-
I am trying to set up Kerberos security in order to secure an existing HA cluster, and I am running into issues after following the documentation on securing Ozone. After setting the properties needed for Kerberos to work with Ozone as per the documentation, OM fails to start up, citing:
java.lang.IllegalArgumentException: Can't get Kerberos realm
java.lang.IllegalArgumentException: KrbException: krb5.conf loading failed
Even with the krb5.conf set up including the default_realm variable. I am wondering if it can't find the krb5.conf file. Is there a way to specify the location of the krb5.conf in the ozone-site.xml?
-
The location of the krb5.conf file should be either the default, /etc/krb5.conf, or the place defined by the KRB5_CONFIG environment variable. Also, you may enable Kerberos-related debug logging in the JVM (-Dsun.security.krb5.debug=true in the OZONE_OPTS env var should do it), and see if the Kerberos layer gives more info on what is missing. Based on what you have shared from the exception itself, I tend to believe that there is a syntax problem within the krb5.conf file.
-
Based on the code I could find quickly for In the kerberos debug output search for lines like:
-
Dear @Dalamar32, it feels like you are solving the same problem as me. I would appreciate it if we could make some kind of collaboration, as Ozone is a cutting-edge system and it's obvious that we'll face a lot of concerns on the way. Currently, could you please share core-site.xml and hdfs-site.xml (and other conf) for your setup? I'm struggling with an interesting enterprise-level setup: Apache Ozone 1.3.0 + Spark 3.2.3 (cluster mode) + Kerberos. All of it resides in Kubernetes. And I ended up with an absence of Ozone delegation tokens for Spark workers and didn't find any meaningful errors in the logs.
-
In the /etc/krb5.conf I removed the following:
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
Afterwards OM came up successfully
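
A preflight check for the failure discussed in this thread, as an added example that is not part of the original discussion or of Ozone. It picks the krb5.conf path the way the reply above describes (KRB5_CONFIG, else /etc/krb5.conf), then reports include/includedir directives whose targets are missing or unreadable, and a missing default_realm. The function names and the sample file are constructed for illustration.

```python
import os
import re
import tempfile

def locate_krb5_conf(env=None):
    """Path per the reply in this thread: KRB5_CONFIG if set, else /etc/krb5.conf."""
    env = os.environ if env is None else env
    return env.get("KRB5_CONFIG") or "/etc/krb5.conf"

def check_krb5_conf(path):
    """Return a list of findings (strings); an empty list means nothing suspicious."""
    try:
        with open(path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except OSError as exc:
        return [f"cannot read {path}: {exc.strerror}"]
    findings, section, has_realm = [], None, False
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"(includedir|include)\s+(\S+)$", line)
        if m:
            kind, target = m.groups()
            ok = os.path.isdir(target) if kind == "includedir" else os.path.isfile(target)
            if not (ok and os.access(target, os.R_OK)):
                findings.append(f"line {no}: {kind} target missing or unreadable: {target}")
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "libdefaults" and re.match(r"default_realm\s*=\s*\S", line):
            has_realm = True
    if not has_realm:
        findings.append("no default_realm in [libdefaults]")
    return findings

def demo():
    # Constructed sample: one includedir that exists, one that does not.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "krb5.conf.d")
        os.mkdir(good)
        conf = os.path.join(d, "krb5.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(f"includedir {good}\nincludedir {d}/missing.d/\n"
                     "[libdefaults]\n  default_realm = EXAMPLE.COM\n")
        return check_krb5_conf(conf)

if __name__ == "__main__":
    print(check_krb5_conf(locate_krb5_conf()) or "no findings")
```

Run it as the same user and inside the same container or host as the OM process, since the directories named by includedir may exist on one and not the other.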