@zhangyy 2021-01-07T13:11:18.000000Z 字数 1944 阅读 141

CDH6.3.2 集成 Freeipa 的kerberos

大数据运维专栏

一：系统环境

二：CDH6.3.2 集成freeipa 的Kerberos

一：系统环境

1.2 系统配置

要求大数据的所有主机注入到FreeIPA当中
cdh 最低版本为CDH6.3.2 版本

image_1eh1ndtgq17r513njk5ivuf1oci9.png-309.9kB

二：CDH6.3.2 集成freeipa 的Kerberos

2.1 修改Kerberos 的 krb5.conf 文件

vim /etc/krb5.conf 
----
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
  default_realm = VPC.UNIONDRUG.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  renew_lifetime = 7d
  renewable = true
#  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  VPC.UNIONDRUG.COM = {
    kdc = rc07bigdata.vpc.uniondrug.com:88
    master_kdc = rc07bigdata.vpc.uniondrug.com:88
    admin_server = rc07bigdata.vpc.uniondrug.com:749
    kpasswd_server = rc07bigdata.vpc.uniondrug.com:464
    default_domain = vpc.uniondrug.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
[domain_realm]
  .vpc.uniondrug.com = VPC.UNIONDRUG.COM
  vpc.uniondrug.com = VPC.UNIONDRUG.COM
  rc01bigdata.vpc.uniondrug.com = VPC.UNIONDRUG.COM
-----
  renew_lifetime = 7d
  renewable = true
#  default_ccache_name = KEYRING:persistent:%{uid}  
所有大数据主机节点注释掉这行

image_1eh1nkfl7qupe1e6uu1f6o10n716.png-140.7kB

2.2 在FreeIPA 当中创建cdh的管理角色

创建一个cloudera-role的角色

image_1egkn1126mk618gh1a53d5012p513.png-571kB

为cloudera-role 创建权限

image_1egkn3pg57sm1da410v7jse9qe1g.png-176kB

image_1egkn71ne1j8sl1bqqm1egr1fcf1t.png-225kB

在FreeIPA上创建一个cloudera-scm的用户
密码为：cloudera-scm

image_1egknb54j1k041qb1jal1vp81rn32a.png-215.6kB

点击“角色” 为 cloudera-scm 添加角色

image_1egkncfq713gejcc1g9s1isb1b722n.png-350.8kB

image_1egknegg5ikk14k110s1cto1bb734.png-146.5kB

image_1eh20sj8h1ep81b741lbk1pel105c9.png-224.6kB

在节点上面添加测试 cloudera-scm 的Kerberos  账号

image_1eh20um2q5qf1g9cldvhpn1epom.png-139.6kB

添加所有DNS 解析到 freeIPA 当中

image_1eh21dgmfk041dad2op1j4uqav13.png-191.8kB

image_1eh21e8d110f8l97p3v1vvu1l9m1g.png-210.9kB

2.3 在cdh6.3.2 启用 FreeIPA 角色

登陆CM，进入Administration->Security，准备启动安全

image_1eid0ljjs1fb511s21ufm5r92f39.png-463.6kB

image_1eid0mc2dcfg154mc4u11pi5qam.png-179kB

在设置KDC页面中，KDC Type选择Redhat IPA，然后依次填写配置相关的KDC信息，包括类型、KDC服务器、KDC Realm、加密类型以及待创建的Service Principal（hdfs，yarn,，hbase，hive等）的更新生命期等，填写完成后点击下一步

image_1eid0na8nvkd3iupl1olpi6d13.png-471.5kB

image_1eid0p4qvhg219es1hhn1adh11km1g.png-227.9kB

image_1eid0rnv91i8136o1j0s19fu1vqa1t.png-186kB

image_1eid0snck167u1c05aht15316t82a.png-203.6kB

image_1eid0tgb91qsd1m091k8o1qhc9ms2n.png-148.8kB

image_1eid0u8r79si1sdrkd91lccpod34.png-322.8kB

image_1eid0urho1jle139p1gu71tm9v573h.png-275.7kB

image_1eida1pt115tpc9jft8ltpm809.png-315.9kB

image_1eida2p1d19v52b6705qlsj3tm.png-158kB

FreeIPA  会在服务器上面 生成 kerberos 的所有的principals

image_1eh154mmkftk1o1j17ut18oiadm37.png-314.7kB

image_1eh13ilrj3er1ovj1bl71t3n2ss20.png-260.1kB

这个报错的解决方法：
        ipa service-allow-retrieve-keytab HTTP/master02.health.bigdata.com@REALM  --users=cmadmin-21cba8ff

image_1erdk1mmh1rbdcrkvc15up1b2j9.png-830.5kB

导出所有的常用大数据角色的prinicipals 
kadmin.local
xst -kt /root/cdh.keytab -norandkey hdfs/rc01bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM
xst -kt /root/cdh.keytab -norandkey hive/rc02bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM
xst -kt /root/cdh.keytab -norandkey
impala/rc01bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM

image_1eh1505tu17dkqjuoc71rqdgio2d.png-563.5kB

image_1eh150s5f53i5kr7hq1np31ge82q.png-454.1kB