@zhangyy
2020-08-24T03:40:13.000000Z
Big Data Operations column
Part 1: How to install and configure the KDC service
Part 2: How to enable Kerberos through CDH
Part 3: How to log in to Kerberos and access Hadoop-related services
Environment:
1. Operating system: CentOS 7.5 x64
2. CDH 6.3.2
3. All operations are performed as the root user

1. Install the KDC service on the Cloudera Manager server
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

2. Edit the /etc/krb5.conf configuration
vim /etc/krb5.conf
----
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LANXIN.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LANXIN.COM = {
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }

[domain_realm]
 .lanxin.com = LANXIN.COM
 lanxin.com = LANXIN.COM
----

3. Edit the /var/kerberos/krb5kdc/kadm5.acl configuration
vim /var/kerberos/krb5kdc/kadm5.acl
----
*/admin@LANXIN.COM *
----

4. Edit the /var/kerberos/krb5kdc/kdc.conf configuration
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
----
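As an added check that is not part of the original post, the script below parses the kdc.conf from this step and flags the single-DES, 3DES and RC4 encryption types in supported_enctypes that RFC 6649 and RFC 8429 deprecate, then emits the same line with only the AES and Camellia types kept. The sample config is a constructed, abridged copy of the one above; the WEAK_ENCTYPES list and the function names are the example's own.

```python
# Single DES (RFC 6649) and triple DES / RC4 "arcfour" (RFC 8429) are deprecated Kerberos
# enctypes; offering them lets the KDC issue principal keys in breakable ciphers.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
                 "des3-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}
# Constructed, abridged copy of the kdc.conf shown in the post, used here as sample input.
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

def parse_kdc_conf(text):
    """Parse kdc.conf into {section: {key: value}}, nesting each per-realm `NAME = {` block."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line[-1] == "{":
            block = section.setdefault(line[:-1].partition("=")[0].strip(), {})
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf

def audit_enctypes(conf, realm):
    """Split the realm's supported_enctypes into (weak, acceptable) enctype names."""
    tokens = conf.get("realms", {}).get(realm, {}).get("supported_enctypes", "").split()
    names = [t.partition(":")[0] for t in tokens]  # strip the ":salt" suffix
    return [n for n in names if n in WEAK_ENCTYPES], [n for n in names if n not in WEAK_ENCTYPES]

def hardened_line(conf, realm):
    """The realm's supported_enctypes line with the weak types removed, salts preserved."""
    tokens = conf.get("realms", {}).get(realm, {}).get("supported_enctypes", "").split()
    return "supported_enctypes = " + " ".join(t for t in tokens if t.partition(":")[0] not in WEAK_ENCTYPES)

if __name__ == "__main__":
    conf = parse_kdc_conf(KDC_CONF)
    print(audit_enctypes(conf, "LANXIN.COM")[0], hardened_line(conf, "LANXIN.COM"), sep="\n")
```

Run it against your own /var/kerberos/krb5kdc/kdc.conf by passing the file contents to parse_kdc_conf; an empty weak list means the realm only offers AES and Camellia.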

5. Create the Kerberos database
kdb5_util create -r LANXIN.COM -s
(password used: LANXIN.COM)
----
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
master key name 'K/M@LANXIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
----
The Kerberos database master password is entered here.

6. Create the Kerberos administrative account admin/admin@LANXIN.COM
----
[root@dev01 ~]# kadmin.local
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:
kadmin.local: addprinc admin/admin@LANXIN.COM
WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "admin/admin@LANXIN.COM":  [the password entered is admin]
Re-enter password for principal "admin/admin@LANXIN.COM":
Principal "admin/admin@LANXIN.COM" created.
kadmin.local:
kadmin.local:
kadmin.local: list_principals
K/M@LANXIN.COM
admin/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

7. Enable the Kerberos services at boot, then start the krb5kdc and kadmin services
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin

8. Test the Kerberos administrator account
kinit admin/admin@LANXIN.COM
----
Password for admin/admin@LANXIN.COM:
[root@dev01 ~]#
[root@dev01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@LANXIN.COM

Valid starting       Expires              Service principal
05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
	renew until 06/02/2020 16:26:36
----

9. Install the Kerberos client on every node of the cluster, including Cloudera Manager
yum -y install krb5-libs krb5-workstation

10. Install the additional package on the Cloudera Manager Server host
yum -y install openldap-clients

11. Copy the krb5.conf file from the KDC server to all Kerberos clients
scp /etc/krb5.conf root@192.168.11.161:/etc
scp /etc/krb5.conf root@192.168.11.162:/etc

Part 2: Enabling Kerberos on the CDH cluster
1. In the KDC, add the administrative account cloudera/admin@LANXIN.COM for Cloudera Manager
----
[root@dev01 ~]# kadmin.local
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local: addprinc cloudera/admin@LANXIN.COM
WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "cloudera/admin@LANXIN.COM":  [password: cloudera]
Re-enter password for principal "cloudera/admin@LANXIN.COM":
Principal "cloudera/admin@LANXIN.COM" created.
kadmin.local: list_principals
K/M@LANXIN.COM
admin/admin@LANXIN.COM
cloudera/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

Use the xst -k command to export all principals into a single keytab, /etc/devcdh.keytab, for testing:
kadmin.local
xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM
xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM
xst -k /etc/devcdh.keytab hdfs/dev01.lanxintec.cn@LANXIN.COM
.......

