3

我在 Cloudera 5 beta 上启用了安全模式。使用 cloudera manager 并从此处执行第 8 步安全启用文档后, cloudera manager 应该触发Generate Credential命令,但事实并非如此。

所以我正在做的是手动运行生成凭据,但它给了我错误日志,即。

KADMIN='kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN'
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN -q 'addprinc -randkey hue/cdh4hdm@IMP.CO.IN'
WARNING: no policy specified for hue/cdh4hdm@IMP.CO.IN; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "hue/cdh4hdm@IMP.CO.IN".
+ kadmin -k -t /etc/cloudera-scm-server/cmf.keytab -p cloudera-scm/admin@IMP.CO.IN -r IMP.CO.IN -q 'xst -k /tmp/cmf4198733808580266866.keytab hue/cdh4hdm@IMP.CO.IN'
kadmin: Operation requires ``change-password'' privilege while changing hue/cdh4hdm@IMP.CO.IN's key
+ chmod 600 /tmp/cmf4198733808580266866.keytab
chmod: cannot access `/tmp/cmf4198733808580266866.keytab': No such file or directory

似乎 kadmin 无法创建原则。

我的问题是如何赋予 kadmin 添加原则权限或如何使用 kadmin.local 运行此命令?

有什么办法可以让我摆脱这个问题...

4

2 回答 2

5

Some configuration are needed for providing a user principal to create any principle by using kadmin.

One has to edit kadm5.acl file and add below entry in kadm5.acl file: 

*/admin@EXAMPLE.COM

Here * represents the wildcard, So the user principal who matches the string as provided in kadm5.acl will be able to create any principal for example:

root/admin@EXAMPLE.COM

After changing configuration one need to restart the Kerberos for taking the changes in effect. For more details refer this

于 2014-02-27T19:12:44.120 回答
0

我有同样的问题,并通过启动kadmind服务得到解决。

于 2016-03-31T02:00:35.720 回答