@zhangyy 2020-08-24T11:40:13.000000Z

Enabling Kerberos Authentication on CDH 6.3.2

Big Data Operations column


  • 1: How to install and configure the KDC service

  • 2: How to enable Kerberos through CDH

  • 3: How to log in to Kerberos and access Hadoop services


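1: How to install and configure the KDC service

1.1 System environment

  1. Operating system: CentOS 7.5 x64
  2. CDH 6.3.2
  3. All operations are performed as the root user

1.2 KDC service installation and configuration

1. Install the KDC service on the Cloudera Manager server

    yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation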


2. Edit the /etc/krb5.conf configuration

    vim /etc/krb5.conf
    ----
    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     default_realm = LANXIN.COM
     #default_ccache_name = KEYRING:persistent:%{uid}

    [realms]
     LANXIN.COM = {
      kdc = 192.168.11.160
      admin_server = 192.168.11.160
     }

    [domain_realm]
     .lanxin.com = LANXIN.COM
     lanxin.com = LANXIN.COM
    ----



3. Edit the /var/kerberos/krb5kdc/kadm5.acl configuration

    vim /var/kerberos/krb5kdc/kadm5.acl
    ----
    */admin@LANXIN.COM *
    ----


4. Edit the /var/kerberos/krb5kdc/kdc.conf configuration

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     LANXIN.COM = {
      #master_key_type = aes256-cts
      max_renewable_life = 7d 0h 0m 0s
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }



5. Create the Kerberos database

    kdb5_util create -r LANXIN.COM -s

Password: LANXIN.COM

    ----
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
    master key name 'K/M@LANXIN.COM'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:
    ----

The Kerberos database password must be entered at this prompt.


6. Create the Kerberos administrator account admin/admin@LANXIN.COM

    kadmin.local
    ----
    Authenticating as principal root/admin@LANXIN.COM with password.
    kadmin.local:
    kadmin.local: addprinc admin/admin@LANXIN.COM
    WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
    Enter password for principal "admin/admin@LANXIN.COM": [password entered: admin]
    Re-enter password for principal "admin/admin@LANXIN.COM":
    Principal "admin/admin@LANXIN.COM" created.
    kadmin.local:
    kadmin.local:
    kadmin.local: list_principals
    K/M@LANXIN.COM
    admin/admin@LANXIN.COM
    kadmin/admin@LANXIN.COM
    kadmin/changepw@LANXIN.COM
    kadmin/dev01.lanxintec.cn@LANXIN.COM
    kiprop/dev01.lanxintec.cn@LANXIN.COM
    krbtgt/LANXIN.COM@LANXIN.COM
    ----



7. Add the Kerberos services to system startup, and start the krb5kdc and kadmin services

    systemctl enable krb5kdc
    systemctl enable kadmin
    systemctl start krb5kdc
    systemctl start kadmin



8. Test the Kerberos administrator account

    kinit admin/admin@LANXIN.COM
    ----
    Password for admin/admin@LANXIN.COM:
    [root@dev01 ~]#
    [root@dev01 ~]# klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin/admin@LANXIN.COM

    Valid starting       Expires              Service principal
    05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
            renew until 06/02/2020 16:26:36
    ----


9. Install the Kerberos client on every host in the cluster, including Cloudera Manager

    yum -y install krb5-libs krb5-workstation



10. Install an additional package on the Cloudera Manager Server host

    yum -y install openldap-clients



11. Copy the krb5.conf file from the KDC server to all Kerberos clients

    scp /etc/krb5.conf root@192.168.11.161:/etc
    scp /etc/krb5.conf root@192.168.11.162:/etc
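
The supported_enctypes line in the kdc.conf from step 4 lists single-DES, 3DES and RC4 (arcfour) enctypes alongside AES and Camellia. The check below is an added example, not part of the original post: it reports such entries per realm in a kdc.conf-style file. The function names and the weak-enctype pattern are assumptions of this example, and the sample input is the stanza shown in step 4.

```shell
#!/usr/bin/env bash
# Added example: report weak enctypes in supported_enctypes of a kdc.conf.
# Assumption of this example: single DES, 3DES and RC4 (arcfour) count as weak.
WEAK_ENCTYPES='^(des|des3|arcfour|rc4)(-|$)'

# Print one "REALM enctype" line per weak entry found in the file "$1".
weak_enctypes() {
    awk -v weak="$WEAK_ENCTYPES" '
        /^[ \t]*#/ { next }                        # commented-out settings
        /^[ \t]*[A-Za-z0-9._-]+[ \t]*=[ \t]*[{]/ { # "REALM = {" opens a realm
            realm = $0
            gsub(/^[ \t]+|[ \t]*=.*$/, "", realm)
            next
        }
        /^[ \t]*[}]/ { realm = ""; next }          # end of the realm block
        /^[ \t]*supported_enctypes[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")               # keep only the value
            n = split($0, items, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                split(items[i], part, ":")         # enctype:salttype
                if (tolower(part[1]) ~ weak) print realm, part[1]
            }
        }
    ' "$1"
}

# The kdc.conf content from step 4 of this page, used as sample input.
sample_kdc_conf() {
    cat <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

conf=$(mktemp)
sample_kdc_conf > "$conf"
weak_enctypes "$conf"    # on the KDC: weak_enctypes /var/kerberos/krb5kdc/kdc.conf
rm -f "$conf"
```

An empty result means the realm offers only AES and Camellia enctypes; the list applies to keys created after the setting is changed, so existing principals keep their old keys until they are re-keyed.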


2: Enabling Kerberos on the CDH cluster

1. Add an administrator account for Cloudera Manager in the KDC: cloudera/admin@LANXIN.COM

    ----
    [root@dev01 ~]# kadmin.local
    Authenticating as principal root/admin@LANXIN.COM with password.
    kadmin.local: addprinc cloudera/admin@LANXIN.COM
    WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
    Enter password for principal "cloudera/admin@LANXIN.COM": [password: cloudera]
    Re-enter password for principal "cloudera/admin@LANXIN.COM":
    Principal "cloudera/admin@LANXIN.COM" created.
    kadmin.local: list_principals
    K/M@LANXIN.COM
    admin/admin@LANXIN.COM
    cloudera/admin@LANXIN.COM
    kadmin/admin@LANXIN.COM
    kadmin/changepw@LANXIN.COM
    kadmin/dev01.lanxintec.cn@LANXIN.COM
    kiprop/dev01.lanxintec.cn@LANXIN.COM
    krbtgt/LANXIN.COM@LANXIN.COM
    ----



2. In Cloudera Manager, open the "Administration" -> "Security" page


Use the xst -k command to export all principals into a single keytab, /etc/devcdh.keytab, for testing

    kadmin.local
    xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM
    xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM
    xst -k /etc/devcdh.keytab hdfs/dev01.lanxintec.cn@LANXIN.COM
    .......


