Integrating ZooKeeper with Kerberos

Part of the article series: Big Data Security in Practice https://www.jianshu.com/p/76627fd8399c


Steps:

  1. Create the principals
  2. Modify jaas.conf and java.env
  3. Distribute the configuration files
  • Create the principals
#!/bin/bash

# Create one service principal per ZooKeeper host, each with a random key.
kadmin.local -q "addprinc -randkey zookeeper/v-hadoop-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey zookeeper/v-hadoop2-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey zookeeper/v-hadoop3-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey zookeeper/v-hadoop4-kbds.sz.kingdee.net"
kadmin.local -q "addprinc -randkey zookeeper/v-hadoop5-kbds.sz.kingdee.net"

# Export the service keys into a single keytab.
# Note: the jaas.conf below reads /etc/hadoop/conf/zookeeper.keytab and
# /plat/zookeeper/conf/zkcli.keytab; its keyTab entries must point at the
# keytab files written and copied here.
kadmin.local -q "ktadd -k /etc/hadoop/conf/zookeeper-service.keytab  zookeeper/v-hadoop-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/zookeeper-service.keytab  zookeeper/v-hadoop2-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/zookeeper-service.keytab  zookeeper/v-hadoop3-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/zookeeper-service.keytab  zookeeper/v-hadoop4-kbds.sz.kingdee.net"
kadmin.local -q "ktadd -k /etc/hadoop/conf/zookeeper-service.keytab  zookeeper/v-hadoop5-kbds.sz.kingdee.net"

# Principal and keytab for the ZooKeeper command-line client.
kadmin.local -q "addprinc -randkey zkcli"
kadmin.local -q "ktadd -k /etc/hadoop/conf/zkcli.keytab  zkcli"

# Distribute the client keytab to every host in the hadoop group.
ansible hadoop  -m copy --become -a "src=/etc/hadoop/conf/zkcli.keytab dest=/etc/hadoop/conf/zkcli.keytab"
  • Create jaas.conf under conf if it does not already exist
    In this conf file, _HOST may not be expanded to the host name, so write each host's own host name.
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/hadoop/conf/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/[email protected]";
};

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/plat/zookeeper/conf/zkcli.keytab"
  storeKey=true
  useTicketCache=false
  principal="[email protected]";

};
ansible hadoop  -m copy -a "src=/var/opt/zookeeper-3.4.6/conf/jaas.conf dest=/var/opt/zookeeper-3.4.6/conf/jaas.conf "

  • Modify java.env (create it if it does not exist)
export JVMFLAGS="-Djava.security.auth.login.config=/var/opt/zookeeper-3.4.6/conf/jaas.conf"

ansible hadoop -m copy -a "src=/var/opt/zookeeper-3.4.6/conf/java.env dest=/var/opt/zookeeper-3.4.6/conf/java.env"

  • Start

[kduser@v-hadoop-kbds zookeeper-3.4.6]$ ansible rss  -m shell -a "/var/opt/zookeeper-3.4.6/bin/zkServer.sh start"
v-hadoop4-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Starting zookeeper ... STARTEDJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

v-hadoop3-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Starting zookeeper ... STARTEDJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

v-hadoop5-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Starting zookeeper ... STARTEDJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

[kduser@v-hadoop-kbds zookeeper-3.4.6]$ ansible rss  -m shell -a "/var/opt/zookeeper-3.4.6/bin/zkServer.sh status"
v-hadoop5-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Mode: followerJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

v-hadoop3-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Mode: followerJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

v-hadoop4-kbds.sz.kingdee.net | SUCCESS | rc=0 >>
Mode: leaderJMX enabled by default
Using config: /var/opt/zookeeper-3.4.6/bin/../conf/zoo.cfg

ansible hadoop -m copy -a "src=/var/opt/hadoop-2.7.4/sbin dest=/var/opt/hadoop-2.7.4/ "
  • Verify
[kduser@v-hadoop4-kbds ~]$ pwd
/home/kduser
[kduser@v-hadoop4-kbds ~]$ tail -f zookeeper.out
# View the log
tail -f zookeeper



[hadoop@vm10-247-24-53 conf]$ ansible slave  -m shell -a "/mnt/kbdsproject/zookeeper/bin/zkServer.sh status"
vm10-247-24-63.ksc.com | SUCCESS | rc=0 >>
Mode: followerJMX enabled by default
Using config: /mnt/kbdsproject/zookeeper/bin/../conf/zoo.cfg
vm10-247-24-28.ksc.com | SUCCESS | rc=0 >>
Mode: followerJMX enabled by default
Using config: /mnt/kbdsproject/zookeeper/bin/../conf/zoo.cfg
vm10-247-24-49.ksc.com | SUCCESS | rc=0 >>
Mode: leaderJMX enabled by default
Using config: /mnt/kbdsproject/zookeeper/bin/../conf/zoo.cfg
[hadoop@vm10-247-24-53 conf]$
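
As an added example (not part of the original article), the script below renders the Server section with a literal host name, since _HOST may not be expanded, and checks one host's jaas.conf before start-up: no leftover _HOST, the principal names that host, and the keytab exists and is readable only by its owner. The function names, the realm EXAMPLE.COM and the zk1/zk2.example.internal hosts are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Host names, the realm
# EXAMPLE.COM and all paths used in the demo are constructed placeholders.

# Print a Server section with the literal host name instead of _HOST.
render_jaas() {  # usage: render_jaas HOST REALM KEYTAB
  cat <<EOF
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$3"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/$1@$2";
};
EOF
}

# Check one host's jaas.conf before starting ZooKeeper. Prints "ok", or the
# first problem found, and returns non-zero on a problem.
check_jaas() {  # usage: check_jaas FILE HOST
  if grep -q '_HOST' "$1"; then
    echo "unexpanded _HOST in $1"; return 1
  fi
  if ! grep -qF "principal=\"zookeeper/$2@" "$1"; then
    echo "Server principal does not name $2"; return 1
  fi
  # The first keyTab entry in the file is taken as the Server keytab.
  kt=$(sed -n 's/^[[:space:]]*keyTab="\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1)
  if [ ! -f "$kt" ]; then
    echo "keytab not found: $kt"; return 1
  fi
  # Characters 5-10 of the ls mode string are the group/other permission bits.
  if [ "$(ls -ld "$kt" | cut -c5-10)" != "------" ]; then
    echo "keytab readable beyond its owner: $kt"; return 1
  fi
  echo "ok"
}

# Demo on constructed data: an empty file stands in for the real keytab.
tmp=$(mktemp -d)
touch "$tmp/zookeeper.keytab" && chmod 600 "$tmp/zookeeper.keytab"
render_jaas zk1.example.internal EXAMPLE.COM "$tmp/zookeeper.keytab" > "$tmp/jaas.conf"
check_jaas "$tmp/jaas.conf" zk1.example.internal           # prints: ok
check_jaas "$tmp/jaas.conf" zk2.example.internal || true   # principal mismatch
rm -rf "$tmp"
```

Run check_jaas on each host against its own host name after the configuration files have been distributed; a jaas.conf copied unchanged from another host fails the principal check.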
