LIVY-594

Livy in yarn-cluster mode: replace the SASL mechanism between the driver and Livy, DIGEST-MD5, with GSSAPI (Kerberos)


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Duplicate
    • Affects Version/s: 0.5.0
    • Fix Version/s: 0.5.0
    • Component/s: RSC, Server
    • Labels: (none)
    • Flags: Patch, Important

      Description

      DIGEST-MD5 is already regarded by the industry as an insecure mechanism, so according to our company's security requirements it was to be replaced with GSSAPI (i.e. Kerberos authentication).

      At first I only changed the livy.rsc.rpc.sasl.mechanisms configuration value to GSSAPI, but that failed with the error: Failed to find any Kerberos credentails. So began my painful journey of modifying the source (if anyone has a workable configuration-only approach, please let me know, many thanks). The concrete steps were as follows:

      1) In the Rpc and RpcServer classes, when the SASL client and server are created, create a LoginContext and log in, and wrap Sasl.createSaslServer and Sasl.createSaslClient in Subject.doAs.

      2) For the parameters of Sasl.createSaslServer and Sasl.createSaslClient, mainly change protocol to the user name of the principal (i.e. the first component of the principal) and serverName to the fully qualified host name (i.e. the second component of the principal). The other parameters are unchanged; login succeeds.

      Problem: the client and server can communicate and the first sendHello succeeds, but on the second exchange, when the driver unwraps the token returned by Livy, it fails with: Caused by GSSException: Defective token detected (Mechanism level: Wrap Token (new format): Cannot read all 12 bytes needed to form this token!)

      Analysis: I traced Livy's log; the byte array returned to the driver is null. For the Rpc.SaslMessage object sent to the driver over the channel, at unwrap time the data is [20, 1, 0, 0], offset is 0, len is 4, and the driver's unwrap fails there.

      I really cannot get this to work; asking the community experts for help.
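The two steps above, as an added example that is not code from the Livy project or from the reporter's patch: a stand-alone Java program that logs both sides in from keytabs, derives protocol and serverName from the service principal, creates the GSSAPI SaslClient and SaslServer under Subject.doAs, drives the negotiation in memory until both sides report completion, and only then calls wrap/unwrap. The principal names, keytab paths and the JAAS entry name are assumptions; running it needs a reachable KDC and the two keytabs.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;

/** Minimal GSSAPI SASL handshake driven in memory. All principals and keytab paths below are hypothetical. */
public class GssapiSaslExample {

  static final String SERVER_PRINCIPAL = "livy/livy-host.example.com@EXAMPLE.COM";
  static final String SERVER_KEYTAB = "/etc/security/keytabs/livy.keytab";
  static final String CLIENT_PRINCIPAL = "driver/driver-host.example.com@EXAMPLE.COM";
  static final String CLIENT_KEYTAB = "/etc/security/keytabs/driver.keytab";

  /** Kerberos login from a keytab; the JAAS entry is built in code, so no jaas.conf file is needed. */
  static Subject login(String principal, String keytab, boolean initiator) throws Exception {
    Map<String, String> opts = new HashMap<>();
    opts.put("useKeyTab", "true");
    opts.put("keyTab", keytab);
    opts.put("principal", principal);
    opts.put("storeKey", "true");      // the acceptor needs its long-term key in the Subject
    opts.put("doNotPrompt", "true");
    opts.put("isInitiator", String.valueOf(initiator));
    Configuration conf = new Configuration() {
      @Override
      public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return new AppConfigurationEntry[] {new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)};
      }
    };
    LoginContext lc = new LoginContext("LivyRpc", new Subject(), callbacks -> { }, conf);
    lc.login();
    return lc.getSubject();
  }

  /** "livy/livy-host.example.com@EXAMPLE.COM" -> {"livy", "livy-host.example.com"}: SASL protocol and serverName. */
  static String[] serviceAndHost(String principal) {
    String[] parts = principal.split("@", 2)[0].split("/", 2);
    if (parts.length != 2) {
      throw new IllegalArgumentException("expected service/host@REALM, got " + principal);
    }
    return parts;
  }

  /** Server-side callback: GSSAPI only asks whether the authenticated id may act as the requested authz id. */
  static void authorize(Callback[] callbacks) throws UnsupportedCallbackException {
    for (Callback cb : callbacks) {
      if (!(cb instanceof AuthorizeCallback)) {
        throw new UnsupportedCallbackException(cb);
      }
      AuthorizeCallback ac = (AuthorizeCallback) cb;
      ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
    }
  }

  /** Every negotiation step runs under its side's Subject so the Krb5 mechanism can find its credentials. */
  static void handshake(Subject cs, SaslClient client, Subject ss, SaslServer server) throws Exception {
    byte[] toServer = client.hasInitialResponse()
        ? Subject.doAs(cs, (PrivilegedExceptionAction<byte[]>) () -> client.evaluateChallenge(new byte[0]))
        : new byte[0];
    while (!client.isComplete() || !server.isComplete()) {
      final byte[] resp = toServer;
      byte[] toClient = Subject.doAs(ss, (PrivilegedExceptionAction<byte[]>) () -> server.evaluateResponse(resp));
      if (toClient == null) {
        break;  // server finished with nothing to send: never ship a null frame for the client to unwrap
      }
      toServer = Subject.doAs(cs, (PrivilegedExceptionAction<byte[]>) () -> client.evaluateChallenge(toClient));
    }
    if (!client.isComplete() || !server.isComplete()) {
      throw new IllegalStateException("SASL negotiation ended before both sides completed");
    }
  }

  /** wrap/unwrap is only legal after handshake(); negotiation messages never go through unwrap. */
  static String roundTrip(SaslClient client, SaslServer server, String msg) throws Exception {
    byte[] plain = msg.getBytes(StandardCharsets.UTF_8);
    byte[] sealed = client.wrap(plain, 0, plain.length);
    byte[] opened = server.unwrap(sealed, 0, sealed.length);
    return new String(opened, StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws Exception {
    Subject serverSubject = login(SERVER_PRINCIPAL, SERVER_KEYTAB, false);
    Subject clientSubject = login(CLIENT_PRINCIPAL, CLIENT_KEYTAB, true);
    String[] svc = serviceAndHost(SERVER_PRINCIPAL);          // protocol = "livy", serverName = host
    Map<String, String> qop = Map.of(Sasl.QOP, "auth-conf");  // confidentiality, as with the DIGEST-MD5 setup
    SaslServer server = Subject.doAs(serverSubject, (PrivilegedExceptionAction<SaslServer>) () ->
        Sasl.createSaslServer("GSSAPI", svc[0], svc[1], qop, GssapiSaslExample::authorize));
    SaslClient client = Subject.doAs(clientSubject, (PrivilegedExceptionAction<SaslClient>) () ->
        Sasl.createSaslClient(new String[] {"GSSAPI"}, null, svc[0], svc[1], qop, null));
    handshake(clientSubject, client, serverSubject, server);
    System.out.println("negotiated QOP: " + client.getNegotiatedProperty(Sasl.QOP));
    System.out.println(roundTrip(client, server, "hello from driver"));
    client.dispose();
    server.dispose();
  }
}
```

Two points of this flow matter for the symptom in the description. First, the GSSAPI mechanism finishes with the server's last evaluateResponse returning null while isComplete() is true on both sides; that null is a "nothing more to send" signal, not a payload. Second, the short security-layer proposal the server sends mid-negotiation is consumed by the client's evaluateChallenge, never by unwrap. A GSSAPI wrap token always carries a 16-byte header (RFC 4121), so a 4-byte buffer can never be one; if such a buffer reaches unwrap, the RPC framing is handing a negotiation message or a null reply to the data path before the handshake has completed on both ends.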

       

        People

        • Assignee: Unassigned
        • Reporter: yc_huawei yanchao
        • Votes: 0
        • Watchers: 1

        Dates

        • Created:
        • Updated:
        • Resolved: