Submitting Flink SQL jobs on YARN with Kerberos
YARN clusters are commonly secured with Kerberos for access control. When submitting a Flink job to a Kerberized YARN cluster, some configuration is needed so that Flink can authenticate.
Following the documentation, add the following to flink-conf.yaml:

```yaml
security.kerberos.krb5-conf.path: /etc/krb5.conf
security.kerberos.login.use-ticket-cache: true
security.kerberos.login.keytab: /data/flink.keytab
security.kerberos.login.principal: flink/api@EXAMPLE.COM
```
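The krb5.conf referenced above tells the Kerberos libraries which realm and KDC to use. A minimal sketch is shown below; the realm EXAMPLE.COM matches the principal above, but the KDC hostname is a placeholder and must be replaced with your actual KDC:

```ini
# /etc/krb5.conf — minimal sketch; kdc.example.com is a placeholder hostname
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
```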
Then submit the job through the Flink client:

```shell
/data/etl/ll_test/flink-1.13.5/bin/flink run -t yarn-per-job \
  -Dyarn.application.name=kafka2hbase \
  -Dparallelism.default=1 \
  -Djobmanager.memory.process.size=2048mb \
  -Dtaskmanager.memory.process.size=2048mb \
  -Dtaskmanager.numberOfTaskSlots=1 \
  -Drest.flamegraph.enabled=true \
  -c cn.com.example.bigdata.index.app.IndexServiceApp \
  /data/etl/ll_test/jars/bigdata-etl-index-3.2.0.jar 5 30 hdfs submit_test_job /data/etl/ll_test/sql.txt
```
This submits the job to YARN. If these settings are missing from flink-conf.yaml, YARN rejects the submission.
- HBase SQL sink on Kerberos
According to the documentation, the official HBase SQL connector supports Kerberos authentication; you need to set 'properties.hbase.security.authentication' = 'kerberos'.
Do we also need to configure a keytab for the HBase connector itself? Testing showed that we do not; the HBase DDL can be written as:
```sql
CREATE TABLE hbase_sink (
    rowkey STRING,
    cf ROW<urlC STRING>,
    PRIMARY KEY (rowkey) NOT ENFORCED
) WITH (
    'connector' = 'hbase-1.4',
    'table-name' = 'dim_hbase',
    'sink.buffer-flush.max-rows' = '5',
    'zookeeper.quorum' = '172.17.26.201:2181,172.17.26.202:2181,172.17.26.203:2181',
    'properties.hbase.security.authentication' = 'kerberos'
);
```
and the job runs stably on the cluster.
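For completeness, here is a sketch of how such a sink might be fed from Kafka. The kafka_source table below is hypothetical — the topic name, broker address, and schema are assumptions, not part of the original job:

```sql
-- Hypothetical Kafka source feeding the hbase_sink above;
-- topic, broker, and field names are illustrative assumptions.
CREATE TABLE kafka_source (
    rowkey STRING,
    url    STRING
) WITH (
    'connector' = 'kafka',
    'topic' = 'url_events',
    'properties.bootstrap.servers' = '172.17.26.201:9092',
    'properties.group.id' = 'kafka2hbase',
    'scan.startup.mode' = 'latest-offset',
    'format' = 'json'
);

-- ROW(url) maps positionally onto the sink's cf ROW<urlC STRING> column.
INSERT INTO hbase_sink
SELECT rowkey, ROW(url)
FROM kafka_source;
```

If the Kafka cluster is itself Kerberized, a KafkaClient login context would also be needed (see the commented security.kerberos.login.contexts setting later in this post).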
Kerberos tickets obtained from the keytab are time-limited, so what happens when they expire? This is not a concern: Flink (through Hadoop's UserGroupInformation) runs a background thread that periodically re-authenticates from the keytab, keeping the credentials valid.
We did, however, hit one error on the cluster:

```
2022-09-16 16:49:10,144 ERROR org.apache.zookeeper.client.ZooKeeperSaslClient [] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2022-09-16 16:49:10,145 ERROR org.apache.zookeeper.ClientCnxn [] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
```
It looks like authentication failed when connecting to ZooKeeper. But isn't Flink supposed to handle Kerberos authentication for us? Why does it fail here? Investigation suggested the failure was caused by SASL being enabled for the ZooKeeper client: the "Server not found in Kerberos database" message indicates the client requested a zookeeper/<host> service principal that does not exist in the KDC.
Reopen flink-conf.yaml and add the following:

```yaml
# security.kerberos.login.contexts: Client,KafkaClient
#==============================================================================
# ZK Security Configuration
#==============================================================================
zookeeper.sasl.disable: true
# Below configurations are applicable if ZK ensemble is configured for security
# Override below configuration to provide custom ZK service name if configured
# zookeeper.sasl.service-name: zookeeper
# The configuration below must match one of the values set in "security.kerberos.login.contexts"
# zookeeper.sasl.login-context-name: Client
```
This disables SASL authentication for ZooKeeper. After resubmitting the job, everything recovered.