This is an automated email from the ASF dual-hosted git repository.

morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git


The following commit(s) were added to refs/heads/master by this push:
     new 2411dbe0e6d [doc](multi-catalog)add krb and some certificates FAQs (#28858)
2411dbe0e6d is described below

commit 2411dbe0e6d9e78931535472d8ff0d8ab0af5b8a
Author: slothever <18522955+w...@users.noreply.github.com>
AuthorDate: Mon Dec 25 23:05:44 2023 +0800

    [doc](multi-catalog)add krb and some certificates FAQs (#28858)
    
    add some security docs
---
 docs/en/docs/lakehouse/faq.md                      | 18 ++++++++++++++++++
 docs/en/docs/lakehouse/multi-catalog/hive.md       |  2 ++
 docs/en/docs/lakehouse/multi-catalog/iceberg.md    |  2 ++
 docs/zh-CN/docs/lakehouse/faq.md                   | 19 +++++++++++++++++++
 docs/zh-CN/docs/lakehouse/multi-catalog/hive.md    |  2 ++
 docs/zh-CN/docs/lakehouse/multi-catalog/iceberg.md |  2 ++
 6 files changed, 45 insertions(+)

diff --git a/docs/en/docs/lakehouse/faq.md b/docs/en/docs/lakehouse/faq.md
index ee441961c96..3b20fa878c2 100644
--- a/docs/en/docs/lakehouse/faq.md
+++ b/docs/en/docs/lakehouse/faq.md
@@ -27,6 +27,19 @@ under the License.
 
 # FAQ
 
+## Certificates
+
+1. If an error is reported: `curl 77: Problem with the SSL CA cert.`, need 
update your certificate.
+   - Download the latest certificate from 
`https://curl.haxx.se/docs/caextract.html`.
+   - Place the downloaded cacert-xxx.pem in the `/etc/ssl/certs/` directory. 
For example: `sudo cp cacert-xxx.pem  /etc/ssl/certs/ca-certificates.crt`.
+
+2. If an error is reported: `ERROR 1105 (HY000): errCode = 2, detailMessage = 
(x.x.x.x)[CANCELLED][INTERNAL_ERROR]error setting certificate verify locations: 
 CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none`.
+
+```
+yum install -y ca-certificates
+ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
/etc/ssl/certs/ca-certificates.crt
+```
+
 ## Kerberos
 
 
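Review bot: In item 1 of the new Certificates section, `sudo cp cacert-xxx.pem  /etc/ssl/certs/ca-certificates.crt` overwrites the system-wide CA bundle with a manually downloaded file, and the steps include neither an integrity check on the download nor a backup of the existing bundle. Suggest adding a step to verify the file against a published checksum and to keep a copy of the old `ca-certificates.crt` before replacing it. Item 2 shows only the error and a code block, with no sentence saying what the commands do or that they assume a yum-based system; `ln -s` will also fail if `/etc/ssl/certs/ca-certificates.crt` already exists, which is the path item 1 tells the reader to create. Wording: "need update your certificate" should read "you need to update your certificate".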
@@ -58,6 +71,11 @@ under the License.
     - The principal used must exist in the klist, use `klist -kt your.keytab` 
to check.
     - Ensure the catalog configuration correct, such as missing the 
`yarn.resourcemanager.principal`.
     - If the preceding checks are correct, the JDK version installed by yum or 
other package-management utility in the current system maybe have an 
unsupported encryption algorithm. It is recommended to install JDK by yourself 
and set `JAVA_HOME` environment variable.
+    - Kerberos uses AES-256 by default for encryption. If you use Oracle JDK, 
you must install JCE. In the case of OpenJDK, some distributions of OpenJDK 
automatically provide the JCE Unlimited Strength Jurisdiction Policy Files, so 
it's not need to install JCE.
+    - The JCE version corresponds to the JDK version. You need to select the 
JCE according to the JDK version. Download the JCE zip package and decompress 
it into `$JAVA_HOME/jre/lib/security`:
+       - 
JDK6:[JCE6](http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html)
+       - 
JDK7:[JCE7](http://www.oracle.com/technetwork/java/embedded/embedded-se/downloads/jce-7-download-432124.html)
+       - 
JDK8:[JCE8](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
 
 5. An error is reported when using KMS to access HDFS: 
`java.security.InvalidKeyException: Illegal key size`
    
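Review bot: The three JCE links in the added bullets use plain `http://`, and the reader is told to unpack the download into `$JAVA_HOME/jre/lib/security`, so files that control the JVM's crypto policy would be fetched over an unauthenticated channel; please switch the links to `https://`. The first added bullet says "some distributions of OpenJDK" provide the policy files but gives the reader no way to tell whether theirs does; a one-line check would help, and it could cross-reference item 5 below (`Illegal key size`), which looks like the same missing-policy symptom. Wording: "it's not need to install JCE" should be "there is no need to install JCE".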
diff --git a/docs/en/docs/lakehouse/multi-catalog/hive.md 
b/docs/en/docs/lakehouse/multi-catalog/hive.md
index 754c3954f52..25fddea1250 100644
--- a/docs/en/docs/lakehouse/multi-catalog/hive.md
+++ b/docs/en/docs/lakehouse/multi-catalog/hive.md
@@ -168,6 +168,8 @@ CREATE CATALOG hive PROPERTIES (
 
 ### Hive With Glue
 
+> When connecting Glue, if it's not on the EC2 environment, need copy the 
`~/.aws` from the EC2 environment to the current environment. And can also 
download and configure the [AWS Cli 
tools](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html),
 which also creates the `.aws` directory under the current user directory.
+
 ```sql
 CREATE CATALOG hive PROPERTIES (
     "type"="hms",
diff --git a/docs/en/docs/lakehouse/multi-catalog/iceberg.md 
b/docs/en/docs/lakehouse/multi-catalog/iceberg.md
index 2baa05770ff..07325114ca1 100644
--- a/docs/en/docs/lakehouse/multi-catalog/iceberg.md
+++ b/docs/en/docs/lakehouse/multi-catalog/iceberg.md
@@ -96,6 +96,8 @@ CREATE CATALOG iceberg PROPERTIES (
 
 #### AWS Glue
 
+> When connecting Glue, if it's not on the EC2 environment, need copy the 
`~/.aws` from the EC2 environment to the current environment. And can also 
download and configure the [AWS Cli 
tools](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html),
 which also creates the `.aws` directory under the current user directory.
+
 ```sql
 CREATE CATALOG glue PROPERTIES (
     "type"="iceberg",
diff --git a/docs/zh-CN/docs/lakehouse/faq.md b/docs/zh-CN/docs/lakehouse/faq.md
index 8651784e2e8..7c608eb61ae 100644
--- a/docs/zh-CN/docs/lakehouse/faq.md
+++ b/docs/zh-CN/docs/lakehouse/faq.md
@@ -27,6 +27,19 @@ under the License.
 
 # 常见问题
 
+## 证书问题
+
+1. 查询时报错 `curl 77: Problem with the SSL CA cert.`。说明当前系统证书过旧,需要更新本地证书。
+   - 可以从 `https://curl.haxx.se/docs/caextract.html` 下载最新的CA证书。
+   - 将下载后的cacert-xxx.pem放到`/etc/ssl/certs/`目录,例如:`sudo cp cacert-xxx.pem  
/etc/ssl/certs/ca-certificates.crt`。
+
+2. 查询时报错:`ERROR 1105 (HY000): errCode = 2, detailMessage = 
(x.x.x.x)[CANCELLED][INTERNAL_ERROR]error setting certificate verify locations: 
 CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none`.
+
+```
+yum install -y ca-certificates
+ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 
/etc/ssl/certs/ca-certificates.crt
+```
+
 ## Kerberos
 
 1. 连接 Kerberos 认证的 Hive Metastore 报错:`GSS initiate failed`
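Review bot: The Chinese item 1 carries an explanation the English version lacks (`说明当前系统证书过旧`, i.e. the system certificates are out of date), while item 2 here gives only the error and the commands with no instruction sentence; the two language versions should carry the same content, and item 2 should say what the commands do. Item 2 also ends with a half-width `.` where item 1 uses `。`.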
@@ -58,6 +71,12 @@ under the License.
     - 用到的principal必须在klist中存在,使用`klist -kt your.keytab`检查。
     - 检查catalog配置是否正确,比如漏配`yarn.resourcemanager.principal`。
     - 若上述检查没问题,则当前系统yum或者其他包管理软件安装的JDK版本存在不支持的加密算法,建议自行安装JDK并设置`JAVA_HOME`环境变量。
+    - Kerberos默认使用AES-256来进行加密。如果使用Oracle 
JDK,则必须安装JCE。如果是OpenJDK,OpenJDK的某些发行版会自动提供无限强度的JCE,因此不需要安装JCE。
+    - 
JCE与JDK版本是对应的,需要根据JDK的版本来选择JCE版本,下载JCE的zip包并解压到`$JAVA_HOME/jre/lib/security`目录下:
+      - 
JDK6:[JCE6](http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html)
+      - 
JDK7:[JCE7](http://www.oracle.com/technetwork/java/embedded/embedded-se/downloads/jce-7-download-432124.html)
+      - 
JDK8:[JCE8](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
+
 
 5. 使用 KMS 访问 HDFS 时报错:`java.security.InvalidKeyException: Illegal key size`
 
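Review bot: The last added line of this hunk is an empty `+` line, which leaves two blank lines before item 5 and is why this hunk is `+71,12` while the English one is `+71,11` (19 versus 18 insertions in the diffstat); drop it. The nested JDK6/JDK7/JDK8 bullets are indented by six spaces here and seven in the English file, and the JCE links use plain `http://` and should be `https://`.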
diff --git a/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md 
b/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
index 16f4565522a..e75977c25f4 100644
--- a/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
+++ b/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
@@ -168,6 +168,8 @@ CREATE CATALOG hive PROPERTIES (
 
 ### Hive With Glue
 
+> 连接Glue时,如果是在非EC2环境,需要将EC2环境里的 `~/.aws` 目录拷贝到当前环境里。也可以下载[AWS 
Cli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)工具进行配置,这种方式也会在当前用户目录下创建`.aws`目录。
+
 ```sql
 CREATE CATALOG hive PROPERTIES (
     "type"="hms",
diff --git a/docs/zh-CN/docs/lakehouse/multi-catalog/iceberg.md 
b/docs/zh-CN/docs/lakehouse/multi-catalog/iceberg.md
index 3e6a4826d02..9bf61f6d9f7 100644
--- a/docs/zh-CN/docs/lakehouse/multi-catalog/iceberg.md
+++ b/docs/zh-CN/docs/lakehouse/multi-catalog/iceberg.md
@@ -96,6 +96,8 @@ CREATE CATALOG iceberg PROPERTIES (
 
 #### AWS Glue
 
+> 连接Glue时,如果是在非EC2环境,需要将EC2环境里的 `~/.aws` 目录拷贝到当前环境里。也可以下载[AWS 
Cli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)工具进行配置,这种方式也会在当前用户目录下创建`.aws`目录。
+
 ```sql
 CREATE CATALOG glue PROPERTIES (
     "type"="iceberg",

