CDH6.2.0集成kerberos（已经集成了ldap,sentry）

服务器列表信息：
10.29.200.241 testhadoop-01
10.81.51.210 testhadoop-02
10.81.75.23 testhadoop-03
10.81.66.119 testhadoop-04
10.81.88.137 testhadoop-05

1.在testhadoop-02 服务器上安装KDC服务
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
2.修改/etc/krb5.conf配置文件（#号注释掉的地方需要注释掉，否则安装结束之后hive客户端会报错java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]）

3.修改/var/kerberos/krb5kdc/kadm5.acl配置
5.testhadoop-02 服务器上创建数据库 kdb5_util create -r FAYSON.COM -s 数据库密码: 123456
6.创建Kerberos的管理账号 ，kerberos管理员密码: 123456
[root@testhadoop-02~]# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc admin/[email protected]
WARNING: no policy specified for admin/[email protected]; defaulting to no policy
Enter password for principal “admin/[email protected]”:
Re-enter password for principal “admin/[email protected]”:
Principal “admin/[email protected]” created.
kadmin.local: exit
7. 将服务，并启动krb5kdc和kadmin服务
[root@testhadoop-02~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@testhadoop-02~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@2~]# systemctl start krb5kdc
[root@testhadoop-02~]# systemctl start kadmin
8、 为集群安装所有Kerberos客户端，包括Cloudera Manager
使用批处理脚本执行shell语句: yum -y install krb5-libs krb5-workstation
testhadoop-02上 /etc/krb5.conf的配置文件分发到各个集群的/etc目录下；

9.CDH集群启用Kerberos
1.在KDC(testhadoop-02)中给Cloudera Manager添加管理员账号

[root@testhadoop-02 shell]# kadmin.local
Authenticating as principal admin/[email protected] with password.
kadmin.local: addprinc cloudera-scm/[email protected]
WARNING: no policy specified for cloudera-scm/[email protected]; defaulting to no policy
Enter password for principal “cloudera-scm/[email protected]”:
Re-enter password for principal “cloudera-scm/[email protected]”:
Principal “cloudera-scm/[email protected]” created.
kadmin.local: exit

2.进入Cloudera Manager的“管理”->“安全”界面

3.选择“启用Kerberos”，进入如下界面

!
5.点击“继续”，配置相关的KDC信息，包括类型、KDC服务器、KDC Realm、加密类型以及待创建的Service Principal（hdfs，yarn,，hbase，hive等）的更新生命期等
6.不建议让Cloudera Manager来管理krb5.conf, 点击“继续”
7.输入Cloudera Manager的Kerbers管理员账号，一定得和之前创建的账号一致，点击“继续”
8.点击“继续”启用Kerberos
9.Kerberos启用完成，点击“继续”
10.集群重启完成，点击“继续”
11.点击“继续”
点击“完成”，至此已成功启用Kerberos。

12.回到主页，一切正常，再次查看“管理”->“安全”，界面显示“已成功启用 Kerberos。

安装过程中如果出现问题可以参照如下链接：
https://www.cnblogs.com/barneywill/p/10398663.html

集成之后，出现hive客户端执行的count指令失败，报错信息为/dfs/data1/yarn/nm/usercache相应的目录下没有创建文件的去权限，最后的解决方案是删除所有机器的usercache目录，重新启动cm集群解决。