CDH集群启用Kerberos

一、安装kdc

1.在集群中找台机器安装KDC

yum install krb5-server krb5-libs krb5-workstation

如果您的机器不能联网请使用rpm包安装：

这台机器自带了kerberos client的两个包，需要先升级再安装server

[root@bigdata27 ~]# rpm -qa | grep krb
krb5-workstation-1.10.3-10.el6_4.6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
python-krbV-1.0.90-3.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
[root@bigdata27 ~]# rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm 
warning: krb5-libs-1.10.3-57.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing...                ########################################### [100%]
   1:krb5-libs              ########################################### [50%]
   2:krb5-workstation       ########################################### [100%]
[root@bigdata27 ~]# rpm -qa | grep krb
krb5-libs-1.10.3-57.el6.x86_64
python-krbV-1.0.90-3.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-57.el6.x86_64
[root@bigdata27 ~]# rpm -ivh krb5-server-1.10.3-57.el6.x86_64.rpm 
warning: krb5-server-1.10.3-57.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing...                ########################################### [100%]
   1:krb5-server            ########################################### [100%]

2.增加主机名与IP映射（别忘了发给其它节点）

[root@bigdata27 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.19.6.26    bigdata26
172.19.6.27    bigdata27
172.19.6.28    bigdata28
172.19.6.29    bigdata29
172.19.6.30    bigdata30

3.修改三个配置文件

第一个文件，修改[realms]里的kdc和admin_server所在主机。

[root@bigdata27 ~]# cat /etc/krb5.conf 
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AISINO.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 AISINO.COM = {
  kdc = bigdata27
  admin_server = bigdata27
 }

[domain_realm]
 .aisino.com = AISINO.COM
 aisino.com = AISINO.COM

第二个文件，前面域名改了的话这里的域名也得改，与之对应。其余保持默认

[root@bigdata27 ~]# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 AISINO.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

这里需要注意的是如果不下载安装JCE需把supported_enctypes = aes256-cts:normal中的aes256-cts:normal去掉，因为默认不支持这种加密算法。

第三个文件，没有的话手动建一个。Set up the KDC Access Control List (ACL)

[root@bigdata27 ~]# cat /var/kerberos/krb5kdc/kadm5.acl 
*/admin@AISINO.COM *

4.Copy the krb5.conf to every cluster node

[root@bigdata27 ~]# for i in {6,7,8,9};do scp /etc/krb5.conf root@172.19.6.2$i:/etc/;done

5.Use the utility kdb5_util to create the Kerberos database

[root@bigdata27 ~]# /usr/sbin/kdb5_util create -s -r AISINO.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'AISINO.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

出现 Loading random data 的时候另开个终端执行点消耗CPU的命令如 cat /dev/sda > /dev/urandom 可以加快随机数采集。

6.Start the KDC server and the KDC admin server

[root@bigdata27 ~]# service krb5kdc start
正在启动 Kerberos 5 KDC：                                  [确定]
[root@bigdata27 ~]# service kadmin start
正在启动 Kerberos 5 Admin Server：                         [确定]

7.Set up the KDC server to auto-start on boot

[root@bigdata27 ~]# chkconfig krb5kdc on
[root@bigdata27 ~]# chkconfig kadmin on

8.Create a KDC admin by creating an admin principal

[root@bigdata27 ~]# kadmin.local 
Authenticating as principal root/admin@AISINO.COM with password.
kadmin.local:  addprinc admin/admin@AISINO.COM
WARNING: no policy specified for admin/admin@AISINO.COM; defaulting to no policy
Enter password for principal "admin/admin@AISINO.COM": 
Re-enter password for principal "admin/admin@AISINO.COM": 
Principal "admin/admin@AISINO.COM" created.
kadmin.local:  listprincs 
K/M@AISINO.COM
admin/admin@AISINO.COM
kadmin/admin@AISINO.COM
kadmin/changepw@AISINO.COM
kadmin/bigdata27@AISINO.COM
krbtgt/AISINO.COM@AISINO.COM

9.Restart the kadmin process.

