Doris using Ranger for permission management reports java.lang.IllegalArgumentException: Can't get Kerberos realm
Trial and error
I tried adding settings to ranger-doris-security.xml:
Reference: org.apache.ranger.admin.client.AbstractRangerAdminClient#forceNonKerberos, which led to adding ranger.plugin.doris.forceNonKerberos
Reference: boolean initUgi = pluginConfig.getBoolean(ugiPrefix + ".initialize", false); in org.apache.ranger.plugin.service.RangerBasePlugin#RangerBasePlugin(org.apache.ranger.authorization.hadoop.config.RangerPluginConfig), which led to adding ranger.plugin.doris.ugi.initialize
After testing, neither of the following two settings helped; the error persisted.
<property>
    <name>ranger.plugin.doris.ugi.initialize</name>
    <value>false</value>
</property>
<property>
    <name>ranger.plugin.doris.forceNonKerberos</name>
    <value>true</value>
</property>
Error output:
2026-01-22 18:09:40,461 INFO (main|15) [Config.getNativeFileName():942] Native config name: /etc/krb5.conf
2026-01-22 18:09:40,461 INFO (main|15) [Config.loadConfigFile():676] Loading config file from /etc/krb5.conf
2026-01-22 18:09:40,462 INFO (main|15) [Config.<init>():238] Loaded from native config
2026-01-22 18:09:40,462 ERROR (main|15) [RangerRolesProvider.loadUserGroupRolesFromAdmin():200] RangerRolesProvider(serviceName=doris-prod): failed to refresh roles. Will continue to use last known version of roles (lastKnowRoleVersion= -1
java.lang.IllegalArgumentException: Can't get Kerberos realm
at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:71) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:315) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:300) ~[hadoop-common-3.3.6.jar:?]
at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:665) ~[hadoop-common-3.3.6.jar:?]
at org.apache.ranger.audit.provider.MiscUtil.getLoginUser(MiscUtil.java:888) ~[ranger-plugins-audit-2.4.0.jar:2.4.0]
at org.apache.ranger.audit.provider.MiscUtil.getUGILoginUser(MiscUtil.java:521) ~[ranger-plugins-audit-2.4.0.jar:2.4.0]
at org.apache.ranger.admin.client.RangerAdminRESTClient.getRolesIfUpdatedWithCred(RangerAdminRESTClient.java:1200) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.admin.client.RangerAdminRESTClient.getRolesIfUpdated(RangerAdminRESTClient.java:167) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.plugin.util.RangerRolesProvider.loadUserGroupRolesFromAdmin(RangerRolesProvider.java:183) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.plugin.util.RangerRolesProvider.loadUserGroupRoles(RangerRolesProvider.java:123) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.plugin.util.PolicyRefresher.loadRoles(PolicyRefresher.java:495) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.plugin.util.PolicyRefresher.startRefresher(PolicyRefresher.java:144) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.ranger.plugin.service.RangerBasePlugin.init(RangerBasePlugin.java:245) ~[ranger-plugins-common-2.4.0.jar:2.4.0]
at org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisPlugin.<init>(RangerDorisPlugin.java:30) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController.<init>(RangerDorisAccessController.java:61) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController.getInstance(RangerDorisAccessController.java:74) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController.getInstance(RangerDorisAccessController.java:68) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.mysql.privilege.AccessControllerManager.<init>(AccessControllerManager.java:62) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.Env.<init>(Env.java:750) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.EnvFactory.createEnv(EnvFactory.java:71) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.Env$SingletonHolder.<clinit>(Env.java:681) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.catalog.Env.getCurrentEnv(Env.java:842) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.DorisFE.start(DorisFE.java:187) ~[doris-fe.jar:1.2-SNAPSHOT]
at org.apache.doris.DorisFE.main(DorisFE.java:97) ~[doris-fe.jar:1.2-SNAPSHOT]
Caused by: java.lang.IllegalArgumentException: KrbException: Cannot locate default realm
at javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:199) ~[java.security.jgss:?]
at org.apache.hadoop.security.authentication.util.KerberosUtil.getDefaultRealm(KerberosUtil.java:120) ~[hadoop-auth-3.3.6.jar:?]
at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:69) ~[hadoop-common-3.3.6.jar:?]
... 23 more
Solution 1 (not recommended)
Grab any krb5.conf (make sure its realm configuration is not empty) and place it in /etc/.
Solution 2 (recommended)
Locate the code:
org.apache.hadoop.security.HadoopKerberosName#setConfiguration
public static void setConfiguration(Configuration conf) throws IOException {
    final String defaultRule;
    switch (SecurityUtil.getAuthenticationMethod(conf)) {
        case KERBEROS:
        case KERBEROS_SSL:
            try {
                KerberosUtil.getDefaultRealm();
            } catch (Exception ke) {
                throw new IllegalArgumentException("Can't get Kerberos realm", ke);
            }
            defaultRule = "DEFAULT";
            break;
        default:
            // just extract the simple user name
            defaultRule = "RULE:[1:$1] RULE:[2:$1]";
            break;
    }
    String ruleString = conf.get(HADOOP_SECURITY_AUTH_TO_LOCAL, defaultRule);
    setRules(ruleString);
    String ruleMechanism = conf.get(HADOOP_SECURITY_AUTH_TO_LOCAL_MECHANISM, DEFAULT_MECHANISM);
    setRuleMechanism(ruleMechanism);
}
And SecurityUtil.getAuthenticationMethod(conf) is straightforward:
public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";

public static AuthenticationMethod getAuthenticationMethod(Configuration conf) {
    String value = conf.get(HADOOP_SECURITY_AUTHENTICATION, "simple");
    try {
        return Enum.valueOf(AuthenticationMethod.class,
                StringUtils.toUpperCase(value));
    } catch (IllegalArgumentException iae) {
        throw new IllegalArgumentException("Invalid attribute value for " +
                HADOOP_SECURITY_AUTHENTICATION + " of " + value);
    }
}
So where does conf come from?
org.apache.hadoop.security.UserGroupInformation.ensureInitialized
/**
 * A method to initialize the fields that depend on a configuration.
 * Must be called before useKerberos or groups is used.
 */
private static void ensureInitialized() {
    if (!isInitialized()) {
        synchronized(UserGroupInformation.class) {
            if (!isInitialized()) { // someone might have beat us
                initialize(new Configuration(), false);
            }
        }
    }
}
It is simply an empty new Configuration().
Checking the Configuration API shows that it automatically loads core-site.xml from the classpath, and no other site file. How did I forget that?!
Configurations are specified by resources. A resource contains a set of name/value pairs as XML data. Each resource is named by either a String or by a Path. If named by a String, then the classpath is examined for a file with that name. If named by a Path, then the local filesystem is examined directly, without referring to the classpath.
Unless explicitly turned off, Hadoop by default specifies two resources, loaded in-order from the classpath:
core-default.xml: Read-only defaults for hadoop.
core-site.xml: Site-specific configuration for a given hadoop installation.
That is when I remembered that the conf directory contains this file: doris/fe/conf/core-site.xml. I deleted it and restarted doris-fe. The error is gone.
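As an added example (not from this post, nor Hadoop's or Doris's own code), here is a small Python pre-flight check that reproduces the decision made by the HadoopKerberosName.setConfiguration() and SecurityUtil.getAuthenticationMethod() code quoted above for a given core-site.xml and krb5.conf: a core-site.xml on the FE classpath that sets hadoop.security.authentication to kerberos while no krb5.conf supplies a default_realm is exactly the combination that produces "Can't get Kerberos realm". The core-site.xml and krb5.conf contents are constructed samples; the AuthenticationMethod enum values are Hadoop's.

```python
import xml.etree.ElementTree as ET
from typing import Optional

AUTH_KEY = "hadoop.security.authentication"
# Values of Hadoop's AuthenticationMethod enum; SecurityUtil does Enum.valueOf on the upper-cased string
AUTH_METHODS = {"SIMPLE", "KERBEROS", "TOKEN", "CERTIFICATE", "KERBEROS_SSL", "PROXY"}

# Constructed sample inputs for the checks below (not from the post or any real deployment)
CORE_SITE_KERBEROS = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
KRB5_WITH_REALM = "[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n  kdc = kdc.example.com\n }\n"


def hadoop_property(xml_text: str, name: str, default: str) -> str:
    """Read one <property> from Hadoop configuration XML; like Configuration, the last definition wins."""
    value = default
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == name:
            value = (prop.findtext("value") or "").strip()
    return value


def authentication_method(core_site_xml: Optional[str]) -> str:
    """Port of SecurityUtil.getAuthenticationMethod(); None means no core-site.xml on the classpath."""
    value = hadoop_property(core_site_xml, AUTH_KEY, "simple") if core_site_xml else "simple"
    if value.upper() not in AUTH_METHODS:
        raise ValueError(f"Invalid attribute value for {AUTH_KEY} of {value}")
    return value.upper()


def default_realm(krb5_text: Optional[str]) -> Optional[str]:
    """default_realm from [libdefaults] of krb5.conf; None = 'KrbException: Cannot locate default realm'."""
    section = None
    for raw in (krb5_text or "").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "default_realm" and val.strip():
                return val.strip()
    return None


def auth_to_local_rule(core_site_xml: Optional[str], krb5_text: Optional[str]) -> str:
    """Mirror the switch in setConfiguration(): KERBEROS/KERBEROS_SSL need a realm, others use the simple rule."""
    if authentication_method(core_site_xml) in ("KERBEROS", "KERBEROS_SSL"):
        if default_realm(krb5_text) is None:
            raise ValueError("Can't get Kerberos realm")  # same message the FE log shows
        return "DEFAULT"
    return "RULE:[1:$1] RULE:[2:$1]"
```

Run it against the real files from the FE conf directory and /etc before restarting: with no core-site.xml it returns the simple rule, which is why removing the stray file fixed the start-up.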