of the edited finebi.vmoptions file is as follows:
-Djava.security.krb5.conf=%FineBI%\webapps\webroot\WEB-INF\resources\krb5.conf
-Djava.security.auth.login.config=%FineBI%\webapps\webroot\WEB-INF\resources\krb5.ini
-Xmx4018m
-Dfile.encoding=UTF-8
-Djava.io.tmpdir=.\temp
Note: If you are using the Spider distributed engine rather than the stand-alone version, add one more parameter to the file: -Dzookeeper.sasl.client=false. ZooKeeper's default authentication mode is affected by the Kerberos configuration, which causes BI to fail to start.
2) At this time, it is also necessary to configure the remote mapping, which is consistent with Method 1. For details, please refer to the second point of chapter 2.1 of this article.
3) In the data connection configuration panel, set the authentication method to "Kerberos authentication", fill in the client principal and keytab key path as required, and modify the keytab name according to the actual situation. Fill in the other settings as described in Configure Data Connection. Note that three parameters, AuthMech, KrbHostFQDN, and KrbServiceName, need to be added after the URL. The data connection information is as follows:
URL: jdbc:impala://192.168.5.127:21050/default;AuthMech=1;KrbHostFQDN=quickstart.cloudera;KrbServiceName=impala
  AuthMech=1 means Kerberos authentication is used;
  KrbHostFQDN is the Impala server, which is the value of admin_server in the krb5.conf file;
  KrbServiceName is the corresponding service name. For a detailed explanation, refer to: Detailed parameter explanation
Client principal: impala/quickstart.cloudera@QUICKSTART.CLOUDERA
keytab key path: %FineBI%\webapps\webroot\WEB-INF\resources\impala.keytab (the path where impala.keytab is stored)
The data connection interface is shown in the figure below:
4) Click Test Connection. The connection is successful, as shown below:
Note 1: Although the Apache Impala and Hive drivers do not conflict, using Kerberos authentication for both Apache Impala and Hive at the same time is currently not supported, because the Kerberos driver itself involves global parameters. If it is used by Apache Impala, then Hive cannot use it.
Note 2: Kerberos authentication is not supported if the driver isolation plug-in is used.
Check content: the system time difference between the machine where the FineBI server is located and the database server
Requirement: Usually the time difference is less than 5 minutes

Check content: the hosts file of the machine where the FineBI server is configured
Requirement: Confirm that the database server can be pinged through the hostname/domain name

Check content: the zookeeper package that comes with FineBI needs to match the zookeeper version of the database server
Requirement: For example, such an error may occur when connecting to the Huawei HD platform

Check content: whether the principal name is correct
Requirement: The format of the principal is usually username/department@company. To confirm whether the principal is correct, execute klist or kinit -k -t /path/to/keytab name_of_principal in the database server shell, or connect directly to the authenticated service through beeline, impala-shell or other tools and view the corresponding principal information. For example, the principal corresponding to the Hive service is hive/bigdata@XXX.COM, and the principal corresponding to the Impala service is impala/bigdata@XXX.COM.

Check content: the engineering path of FineBI
Requirement: Make sure that the path contains no spaces (such as tomcat 9), because Kerberos authentication does not support paths with spaces.
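The checks above that depend only on the connection settings (required URL parameters, principal format, hosts mapping, file locations, spaces in paths) can be run before clicking Test Connection. The script below is an added example, not FineBI code: the function names, the C:\FineBI install root and the sample hosts text are assumptions, and it assumes, as in this page's example values, that the second component of the service principal is the server's machine name.

```python
import re
from pathlib import PureWindowsPath

# URL parameters this page requires for each driver.
REQUIRED = {"hive2": {"principal"}, "impala": {"AuthMech", "KrbHostFQDN", "KrbServiceName"}}
PRINCIPAL = re.compile(r"^[^/@\s]+/([^/@\s]+)@[^/@\s]+$")  # name/instance@REALM

def parse_url(url):
    """Split jdbc:<driver>://host:port/db;key=value;... into (driver, params)."""
    m = re.match(r"^jdbc:(\w+)://[^;]+?((?:;[^;]+)*)$", url)
    if not m:
        raise ValueError("unrecognised JDBC URL: " + url)
    params = dict(p.split("=", 1) for p in m.group(2).split(";") if "=" in p)
    return m.group(1), params

def hosts_names(hosts_text):
    """Machine names mapped in hosts-file text ("IP machine name" per line)."""
    names = set()
    for line in hosts_text.splitlines():
        names.update(n.lower() for n in line.split("#", 1)[0].split()[1:])
    return names

def check(url, client_principal, keytab, krb5_conf, hosts_text):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    driver, params = parse_url(url)
    missing = REQUIRED.get(driver, set()) - set(params)
    if missing:
        problems.append("URL lacks " + ", ".join(sorted(missing)))
    if driver == "impala" and params.get("AuthMech", "1") != "1":
        problems.append("AuthMech must be 1 for Kerberos")
    if not PRINCIPAL.match(client_principal):
        problems.append("client principal is not name/instance@REALM")
    # Assumption: machine name = KrbHostFQDN, or 2nd component of the URL principal.
    m = PRINCIPAL.match(params.get("principal", ""))
    fqdn = params.get("KrbHostFQDN") or (m.group(1) if m else None)
    if fqdn and fqdn.lower() not in hosts_names(hosts_text):
        problems.append(fqdn + " has no hosts mapping")
    if PureWindowsPath(keytab).parent != PureWindowsPath(krb5_conf).parent:
        problems.append("krb5.conf and keytab are in different directories")
    if " " in keytab or " " in krb5_conf:
        problems.append("path contains a space")
    return problems

# Constructed sample: the page's Hive values, C:\FineBI standing in for %FineBI%.
RES = r"C:\FineBI\webapps\webroot\WEB-INF\resources"
HOSTS = "127.0.0.1 localhost\n192.168.5.127 quickstart.cloudera\n"
HIVE_URL = "jdbc:hive2://192.168.5.127:10000/default;principal=hive/quickstart.cloudera@QUICKSTART.CLOUDERA"
HIVE_PRINCIPAL = "hive/quickstart.cloudera@QUICKSTART.CLOUDERA"
print(check(HIVE_URL, HIVE_PRINCIPAL, RES + r"\hive.keytab", RES + r"\krb5.conf", HOSTS))
```

The hosts check only looks at the hosts-file text it is given; a name that resolves through DNS instead is reported as unmapped.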
1) If the connection fails, confirm with the platform's database administrator whether the security authentication configuration of the related services is correct. Then contact Fanruan technical support and provide the related error logs (with the JVM security debugging parameters added, as shown below), the data platform database version, the corresponding driver JAR package, the related connection information, and Java authenticated-connection test code or a shell tool that can connect to the authenticated database.
JVM security debugging log parameters:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
-Djava.security.krb5.debug=true
2) In special circumstances, if the connection cannot be made under Windows, the FineBI test server can be deployed on Linux. Make sure that the server can connect to the database through the relevant shell tool, and that the cached TGT information can be seen through klist.
Problem Description:
The CDH connection throws an error: Unable to obtain Principal Name for authentication
Cause Analysis:
The JCE installed by the JDK by default cannot handle symmetric keys with more than 128 bits.
Solution:
Update the JCE extension package of JRE.
For details of JCE installation, please refer to: Expansion Package Installation Connection. Usually you can go directly to step 4: download and decompress to get the JCE extension JAR packages, and then replace the files in the designated directory of the JRE.
The Transwarp Inceptor (Star ring) database reports an error GSS initiate failed.
Troubleshooting steps:
The driver itself performs a static global operation. After the Kerberos center is refreshed, the static global state inside the driver still remains, so the data connection cannot connect. Restart the BI server to see if the error still occurs. If it does, take the following troubleshooting steps:
(Incorrect password) The keytab file does not match the user. You can check it on the client server with kinit -k -t keytab user.
(Clock offset) The times of the local server and the remote server do not match. Check NTP against the remote server.
(AES-256 not supported) By default, the JDK/JRE does not support AES-256. You need to copy local_policy.jar and US_export_policy.jar from the remote server in the /opt/huawei/Bigdata/jdk/jre/lib/security path.
(No rules) The principal format is not supported by default. You need to add the property hadoop.security.auth_to_local (in core-site.xml) with the value RULE:[1:$1] RULE:[2:$1].
(Timeout) The KDC server cannot be reached, or there is a firewall in the network.