zookeeper配置kerberos认证的坑

zookeeper配置了kerberos之后，zkCli.sh 连接认证死活不通过

连接命令： zkCli.sh

报错如下：

WatchedEvent state:SyncConnected type:None path:null2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.2017-08-21 10:11:42,054 [myid:] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1072] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.

查了很久，终于在kdc的日志中找到了蛛丝马迹，如下

Aug 21 10:11:42 master krb5kdc[21935](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.100.144: LOOKING_UP_SERVER: authtime 0,  zkcli@NETEASE.COM for zookeeper/localhost@NETEASE.COM, Server not found in Kerberos database

原因分析：1、在zookeeper的认证请求中，zookeeper端的默认principall应该是zookeeper/@

2、当采用zkCli.sh 的方式请求中，默认的host应该是localhost

因此在kdc中才会发现客户端的请求和 zookeeper/localhost@NETEASE.COM 这个principal进行认证，但是在kerberos的database中却没有这个principal。

解决方法： 使用zkCli.sh -server host:port 访问。 同时zookeeper配置文件中sever部分的principal必须为zookeeper/@