[root@bigdata27 ~]# service kadmin restart

10.关闭防火墙和selinux（所有节点）

[root@bigdata27 ~]# service iptables stop
iptables：将链设置为政策 ACCEPT：filter                    [确定]
iptables：清除防火墙规则：                                 [确定]
iptables：正在卸载模块：                                   [确定]
[root@bigdata27 ~]# service iptables status
iptables：未运行防火墙。
[root@bigdata27 ~]# setenforce 0 #临时关闭selinux
[root@bigdata27 ~]# vim /etc/selinux/config#永久关闭，需重启
把里边的一行改为SELINUX=disabled

11.下载JCE

补充1：
JCE（Java Cryptography Extension）是一组包，它们提供用于加密、密钥生成和协商以及 Message Authentication Code（MAC）算法的框架和实现。
它提供对对称、不对称、块和流密码的加密支持，它还支持安全流和密封的对象。它不对外出口，用它开发完成封装后将无法调用。
补充2：
If you are using Oracle JDK, you must distribute and install the JCE on all hosts in the cluster, including the Ambari Server.
Be sure to restart Ambari Server after installng the JCE. If you are using OpenJDK, some distributions of the OpenJDK come with unlimited strength JCE automatically and therefore, installation of JCE is not required.
For Oracle JDK 1.8:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

For Oracle JDK 1.7:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

12.将下载的JCE解压并覆盖$JAVA_HOME/jre/lib/security/目录下的文件（所有节点）

[root@bigdata27 ~]# unzip UnlimitedJCEPolicyJDK7.zip 
Archive:  UnlimitedJCEPolicyJDK7.zip
   creating: UnlimitedJCEPolicy/
  inflating: UnlimitedJCEPolicy/US_export_policy.jar  
  inflating: UnlimitedJCEPolicy/local_policy.jar  
  inflating: UnlimitedJCEPolicy/README.txt  
[root@bigdata27 ~]# cd UnlimitedJCEPolicy
[root@bigdata27 UnlimitedJCEPolicy]# ll
总用量 16
-rw-rw-r-- 1 root root 2500 6月   1 2011 local_policy.jar
-rw-r--r-- 1 root root 7289 6月   1 2011 README.txt
-rw-rw-r-- 1 root root 2487 6月   1 2011 US_export_policy.jar
[root@bigdata27 UnlimitedJCEPolicy]# cp *.jar /opt/java/jre/lib/security/
cp：是否覆盖"/opt/java/jre/lib/security/local_policy.jar"？ y
cp：是否覆盖"/opt/java/jre/lib/security/US_export_policy.jar"？ y
[root@bigdata27 UnlimitedJCEPolicy]# cd /opt/java/jre/lib/security/
[root@bigdata27 security]# ll
总用量 136
-rw-r--r-- 1 root root  3890 9月  30 09:55 blacklist
-rw-r--r-- 1 root root 92776 9月  30 09:55 cacerts
-rw-r--r-- 1 root root   158 9月  30 09:55 javafx.policy
-rw-r--r-- 1 root root  2593 9月  30 09:55 java.policy
-rw-r--r-- 1 root root 17838 9月  30 09:55 java.security
-rw-r--r-- 1 root root    98 9月  30 09:55 javaws.policy
-rw-r--r-- 1 root root  2500 12月  7 17:01 local_policy.jar
-rw-r--r-- 1 root root     0 9月  30 09:55 trusted.libraries
-rw-r--r-- 1 root root  2487 12月  7 17:01 US_export_policy.jar

替换其它节点的JCE

[root@bigdata27 security]# scp *.jar ws1m:/opt/java/jre/lib/security/

二、CM页面开启Kerberos

1.登录cm后选择管理->安全

2.点击启用Kerberos

后略

注：Sentry安装前请先安装Hive、Hue、Oozie，可以使用Hue的界面操作Sentry赋权。