浏览器端访问hdfs文件系统提示输入用户问题

在我的hadoop环境中，配置了Kerberos，hdfs-site.xml中的配置如下

<property>
       <name>dfs.webhdfs.enabled</name>
       <value>true</value>
           </property>
        <property>
        <name>dfs.web.authentication.kerberos.principal</name>
        <value>http/admin@psy.com</value>
           </property>
        <property>
        <name>dfs.web.authentication.kerberos.keytab</name>
        <value>/hadoop-data/etc/hadoop/http.service.keytab</value>
           </property>
复制代码

然后在浏览器端访问hdfs文件系统提示输入用户信息。我尝试了http/admin@psy.com以及操作系统用户hadoop都不能访问hdfs的目录
其中输入http/admin@psy.com登录后没有错，但是访问目录的时候就提示没权下了“Permission denied when trying to open /webhdfs/v1/?op=LISTSTATUS: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)”

大神们，求解释其中的原理。

提示登录页面

这里附上namenode的日志信息

2014-10-23 20:16:00,303 WARN org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:360)
        at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:357)
        at org.apache.hadoop.hdfs.web.AuthFilter.doFilter(AuthFilter.java:87)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1192)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:928)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:549)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:327)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:309)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:309)
        ... 24 more
复制代码

是否使用了强加密

JCE policy 版本与集群jdk版本是否匹配

可以获得适当的JDK版本的JCE政策文件:
JDK 1.6 http://www.oracle.com/technetwor ... ownload-429243.html
JDK 1.7 http://www.oracle.com/technetwor ... ownload-432124.html

这个是一致了，昨天从网上下的

大概是配置的问题

<!-- General HDFS security config -->
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
 
<!-- NameNode security config -->
<property>
  <name>dfs.https.address</name>
  <value><fully qualified domain name of NN>:50470</value>
</property>
<property>
  <name>dfs.https.port</name>
  <value>50470</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/usr/local/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>
<property>
  <name>dfs.namenode.kerberos.https.principal</name>
  <value>host/_HOST@YOUR-REALM.COM</value>
</property>
 
<!-- Secondary NameNode security config -->
<property>
  <name>dfs.secondary.https.address</name>
  <value><fully qualified domain name of 2NN>:50495</value>
</property>
<property>
  <name>dfs.secondary.https.port</name>
  <value>50495</value>
</property>
<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/usr/local/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.https.principal</name>
  <value>host/_HOST@YOUR-REALM.COM</value>
</property>
 
<!-- DataNode security config -->
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>700</value>
</property>
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:1004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:1006</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/usr/local/hadoop/conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hdfs/_HOST@YOUR-REALM.COM</value>
</property>
<property>
  <name>dfs.datanode.kerberos.https.principal</name>
  <value>host/_HOST@YOUR-REALM.COM</value>
</property>
复制代码

请问楼主用的这个Hadoop是什么版本的？！盼复！！！

这个问题最后你们是怎么解决的？！

hiqj 发表于 2014-11-11 20:27
请问楼主用的这个Hadoop是什么版本的？！盼复！！！

hadoop版本：2.4.1

hiqj 发表于 2014-11-11 20:48
这个问题最后你们是怎么解决的？！

先放到一般去了，没解决.

楼主问题解决没，哪位大侠路过解决下啊。

解决了么？