cdh5.12.2 开启kerberos认证

大数据平台构建

一： kdc 服务的安装与配置

1.1 安装kdc服务

 # yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y

1.2 配置kdc 服务

vim /etc/krb5.conf
---
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 udp_preference_limit = 1
 kdc_timeout = 3000
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }
[domain_realm]
 .node01.yangyang.com = GEMS.COM
 node01.yangyang.com = GEMS.COM

1.3 修改/var/kerberos/krb5kdc/kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@GEMS.COM        *

1.4 修改/var/kerberos/krb5kdc/kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d
  max_life = 1d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable, +forwardable
 }

1.5 创建Kerberos数据库

# kdb5_util create -r GEMS.COM -s
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password. 
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:
---
输入认证的密码为： GEMS.COM

1.6 创建Kerberos的管理账号

# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local:  addprinc admin/admin@GEMS.COM 
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM":  [输入密码]
Re-enter password for principal "admin/admin@GEMS.COM":  [输入密码]
Principal "admin/admin@GEMS.COM" created.
kadmin.local: exit 

1.7 启动krb5 的 服务

service krb5kdc start 
service kadmin start 
chkconfig krb5kdc on 
chkconfig kadmin on 

1.8 测试kerberos 的管理员账号

kinit admin/admin@GEMS.COM
---> 输入密码：admin
# klist 

二：集群所有节点安装Kerberos客户端(包括CM)

全部节点都要安装：
yum -y install krb5-libs krb5-workstation （所有节点都要安装）
CM节点安装额外组件
yum -y install openldap-clients （kdc-server 节点安装）

2.1 节点同步krb5.conf 文件

scp /etc/krb5.conf  node02:/etc 
scp /etc/krb5.conf  node03:/etc 

三： CDH集群启用Kerberos

3.1 配置jdk 的 jce_policy-8.zip

# unzip jce_policy-8.zip
# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/

3.2 打开CM 的 界面配置启用kerberos

• 3.2.1 配置jdk 的目录：
  
  

• 3.2.2 KDC添加Cloudera Manager管理员账号

kadmin.local
---
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local:  addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码] 
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码]
Principal "cloudera-scm/admin@GEMS.COM" created.
密码为： Cloudera-scm 
---

• 3.2.3 启用kerberos