@zhangyy 2021-01-07T13:11:18.000000Z Words: 1944 Reads: 141

CDH 6.3.2 integration with FreeIPA Kerberos

Big Data Operations column


  • 1: System environment
  • 2: Integrating CDH 6.3.2 with FreeIPA Kerberos

1: System environment

1.2 System configuration

  1. All big-data hosts must be enrolled in FreeIPA.
  2. The minimum CDH version is CDH 6.3.2.



2: Integrating CDH 6.3.2 with FreeIPA Kerberos

2.1 Modify the Kerberos krb5.conf file

Edit the file with `vim /etc/krb5.conf`:

```
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = VPC.UNIONDRUG.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  renew_lifetime = 7d
  renewable = true
  # default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  VPC.UNIONDRUG.COM = {
    kdc = rc07bigdata.vpc.uniondrug.com:88
    master_kdc = rc07bigdata.vpc.uniondrug.com:88
    admin_server = rc07bigdata.vpc.uniondrug.com:749
    kpasswd_server = rc07bigdata.vpc.uniondrug.com:464
    default_domain = vpc.uniondrug.com
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .vpc.uniondrug.com = VPC.UNIONDRUG.COM
  vpc.uniondrug.com = VPC.UNIONDRUG.COM
  rc01bigdata.vpc.uniondrug.com = VPC.UNIONDRUG.COM
```

Comment out the `default_ccache_name` line on all big-data host nodes, so that this part of `[libdefaults]` reads:

```
  renew_lifetime = 7d
  renewable = true
  # default_ccache_name = KEYRING:persistent:%{uid}
```
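As an added check (example code written for this post, not part of it), the following parses a krb5.conf and reports the settings this step cares about: an active `default_ccache_name = KEYRING:...` line (Hadoop's Java Kerberos clients cannot read kernel keyring caches), a wrong `default_realm`, a realm without `kdc`/`admin_server`, and a missing `[domain_realm]` mapping. The sample configs are constructed; `EXAMPLE.TEST` and `ipa.example.test` are placeholders.

```python
import re

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] -> {key: value}; 'NAME = { ... }' nests a dict."""
    conf, stack = {}, []                      # stack: dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, val = (p.strip() for p in line.partition("="))
        if val == "{":
            stack.append(stack[-1].setdefault(key, {}))
        elif stack:
            stack[-1][key] = val
    return conf

def check_krb5_conf(text, realm):
    """Return a list of findings; an empty list means the node is ready for CDH Kerberos."""
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    if lib.get("default_realm") != realm:
        findings.append(f"default_realm is {lib.get('default_realm')!r}, expected {realm!r}")
    if lib.get("default_ccache_name", "").startswith("KEYRING:"):
        findings.append("default_ccache_name uses KEYRING; Hadoop cannot read it, comment it out")
    realm_cfg = conf.get("realms", {}).get(realm, {})
    for k in ("kdc", "admin_server"):
        if k not in realm_cfg:
            findings.append(f"[realms] {realm} lacks {k}")
    if realm not in conf.get("domain_realm", {}).values():
        findings.append(f"[domain_realm] has no mapping to {realm}")
    return findings

# Constructed sample: the KEYRING line still active, as ipa-client-install writes it.
SAMPLE_KEYRING = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  admin_server = ipa.example.test:749
 }
[domain_realm]
 .example.test = EXAMPLE.TEST
"""
# Same file after the line is commented out, as this step requires.
SAMPLE_FIXED = SAMPLE_KEYRING.replace(" default_ccache_name", " # default_ccache_name")
```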


2.2 Create the CDH admin role in FreeIPA

  1. Create a role named cloudera-role.
  2. Create the privileges for cloudera-role.
  3. Create a user cloudera-scm in FreeIPA, with the password cloudera-scm.
  4. Click "Roles" and add the role to the cloudera-scm user.
  5. On a node, add and test the cloudera-scm Kerberos account.
  6. Add DNS resolution for all hosts to FreeIPA.


2.3 Enable the FreeIPA role in CDH 6.3.2

  1. Log in to CM, go to Administration -> Security, and prepare to enable security.
  2. On the Setup KDC page, choose Redhat IPA as the KDC Type, then fill in the KDC settings in order: type, KDC server, KDC realm, encryption types, and the renewal lifetime of the service principals to be created (hdfs, yarn, hbase, hive, etc.). When done, click Next.
  3. FreeIPA generates all of the Kerberos principals on the server.
  4. How to fix the error that appears at this point:

```
ipa service-allow-retrieve-keytab HTTP/master02.health.bigdata.com@REALM --users=cmadmin-21cba8ff
```

  5. Export the principals of all commonly used big-data roles:

```
kadmin.local
xst -kt /root/cdh.keytab -norandkey hdfs/rc01bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM
xst -kt /root/cdh.keytab -norandkey hive/rc02bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM
xst -kt /root/cdh.keytab -norandkey impala/rc01bigdata.vpc.uniondrug.com@VPC.UNIONDRUG.COM
```

