@zhangyy 2020-02-28T16:35:11.000000Z  Word count: 3449  Reads: 142

Enabling Kerberos authentication on CDH 5.12.2

Big data platform construction


1: Installing and configuring the KDC service

1.1 Install the KDC service

```
# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
```


1.2 Configure the KDC service

vim /etc/krb5.conf

```ini
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 udp_preference_limit = 1
 kdc_timeout = 3000
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }
[domain_realm]
 .node01.yangyang.com = GEMS.COM
 node01.yangyang.com = GEMS.COM
```

Notes on these settings:

- `udp_preference_limit = 1` makes clients use TCP for every KDC exchange, which avoids truncation of the large tickets Hadoop services carry; `kdc_timeout` is in milliseconds.
- `default_ccache_name` is commented out on purpose: Java, and therefore every CDH daemon and client, cannot read a KEYRING credential cache, so the default FILE cache (/tmp/krb5cc_<uid>) must stay in effect.
- The three enctype lines pin the realm to rc4-hmac. That was a common workaround for JDKs without the unlimited JCE policy, but RC4-HMAC is deprecated for Kerberos (RFC 8429). Because section 3.1 installs the unlimited policy anyway, set these lines to `aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96` (and keep `supported_enctypes` in kdc.conf consistent with them), or drop the three lines and let the library defaults apply.
- `[domain_realm]` maps only node01. With a single realm that is also `default_realm`, node02 and node03 still resolve, but the conventional entry is `.yangyang.com = GEMS.COM`, which covers every host in the domain.

1.3 Edit /var/kerberos/krb5kdc/kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl

```
*/admin@GEMS.COM *
```

This single line grants every principal whose instance is `admin` (admin/admin created in 1.6, cloudera-scm/admin created in 3.2) all permissions on kadmind. Keep the `admin` instance reserved for administrators, since any principal named `*/admin` in this realm inherits these rights.


1.4 Edit /var/kerberos/krb5kdc/kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf

```ini
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d
  max_life = 1d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable, +forwardable
 }
```

`max_renewable_life = 7d` together with `+renewable` in `default_principal_flags` is what lets long-running Hadoop daemons renew their tickets; Cloudera Manager requires a non-zero `max_renewable_life`. `supported_enctypes` still lists single DES (withdrawn by RFC 6649) as well as DES3 and RC4 (RFC 8429); trim it to `aes256-cts:normal aes128-cts:normal` so that it matches krb5.conf. `dict_file` is consulted only for principals that have a password policy attached, so the "no policy specified" warnings seen in the kadmin steps below also mean no dictionary check was applied.


1.5 Create the Kerberos database

```
# kdb5_util create -r GEMS.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
```

The master password entered here is: GEMS.COM

`-s` writes a stash file (/var/kerberos/krb5kdc/.k5.GEMS.COM) so the KDC can start unattended. Anyone who can read that file and the database can derive every key in the realm, so use a strong random passphrase rather than the realm name, and restrict root access on the KDC host accordingly.


1.6 Create the Kerberos admin account

```
# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local: addprinc admin/admin@GEMS.COM
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM": [enter password]
Re-enter password for principal "admin/admin@GEMS.COM": [enter password]
Principal "admin/admin@GEMS.COM" created.
kadmin.local: exit
```

admin/admin matches the `*/admin@GEMS.COM` entry in kadm5.acl, so once kadmin is running it can administer the realm remotely over port 749 with only this password.


1.7 Start the krb5 services

```
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on
```

On CentOS/RHEL 7 the equivalent is `systemctl enable krb5kdc kadmin` followed by `systemctl start krb5kdc kadmin`.

1.8 Test the Kerberos admin account

```
kinit admin/admin@GEMS.COM
---> enter the password: admin
# klist
```

klist should show a ticket for krbtgt/GEMS.COM@GEMS.COM; `klist -e` additionally prints the encryption type the KDC actually issued, which is the quickest way to confirm the enctype settings above took effect.
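Before running `kdb5_util create`, it is worth checking the two configuration files from sections 1.2 and 1.4 against each other. The script below is an added example, not part of the original post: it audits the enctype lists of a krb5.conf / kdc.conf pair for deprecated types and confirms that `default_realm` has a `[realms]` stanza. It works on the text only, so it runs without the krb5 tools. The sample files it writes (the `SAMPLE_*` paths and their contents) are constructed here from the page's settings and from a corrected AES-only variant; they are this example's own, as are the function names.

```shell
#!/bin/sh
# Added example (not from the original post): audit the enctype and realm settings
# of a krb5.conf / kdc.conf pair before creating the KDC database. Pure text
# checks, so no krb5 tools are needed. SAMPLE_* paths and contents are constructed.

# get_setting FILE KEY: print the value of the first uncommented "KEY = value" line.
get_setting() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# weak_enctypes "et1 et2 ...": print every enctype deprecated by RFC 6649 (single DES)
# or RFC 8429 (3DES, RC4); kdc.conf salt suffixes such as ":normal" are stripped first.
weak_enctypes() {
    for et in $1; do
        et=${et%%:*}
        case "$et" in
            rc4-hmac|arcfour-hmac|arcfour-hmac-md5|des3-hmac-sha1|des3-cbc-sha1|des-*) echo "$et" ;;
        esac
    done
}

# audit_krb5 KRB5_CONF KDC_CONF: print one WEAK line per offending enctype and
# return 1 if any was found, 0 if only AES/Camellia types are allowed.
audit_krb5() {
    status=0
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        for et in $(weak_enctypes "$(get_setting "$1" "$key")"); do
            echo "WEAK  $1: $key allows $et"
            status=1
        done
    done
    for et in $(weak_enctypes "$(get_setting "$2" supported_enctypes)"); do
        echo "WEAK  $2: supported_enctypes allows $et"
        status=1
    done
    return $status
}

# realm_consistent KRB5_CONF: 0 if default_realm has a matching [realms] stanza.
realm_consistent() {
    realm=$(get_setting "$1" default_realm)
    [ -n "$realm" ] && grep -q "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*{" "$1"
}

SAMPLE_DIR=$(mktemp -d)
SAMPLE_KRB5=$SAMPLE_DIR/krb5.conf
SAMPLE_KDC=$SAMPLE_DIR/kdc.conf
SAMPLE_KRB5_FIXED=$SAMPLE_DIR/krb5.fixed.conf
SAMPLE_KDC_FIXED=$SAMPLE_DIR/kdc.fixed.conf

# Constructed sample: the relevant lines of the krb5.conf and kdc.conf from sections 1.2 and 1.4.
cat > "$SAMPLE_KRB5" <<'EOF'
[libdefaults]
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }
EOF
cat > "$SAMPLE_KDC" <<'EOF'
[realms]
 GEMS.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# Constructed sample: the same files restricted to AES, which the unlimited JCE
# policy installed in section 3.1 makes usable by the CDH JVMs.
cat > "$SAMPLE_KRB5_FIXED" <<'EOF'
[libdefaults]
 default_realm = GEMS.COM
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
 }
EOF
cat > "$SAMPLE_KDC_FIXED" <<'EOF'
[realms]
 GEMS.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF

# Stand-alone run: report on both pairs (one WEAK line per offending enctype).
for pair in "$SAMPLE_KRB5 $SAMPLE_KDC" "$SAMPLE_KRB5_FIXED $SAMPLE_KDC_FIXED"; do
    set -- $pair
    if audit_krb5 "$1" "$2" && realm_consistent "$1"; then
        echo "OK    $1 + $2"
    else
        echo "FIX   $1 + $2 before running kdb5_util create"
    fi
done
```

Run it against the real files with `audit_krb5 /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf` after sourcing the functions; the page's settings produce eight WEAK lines (three rc4-hmac in krb5.conf, five DES/DES3/RC4 types in kdc.conf), the AES-only pair produces none.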


2: Install the Kerberos client on all cluster nodes (including CM)

All nodes:

```
yum -y install krb5-libs krb5-workstation
```

The CM Server node additionally needs the OpenLDAP client libraries:

```
yum -y install openldap-clients
```


2.1 Sync krb5.conf to the other nodes

```
scp /etc/krb5.conf node02:/etc
scp /etc/krb5.conf node03:/etc
```

Run `kinit admin/admin@GEMS.COM` on each node afterwards; a successful kinit proves the copied file, DNS/hosts resolution of node01 and port 88 reachability all work before CM starts generating keytabs.


3: Enable Kerberos on the CDH cluster

3.1 Install the JDK's jce_policy-8.zip

```
# unzip jce_policy-8.zip
# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/
```

The unlimited-strength policy files replace local_policy.jar and US_export_policy.jar so that the JVM may use AES-256 Kerberos enctypes; without them the CDH daemons cannot decrypt aes256-cts tickets. JDK 1.8.0_151 still needs this step (it also introduced the `crypto.policy` property in jre/lib/security/java.security, which has the same effect when set to `unlimited`); from 8u161 unlimited is the default. Every host that runs a CM or CDH Java process needs the files, not only the three shown here.


3.2 Enable Kerberos from the CM UI

First create the principal that Cloudera Manager will use to manage principals:

```
kadmin.local
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local: addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Principal "cloudera-scm/admin@GEMS.COM" created.
```

Password: Cloudera-scm

Because its instance is `admin`, this principal matches `*/admin@GEMS.COM` in kadm5.acl and can create the per-service principals and keytabs that the wizard generates. The rest of the procedure is the CM Enable Kerberos wizard (Administration > Security > Enable Kerberos), where the KDC host node01.yangyang.com, the realm GEMS.COM, the encryption types and the cloudera-scm/admin credentials above are entered before CM restarts the cluster.
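The reason cloudera-scm/admin needs no extra ACL entry, and the reason line order in kadm5.acl matters, can be checked offline. The script below is an added example, not part of the original post: it evaluates a kadm5.acl the way kadmind does for the principals this write-up creates, matching each principal component against the pattern component and taking the first matching line as authoritative. The sample ACL it writes is constructed here from the section 1.3 line plus a hypothetical narrower `helpdesk/admin` entry; the function names and the simplifications are this example's own (the optional target-principal and restriction fields are ignored, uppercase negative permission letters are not modelled, and every principal is assumed to carry an explicit @REALM).

```shell
#!/bin/sh
# Added example (not from the original post): evaluate kadm5.acl entries the way
# kadmind does. Simplifications (this example's own): optional target-principal and
# restriction fields are ignored, uppercase (negative) permission letters are not
# modelled, and principals are assumed to carry an explicit @REALM.

# principal_matches PATTERN PRINCIPAL: 0 if PATTERN (e.g. '*/admin@GEMS.COM') matches
# PRINCIPAL component by component, with the same number of components.
principal_matches() {
    pat_name=${1%@*}; pat_realm=${1##*@}
    who_name=${2%@*}; who_realm=${2##*@}
    case "$who_realm" in $pat_realm) ;; *) return 1 ;; esac
    while :; do
        pc=${pat_name%%/*}; wc=${who_name%%/*}
        case "$wc" in $pc) ;; *) return 1 ;; esac      # glob one component at a time
        if [ "$pat_name" = "$pc" ]; then pat_name=; else pat_name=${pat_name#*/}; fi
        if [ "$who_name" = "$wc" ]; then who_name=; else who_name=${who_name#*/}; fi
        if [ -z "$pat_name" ] && [ -z "$who_name" ]; then return 0; fi
        if [ -z "$pat_name" ] || [ -z "$who_name" ]; then return 1; fi   # component count differs
    done
}

# acl_allows ACL_FILE PRINCIPAL PERM: 0 if the first ACL line matching PRINCIPAL grants the
# single permission letter PERM (a=add, d=delete, m=modify, c=changepw, i=inquire, l=list);
# '*' or 'x' in the permissions field grants everything. No matching line means denied.
acl_allows() {
    while read -r pattern perms rest; do
        case "$pattern" in ''|'#'*) continue ;; esac
        principal_matches "$pattern" "$2" || continue
        case "$perms" in
            '*'|x) return 0 ;;
            *"$3"*) return 0 ;;
            *) return 1 ;;                              # first matching line decides
        esac
    done < "$1"
    return 1
}

ACL_DIR=$(mktemp -d)
SAMPLE_ACL=$ACL_DIR/kadm5.acl
# Constructed sample: the wildcard line from section 1.3 plus a hypothetical narrower
# entry placed before it. If the two lines were swapped, helpdesk/admin would be
# granted everything by the wildcard line first.
cat > "$SAMPLE_ACL" <<'EOF'
# hypothetical helpdesk principal: inquire and list only
helpdesk/admin@GEMS.COM   il
# the entry from section 1.3: every */admin principal gets all permissions
*/admin@GEMS.COM          *
EOF

# Stand-alone run: who may run addprinc (permission 'a') against this ACL?
for who in cloudera-scm/admin@GEMS.COM admin/admin@GEMS.COM helpdesk/admin@GEMS.COM \
           hdfs/node02.yangyang.com@GEMS.COM admin@GEMS.COM cloudera-scm/admin@OTHER.COM; do
    if acl_allows "$SAMPLE_ACL" "$who" a; then
        echo "ALLOW  addprinc  $who"
    else
        echo "DENY   addprinc  $who"
    fi
done
```

Only cloudera-scm/admin and admin/admin are allowed to add principals: the service principal hdfs/node02.yangyang.com, the single-component admin@GEMS.COM and a cloudera-scm/admin from another realm all fail to match `*/admin@GEMS.COM`, and helpdesk/admin is stopped by its own earlier line.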

[Screenshots of the CM Enable Kerberos wizard steps omitted.]
