@zhangyy 2021-11-24T17:34:25.000000Z

CDH 6.3.2 OpenLDAP integration configuration

Big-data operations column



1: Hive integration with OpenLDAP

1.1 Install the OpenLDAP client on the CDH 6.3.2 hosts

The OpenLDAP server is assumed to be already deployed and its setup is not covered here; if you need that part, see the flyfish post https://blog.51cto.com/flyfish225/4562546

Install the OpenLDAP client packages on every CDH host:

```bash
yum -y install openldap-clients sssd authconfig nss-pam-ldapd
```


Edit the client configuration file:

```bash
vim /etc/openldap/ldap.conf
```

```
BASE dc=flyfish,dc=com
URI ldap://192.168.100.14
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
```

Note that the URI is plain ldap://, so binds from this host cross the network unencrypted; TLS_CACERTDIR is only consulted for ldaps:// URIs or for STARTTLS (ldapsearch -ZZ).



Verify from the client. -x forces a simple bind (the same mode the ldapadd commands further down use); the search base is taken from BASE in ldap.conf:

```bash
ldapsearch -x -D "cn=admin,dc=flyfish,dc=com" -W | grep dn
```


1.2 Hive integration with OpenLDAP

Log in to the CM web console, open the Hive service and turn off Hive impersonation:

```properties
hive.server2.enable.doAs=false
```

With impersonation off, every HiveServer2 query runs as the hive service user, so per-user authorization has to come from Sentry rather than from HDFS file permissions.


Change the LDAP settings. Setting them at the service level makes every HiveServer2 instance use the same configuration:

```properties
# "Enable LDAP Authentication" = true, i.e. hive.server2.authentication=LDAP
hive.server2.authentication.ldap.url=ldap://192.168.100.14
hive.server2.authentication.ldap.baseDN=ou=cdh,dc=flyfish,dc=com
```

With only the base DN configured, HiveServer2 binds as uid=<login name>,ou=cdh,dc=flyfish,dc=com, so each Hive login must exist as an entry with that uid directly under ou=cdh.


Create an entry with uid=hive under ou=cdh,dc=flyfish,dc=com in OpenLDAP, so that the bind DN HiveServer2 builds for the hive user resolves.


Restart the CDH Hive service:


Login test:

```
beeline
beeline> !connect jdbc:hive2://192.168.100.11:10000
Connecting to jdbc:hive2://192.168.100.11:10000
Enter username for jdbc:hive2://192.168.100.11:10000: hive
Enter password for jdbc:hive2://192.168.100.11:10000: ******
```


2: Impala integration with OpenLDAP

Log in to the CM web console, open the Impala service and change the LDAP settings:

```properties
enable_ldap_auth=true
ldap_uri=ldap://192.168.100.14
ldap_baseDN=ou=cdh,dc=flyfish,dc=com
```

As with Hive, ldap_baseDN makes impalad bind as uid=<login name>,ou=cdh,dc=flyfish,dc=com.


Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve):

```
--ldap_passwords_in_clear_ok
```

impalad refuses to start with LDAP authentication over a plain ldap:// URI unless this flag is set, because the simple bind sends the password unencrypted. The flag only silences that check; the proper fix is an ldaps:// URI or --ldap_tls together with --ldap_ca_certificate.


Set up the impala user in OpenLDAP (uid=impala under ou=cdh, matching the bind DN pattern above)


Restart Impala


Impala login test. First with the wrong options: without -l, impala-shell does not attempt LDAP authentication and the daemon drops the connection:

```
impala-shell -i flyfishsrvs01 -u hive -d default
Error connecting: TTransportException, TSocket read 0 bytes
```


The working form adds -l (LDAP authentication) and --auth_creds_ok_in_clear, the client-side counterpart of the daemon flag. The original command passed -u twice (hive, then impala); impala-shell keeps the last value, so the effective user was impala:

```
impala-shell -i flyfishsrvs01 -d default -l -u impala --auth_creds_ok_in_clear
```

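Both HiveServer2 and impalad, configured above with only a base DN, authenticate a login by a simple bind as uid=<login name>,ou=cdh,dc=flyfish,dc=com, and both complain about cleartext because that bind carries the password unencrypted over ldap://. The following is an added example, not code from the post, CDH, Hive or Impala: a dependency-free checker that builds the same DN, encodes the LDAPv3 BindRequest by hand and decodes the BindResponse, so a user can be tested against the directory before the services are restarted, and so the encoded bytes show exactly what --ldap_passwords_in_clear_ok and --auth_creds_ok_in_clear wave through. The host, port and base DN in the main block are taken from the post and are assumptions; everything else is generic LDAP.

```python
"""Dependency-free LDAPv3 simple-bind checker (added example, not CDH code).

Builds the bind DN HiveServer2 and impalad derive when only a base DN is set
(uid=<login name>,<baseDN>), encodes the BindRequest with BER and decodes the
BindResponse. Target host/port/base DN in main() are assumed from the post.
"""
import socket
import ssl

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80  # [APPLICATION 0], [APPLICATION 1], [0]
INVALID_CREDENTIALS = 49


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def bind_dn(username, base_dn, guid_key="uid"):
    """DN that Hive/Impala bind with when no explicit DN pattern is configured."""
    return f"{guid_key}={username},{base_dn}"


def bind_request(dn, password, message_id=1):
    op = tlv(BIND_REQUEST,
             tlv(INTEGER, b"\x03")                   # LDAP protocol version 3
             + tlv(OCTET_STRING, dn.encode())
             + tlv(SIMPLE_AUTH, password.encode()))  # the password, as-is, no hashing
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + op)


def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """Return (message_id, result_code, diagnostic_message) from an LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError(f"unexpected protocolOp 0x{tag:02x}")
    _, code, pos = read_tlv(op)           # resultCode (ENUMERATED)
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, _ = read_tlv(op, pos)        # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode(errors="replace")


def bind_response(result_code, diag=b"", message_id=1):
    """Server-side encoding of a BindResponse; lets the parser be checked offline."""
    op = tlv(BIND_RESPONSE, tlv(ENUMERATED, bytes([result_code]))
             + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, diag))
    return tlv(SEQUENCE, tlv(INTEGER, bytes([message_id])) + op)


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection before a BindResponse")
        data += chunk
    return data


def recv_message(sock):
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def simple_bind(host, port, dn, password, use_tls=False, timeout=5.0):
    """Bind and return the LDAP resultCode (0 = success, 49 = invalidCredentials)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # ldaps://: same bytes, but the password no longer crosses the wire in clear
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(dn, password))
        return parse_bind_response(recv_message(sock))[1]


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "hive"
    dn = bind_dn(user, "ou=cdh,dc=flyfish,dc=com")  # assumed: the post's base DN
    rc = simple_bind("192.168.100.14", 389, dn, getpass.getpass(f"password for {dn}: "))
    print(f"bind as {dn}: resultCode {rc}")
```

Saved as, say, ldap_bind_check.py and run as `python3 ldap_bind_check.py hive` against the real server, resultCode 0 means the uid=hive entry exists under ou=cdh and the password matches, which is exactly the condition the beeline and impala-shell logins depend on; 49 (invalidCredentials) means the DN or the password is wrong. Dumping bind_request(...) with hexdump shows the password as a plain OCTET STRING, which is why the safe choice is simple_bind(..., 636, ..., use_tls=True), i.e. ldaps://, rather than the clear-password flags.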

3: Hue integration with OpenLDAP

Log in to CM as an administrator, open the Hue configuration page and change Hue's authentication method to LDAP. The order of operations matters and is walked through below: create the LDAP entries, sync them into Hue while a local superuser can still log in, and only then switch the backend.

Import the LDAP group entry:

```bash
vim group-flyfish.ldif
```

```ldif
dn: cn=flyfish,ou=Group,dc=flyfish,dc=com
objectClass: posixGroup
objectClass: top
cn: flyfish
userPassword: {SSHA}PFp8AcylmONN4ZWtfZ/dPvdfkY/a5JUo
gidNumber: 984
```

```bash
ldapadd -D "cn=admin,dc=flyfish,dc=com" -W -x -f group-flyfish.ldif
```



Import the user entry:

```bash
vim user-ldap.ldif
```

```ldif
dn: uid=flyfish,ou=People,dc=flyfish,dc=com
uid: flyfish
cn: flyfish
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}PFp8AcylmONN4ZWtfZ/dPvdfkY/a5JUo
shadowLastChange: 17493
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 987
gidNumber: 984
homeDirectory: /home/flyfish
```

```bash
ldapadd -D "cn=admin,dc=flyfish,dc=com" -W -x -f user-ldap.ldif
```


Hue LDAP authentication settings. Hue's own keys (hue.ini, [desktop] [[ldap]]) are ldap_url and base_dn, shown in CM as "LDAP URL" and "LDAP Search Base"; the Impala names ldap_uri and ldap_baseDN do not apply here:

```ini
ldap_url=ldap://192.168.100.14
base_dn=ou=cdh,dc=flyfish,dc=com
```

Check the search base against the entries you intend to sync: the flyfish user and group created above live under ou=People and ou=Group, not under ou=cdh, so a base of ou=cdh,dc=flyfish,dc=com will not find them. Either use a base that contains them (dc=flyfish,dc=com) or create the Hue users under ou=cdh.


hue_safety_valve.ini configuration (the Hue Service Advanced Configuration Snippet in CM):
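The post shows the contents of hue_safety_valve.ini only as a screenshot. The snippet below is an added example, not the post's own snippet, of what that safety valve can carry for the directory layout built above; the backend, search base and bind pattern chosen are assumptions and are marked as such in the comments. It points the bind pattern at ou=People, where the user ldif placed uid=flyfish, and widens the search base to dc=flyfish,dc=com so that user and group sync can see both ou=People and ou=Group.

```ini
[desktop]
[[auth]]
# Final state (assumed). During the first restart, while users are being synced,
# this is desktop.auth.backend.AllowFirstUserDjangoBackend as described below.
backend=desktop.auth.backend.LdapBackend

[[ldap]]
ldap_url=ldap://192.168.100.14
# Assumed: a base that contains both ou=People and ou=Group; ou=cdh alone
# would not match the flyfish entries created above.
base_dn="dc=flyfish,dc=com"
# Direct bind: Hue substitutes the login name into this pattern and binds
# with the user's own password, so no service bind account is needed.
search_bind_authentication=false
ldap_username_pattern="uid=<username>,ou=People,dc=flyfish,dc=com"
create_users_on_login=true
# Plain ldap:// carries the bind password in the clear on the network;
# use ldaps:// in ldap_url or set use_start_tls=true with ldap_cert.
use_start_tls=false

[[[users]]]
user_filter="objectClass=posixAccount"
user_name_attr=uid

[[[groups]]]
group_filter="objectClass=posixGroup"
group_name_attr=cn
group_member_attr=memberUid
```

One check before syncing: Hue resolves posixGroup membership through the attribute named in group_member_attr (memberUid here), and the group ldif above sets only gidNumber, so add memberUid: flyfish to cn=flyfish,ou=Group,dc=flyfish,dc=com if the group is expected to list its members in Hue.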


Restart Hue


After saving the settings above, and before restarting Hue, set the authentication backend to desktop.auth.backend.AllowFirstUserDjangoBackend so that the local superuser can still log in.


After the restart, log in with Hue's superuser; here the superuser is the hdfs account. Log in with this local account first (username hdfs, password hdfs) and then sync the OpenLDAP users.


Add (sync) the LDAP users now, because once LDAP authentication is enabled the local accounts can no longer log in.


Add and sync the user flyfish and grant it superuser (administrator) rights; otherwise, once Hue is switched to LDAP, the hdfs superuser can no longer be used and no administrator would remain.


Add the flyfish group


Edit the flyfish group


Switch Hue's authentication backend to LDAP (desktop.auth.backend.LdapBackend) and restart Hue


After the restart the local hdfs user can no longer log in.


Log in with the LDAP user flyfish; the flyfish account password is set to 123456. With the LDAP backend Hue checks this password by binding to the directory as uid=flyfish,ou=People,dc=flyfish,dc=com, not against anything stored in Hue's own database.


Log in to Hue with the flyfish account

