Requirement:
Install and deploy security authentication (Kerberos) for a newly built Hadoop cluster and Hive cluster.
Versions:
centos 7.7
hadoop 2.7.6
hive 1.2.2
Deployment plan:
192.168.216.111 hadoop01: namenode, resourcemanager, datanode, nodemanager, hive, KDC service
192.168.216.112 hadoop02: datanode, nodemanager, secondarynamenode, Kerberos client
192.168.216.113 hadoop03: datanode, nodemanager, Kerberos client
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of secret-key cryptography. The authentication does not rely on the host operating system's own authentication, requires no trust based on host addresses, does not require physical security of every host on the network, and assumes that packets travelling over the network can be read, modified and injected at will. Under these conditions Kerberos, acting as a trusted third-party authentication service, performs authentication with conventional cryptography (shared secret keys).
Kerberos revolves around tickets. A ticket is much like a driver's licence: it identifies the holder and states what the holder is allowed to do.
Kerberos is an authentication protocol based on symmetric-key cryptography. As an independent, trusted third-party authentication service it can authenticate users on behalf of other services, and it supports SSO (once a client has authenticated it can access several services, such as HBase and HDFS).
The protocol has two phases: in the first the KDC authenticates the client, in the second the service authenticates the client. The process is shown in the figure below:
Terminology:
KDC: the Kerberos server program; the Key Distribution Center, which issues tickets and records what has been granted.
Client: the user (principal) that needs to access a service; both the KDC and the service authenticate the user's identity.
Service: a service integrated with Kerberos, such as HDFS, YARN or HBase.
principal: every user or service that is added needs a principal registered with the KDC; a principal has the form primary/instance@REALM.
TGT: ticket-granting ticket.
SGT: service-granting ticket (service ticket).
Installation steps:
On the KDC server (hadoop01) install the server and client packages:
[root@hadoop01 ~]# yum install -y krb5-server krb5-libs krb5-workstation
or use this instead:
yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
The client packages only need to be installed on the Hadoop worker nodes:
[root@hadoop02 ~]# yum install -y krb5-libs krb5-workstation
[root@hadoop03 ~]# yum install -y krb5-libs krb5-workstation
Edit the KDC configuration on the Kerberos server only:
[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kdc.conf
Change the contents as follows:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
# EXAMPLE.COM = {
# #master_key_type = aes256-cts
# acl_file = /var/kerberos/krb5kdc/kadm5.acl
# dict_file = /usr/share/dict/words
# admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }
HIVE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Configuration notes:
HIVE.COM: the realm being defined. The name is arbitrary; Kerberos supports multiple realms, and realm names are conventionally written in upper case.
master_key_type and supported_enctypes default to aes256-cts. Because Java needs additional jars to use aes256-cts, it is not used here.
acl_file: defines the permissions of the admin users. Each line has the format
Kerberos_principal permissions [target_principal] [restrictions]; wildcards are supported.
admin_keytab: the keytab the KDC uses to verify kadmin.
supported_enctypes: the supported encryption types. Note that aes256-cts has been removed.
krb5.conf must be configured on both the Kerberos server and the clients.
Kerberos server configuration:
[root@hadoop01 ~]# vi /etc/krb5.conf
Replace the contents with the following:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# dns_lookup_realm = false
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# rdns = false
# pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
## default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
default_realm = HIVE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 120
udp_preference_limit = 1
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
HIVE.COM = {
kdc = hadoop01
admin_server = hadoop01
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.hive.com = HIVE.COM
hive.com = HIVE.COM
Kerberos client configuration:
[root@hadoop02 ~]# vi /etc/krb5.conf
Same contents as above.
[root@hadoop03 ~]# vi /etc/krb5.conf
Same contents as above.
Configuration notes:
[logging]: where the server-side logs are written.
udp_preference_limit = 1: forces TCP instead of UDP, which avoids a known problem with Hadoop.
ticket_lifetime: how long a ticket is valid; typically 24 hours.
renew_lifetime: the longest period over which a ticket can be renewed; typically one week. Once the ticket has expired, further access to Kerberos-protected services fails.
clockskew: the tolerated difference, in seconds, between a ticket's timestamps and the host's system clock; a ticket outside this tolerance is rejected.
Change the realm from the default EXAMPLE.COM to the value you want to define, e.g. HIVE.COM. The following parameters need to be changed:
default_realm: the default realm, e.g. HIVE.COM.
kdc: the location of the KDC, given as a host name.
admin_server: the location of the admin server, given as a host name.
default_domain: the default domain (set to the domain of the master host, e.g. hive.com).
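As an added example (not part of the original post), here is a small Python checker for the two files just configured. It parses the MIT krb5.conf/kdc.conf format, including the nested realm blocks, and reports on the realm's supported_enctypes: the list above drops aes256-cts but keeps DES, 3DES and RC4 types, which are deprecated. The trimmed sample configs embedded below are constructed from the values on this page.

```python
import re

# Enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES and RC4).
# A KDC that still lists them lets clients negotiate down to them.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "des3-cbc-sha1",
    "des3-hmac-sha1", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}


def parse_krb5(text):
    """Parse the MIT krb5.conf / kdc.conf format into nested dicts: '[name]' starts a
    section, 'KEY = {' opens a sub-block closed by '}', '#' starts a comment."""
    sections = {}
    stack = []  # innermost open block last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("setting outside any section: %r" % line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def classify_enctypes(value):
    """Split 'aes128-cts:normal des-cbc-md5:normal ...' into (acceptable, weak) names."""
    acceptable, weak = [], []
    for item in value.split():
        name = item.split(":", 1)[0]  # drop the :salt suffix
        (weak if name in WEAK_ENCTYPES else acceptable).append(name)
    return acceptable, weak


def audit_realm(kdc_conf, krb5_conf, realm):
    """Return human-readable findings for one realm across kdc.conf and krb5.conf."""
    realm_block = kdc_conf.get("realms", {}).get(realm)
    if realm_block is None:
        return ["realm %s is not defined in kdc.conf" % realm]
    findings = []
    acceptable, weak = classify_enctypes(realm_block.get("supported_enctypes", ""))
    if weak:
        findings.append("KDC offers deprecated enctypes: " + ", ".join(weak))
    aes = [e for e in acceptable if e.startswith("aes")]
    if not aes:
        findings.append("no AES enctype is offered at all")
    elif not any(e.startswith("aes256") for e in aes):
        findings.append("aes256-cts is absent; AES is limited to " + ", ".join(aes))
    libdefaults = krb5_conf.get("libdefaults", {})
    if libdefaults.get("default_realm") != realm:
        findings.append("krb5.conf default_realm is %r, not %s"
                        % (libdefaults.get("default_realm"), realm))
    if libdefaults.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit is not 1, so large tickets may go over UDP")
    if realm not in krb5_conf.get("realms", {}):
        findings.append("krb5.conf has no [realms] entry for %s" % realm)
    return findings


# Constructed inputs: the realm blocks this page configures, trimmed.
KDC_CONF = """\
[realms]
 HIVE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = HIVE.COM
 ticket_lifetime = 24h
 clockskew = 120
 udp_preference_limit = 1
[realms]
 HIVE.COM = {
  kdc = hadoop01
  admin_server = hadoop01
 }
[domain_realm]
 .hive.com = HIVE.COM
"""
```

Call audit_realm(parse_krb5(open("/var/kerberos/krb5kdc/kdc.conf").read()), parse_krb5(open("/etc/krb5.conf").read()), "HIVE.COM") on the KDC host to check the real files.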
Database administrator permissions, configured on the Kerberos server:
[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
Change it to:
*/[email protected] *
Configuration notes:
For more on the kadm5.acl file, see the kadm5.acl documentation.
There are two ways to administer the KDC database: directly on the KDC host, where no password is needed, or from elsewhere, where the administrator password must be entered. They are:
kadmin.local: must be run on the KDC server itself; no password is needed to manage the database.
kadmin: can be run from any host in the KDC's realm, but the administrator password is required.
Create the Kerberos database. You must set an administrator (master) password; on success a set of files is generated under /var/kerberos/krb5kdc/. To recreate the database, first delete the principal-related files under /var/kerberos/krb5kdc.
Run on the Kerberos server:
[root@hadoop01 ~]# kdb5_util create -s -r HIVE.COM
Enter the KDC password and make sure you remember it. I set it to root here; just enter the same value twice.
Run the following on the Kerberos server only:
[root@hadoop01 ~]# chkconfig krb5kdc on
[root@hadoop01 ~]# chkconfig kadmin on
[root@hadoop01 ~]# service krb5kdc start
[root@hadoop01 ~]# service kadmin start
[root@hadoop01 ~]# service krb5kdc status
Run the following on the Kerberos server.
Start kadmin.local, then add the principal: addprinc admin/[email protected]
[root@hadoop01 ~]# kadmin.local
Authenticating as principal root/[email protected] with password.
Continue filling in as shown in the figure below:
Enter the principal and its password (the same password twice; I used root).
Finally, type q, quit or exit to leave.
Some concepts:
A Kerberos principal marks a unique identity within the Kerberos system.
Kerberos issues tickets to principals so that they can access Hadoop services protected by Kerberos.
For Hadoop, principals take the form username/[email protected].
A keytab is a file containing principals and their encrypted keys. A keytab is unique to each host, because the host name is part of the key. Keytabs let a host authenticate a principal to Kerberos without human interaction and without storing a plaintext password. Because anyone who can read the keytab can authenticate to Kerberos as that principal, the file must be protected carefully and be readable by as few users as possible.
Configuring Kerberos for Hive presupposes that the Hadoop cluster already has Kerberos configured, so we configure the Hadoop cluster's authentication first.
Create the users below. The passwords used here are the same as the user names; any value can be chosen.
#create the hadoop user
[root@hadoop01 hadoop]# useradd hadoop
[root@hadoop01 hadoop]# passwd hadoop
[root@hadoop02 hadoop]# useradd hadoop
[root@hadoop02 hadoop]# passwd hadoop
[root@hadoop03 hadoop]# useradd hadoop
[root@hadoop03 hadoop]# passwd hadoop
#create the yarn user, which must have a userID < 1000:
[root@hadoop01 ~]# useradd -u 502 yarn -g hadoop
#and set a password for the new user with passwd
[root@hadoop01 ~]# passwd yarn
(enter the new password when prompted)
#create the hdfs user
[root@hadoop01 hadoop]# useradd hdfs -g hadoop
[root@hadoop01 hadoop]# passwd hdfs
[root@hadoop02 hadoop]# useradd hdfs -g hadoop
[root@hadoop02 hadoop]# passwd hdfs
[root@hadoop03 hadoop]# useradd hdfs -g hadoop
[root@hadoop03 hadoop]# passwd hdfs
#create the HTTP user
[root@hadoop01 hadoop]# useradd HTTP
[root@hadoop01 hadoop]# passwd HTTP
[root@hadoop02 hadoop]# useradd HTTP
[root@hadoop02 hadoop]# passwd HTTP
[root@hadoop03 hadoop]# useradd HTTP
[root@hadoop03 hadoop]# passwd HTTP
On the KDC server node, run the following as root:
[root@hadoop01 ~]# cd /var/kerberos/krb5kdc/
#log in as the admin user
[root@hadoop01 krb5kdc]# kadmin.local
#create the principals
addprinc -randkey yarn/[email protected]
addprinc -randkey yarn/[email protected]
addprinc -randkey yarn/[email protected]
addprinc -randkey hdfs/[email protected]
addprinc -randkey hdfs/[email protected]
addprinc -randkey hdfs/[email protected]
addprinc -randkey HTTP/[email protected]
addprinc -randkey HTTP/[email protected]
addprinc -randkey HTTP/[email protected]
#generate the keytab files (written to the current directory)
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/[email protected]"
#merge them into a single keytab: rkt reads a keytab into ktutil's key list, wkt writes the list out as a keytab
[root@hadoop01 krb5kdc]# ktutil
ktutil: rkt hdfs-unmerged.keytab
ktutil: rkt HTTP.keytab
ktutil: rkt yarn.keytab
ktutil: wkt hdfs.keytab
ktutil: q
Note: the text after the ktutil: prompt is what you type.
#inspect the result
[root@hadoop01 krb5kdc]# klist -ket hdfs.keytab
Keytab name: FILE:hdfs.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 04/14/2020 15:48:21 hdfs/[email protected] (aes128-cts-hmac-sha1-96)
3 04/14/2020 15:48:21 hdfs/[email protected] (des3-cbc-sha1)
3 04/14/2020 15:48:21 hdfs/[email protected] (arcfour-hmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (camellia256-cts-cmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (camellia128-cts-cmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (des-hmac-sha1)
3 04/14/2020 15:48:21 hdfs/[email protected] (des-cbc-md5)
3 04/14/2020 15:48:21 hdfs/[email protected] (aes128-cts-hmac-sha1-96)
3 04/14/2020 15:48:21 hdfs/[email protected] (des3-cbc-sha1)
3 04/14/2020 15:48:21 hdfs/[email protected] (arcfour-hmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (camellia256-cts-cmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (camellia128-cts-cmac)
3 04/14/2020 15:48:21 hdfs/[email protected] (des-hmac-sha1)
3 04/14/2020 15:48:21 hdfs/[email protected] (des-cbc-md5)
8 04/14/2020 15:48:21 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
8 04/14/2020 15:48:21 HTTP/[email protected] (des3-cbc-sha1)
8 04/14/2020 15:48:21 HTTP/[email protected] (arcfour-hmac)
8 04/14/2020 15:48:21 HTTP/[email protected] (camellia256-cts-cmac)
8 04/14/2020 15:48:21 HTTP/[email protected] (camellia128-cts-cmac)
8 04/14/2020 15:48:21 HTTP/[email protected] (des-hmac-sha1)
8 04/14/2020 15:48:21 HTTP/[email protected] (des-cbc-md5)
6 04/14/2020 15:48:21 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/[email protected] (des3-cbc-sha1)
6 04/14/2020 15:48:21 HTTP/[email protected] (arcfour-hmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (camellia256-cts-cmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (camellia128-cts-cmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (des-hmac-sha1)
6 04/14/2020 15:48:21 HTTP/[email protected] (des-cbc-md5)
6 04/14/2020 15:48:21 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/[email protected] (des3-cbc-sha1)
6 04/14/2020 15:48:21 HTTP/[email protected] (arcfour-hmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (camellia256-cts-cmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (camellia128-cts-cmac)
6 04/14/2020 15:48:21 HTTP/[email protected] (des-hmac-sha1)
6 04/14/2020 15:48:21 HTTP/[email protected] (des-cbc-md5)
7 04/14/2020 15:48:21 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
7 04/14/2020 15:48:21 HTTP/[email protected] (des3-cbc-sha1)
7 04/14/2020 15:48:21 HTTP/[email protected] (arcfour-hmac)
7 04/14/2020 15:48:21 HTTP/[email protected] (camellia256-cts-cmac)
7 04/14/2020 15:48:21 HTTP/[email protected] (camellia128-cts-cmac)
7 04/14/2020 15:48:21 HTTP/[email protected] (des-hmac-sha1)
7 04/14/2020 15:48:21 HTTP/[email protected] (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/[email protected] (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/[email protected] (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/[email protected] (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/[email protected] (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/[email protected] (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/[email protected] (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/[email protected] (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/[email protected] (des-cbc-md5)
Copy the generated hdfs.keytab into the Hadoop configuration directory and set its ownership and permissions. Keytab login failures are common later on, and the first thing to check is always the file's permissions.
[root@hadoop01 krb5kdc]# cp ./hdfs.keytab /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
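Added example (not from the original post): a Python inventory of a keytab from `klist -ket` output, plus the permission check recommended above. It groups entries by principal and flags principals with more than one KVNO, deprecated enctypes, and services with no key for an expected host; mode_issues reports permission bits a keytab should not carry. The klist sample is constructed to resemble this page's listing, using its hosts and realm.

```python
import os
import re
import stat
from collections import defaultdict

# One `klist -ket` row: KVNO, date, time, principal, (enctype).
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\(([^)]+)\)\s*$")
# DES, 3DES and RC4 keys are deprecated (RFC 6649, RFC 8429) but are still written
# into the keytab whenever kdc.conf lists them in supported_enctypes.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-cbc-sha1", "arcfour-hmac"}


def parse_klist(text):
    """Group `klist -ket` output as {principal: {"kvnos": set, "enctypes": [...]}}."""
    entries = defaultdict(lambda: {"kvnos": set(), "enctypes": []})
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # the 'Keytab name:', header and ruler lines do not match
            kvno, _date, _time, principal, enctype = m.groups()
            entries[principal]["kvnos"].add(int(kvno))
            entries[principal]["enctypes"].append(enctype)
    return dict(entries)


def audit_entries(entries, expected_hosts, realm):
    """Findings: wrong realm, several key versions, weak keys, hosts lacking a service key."""
    findings = []
    by_service = defaultdict(set)
    for principal, e in sorted(entries.items()):
        service, _, rest = principal.partition("/")
        host, _, prealm = rest.partition("@")
        by_service[service].add(host)
        if prealm != realm:
            findings.append("%s: realm %s is not %s" % (principal, prealm, realm))
        if len(e["kvnos"]) > 1:
            findings.append("%s: %d key versions %s; each xst re-keys the principal, so only "
                            "the highest is current" % (principal, len(e["kvnos"]), sorted(e["kvnos"])))
        weak = sorted(set(e["enctypes"]) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s: weak keys %s" % (principal, ", ".join(weak)))
    for service, hosts in sorted(by_service.items()):
        missing = sorted(set(expected_hosts) - hosts)
        if missing:
            findings.append("%s: no key for host(s) %s" % (service, ", ".join(missing)))
    return findings


def mode_issues(st_mode, expected=0o400):
    """Permission bits a keytab carries beyond `expected` (0400: owner read only)."""
    mode = stat.S_IMODE(st_mode)
    extra = mode & ~expected
    issues = []
    if extra & 0o077:
        issues.append("mode %04o: readable or writable by group/other" % mode)
    if extra & 0o200:
        issues.append("mode %04o: writable by owner, expected read-only" % mode)
    if extra & 0o111:
        issues.append("mode %04o: executable bits set" % mode)
    return issues


def check_keytab_file(path, expected_owner=None):
    """Run mode_issues on a real file and optionally verify the owner's user name."""
    st = os.stat(path)
    issues = mode_issues(st.st_mode)
    if expected_owner is not None:
        import pwd  # POSIX only
        owner = pwd.getpwuid(st.st_uid).pw_name
        if owner != expected_owner:
            issues.append("owned by %s, expected %s" % (owner, expected_owner))
    return issues


# Constructed sample in the shape of this page's hdfs.keytab listing, trimmed to a
# few enctypes, with HTTP/hadoop01 carrying two key versions as it would after
# xst was run for that principal twice, and no hdfs key for hadoop03.
KLIST_OUTPUT = """\
Keytab name: FILE:hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (arcfour-hmac)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   7 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   8 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
"""
HOSTS = ["hadoop01", "hadoop02", "hadoop03"]
```

On a node, feed the output of `klist -ket hdfs.keytab` to parse_klist and call check_keytab_file("/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab", "hdfs") to verify the 0400 hdfs-owned state the page sets up.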
core-site.xml configuration:
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
yarn-site.xml:
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>yarn.nodemanager.container-executor.class</name>
  <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
  <name>yarn.nodemanager.linux-container-executor.group</name>
  <value>yarn</value>
</property>
<property>
  <name>yarn.resourcemanager.proxy-user-privileges.enabled</name>
  <value>true</value>
</property>
<property>
  <name>yarn.nodemanager.local-dirs</name>
  <value>/usr/local/hadoop-2.7.6/tmp/nm-local-dir</value>
</property>
hdfs-site.xml:
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>700</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>dfs.namenode.kerberos.https.principal</name>
  <value>HTTP/[email protected]</value>
</property>
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:1004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:1006</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>dfs.datanode.kerberos.https.principal</name>
  <value>HTTP/[email protected]</value>
</property>
<property>
  <name>dfs.webhdfs.enabled</name>
  <value>true</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/[email protected]</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>hadoop.tmp.dir</name>
  <value>/usr/local/hadoop-2.7.6/tmp</value>
</property>
mapred-site.xml:
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>hdfs/[email protected]</value>
</property>
<property>
  <name>mapreduce.jobhistory.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
container-executor.cfg
yarn.nodemanager.linux-container-executor.group=hadoop
#configured value of yarn.nodemanager.linux-container-executor.group
banned.users=hdfs
#comma separated list of users who can not run applications
min.user.id=0
#Prevent other super-users
allowed.system.users=root,yarn,hdfs,mapred,nobody
##comma separated list of system users who CAN run applications
When secure DataNodes are configured, starting a DataNode requires root privileges, so hadoop-env.sh must be modified. jsvc also has to be installed, and commons-daemon-1.0.15.jar must be downloaded and built again and used to replace the copy under $HADOOP_HOME/share/hadoop/hdfs/lib.
Otherwise the error "Cannot start secure DataNode without configuring either privileged resources" is raised.
The full error when starting the DataNode is:
2020-04-14 15:56:35,164 FATAL org.apache.hadoop.hdfs.server.datanode.DataNode: Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP. Using privileged resources in combination with SASL RPC data transfer protection is not supported.
at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1208)
at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1108)
at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:429)
at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2414)
at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2301)
at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2348)
at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2530)
at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2554)
2020-04-14 15:56:35,173 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
2020-04-14 15:56:35,179 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: SHUTDOWN_MSG:
Download and unpack commons-daemon-1.2.2-src.tar.gz and commons-daemon-1.2.2-bin.tar.gz:
[root@hadoop01 hadoop]# cd /usr/local
[root@hadoop01 local]# cd ./JSVC_packages/
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/source/commons-daemon-1.2.2-src.tar.gz
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/binaries/commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-src.tar.gz
[root@hadoop01 JSVC_packages]# ll
total 472
drwxr-xr-x. 3 root root 278 Apr 14 16:25 commons-daemon-1.2.2
-rw-r--r--. 1 root root 179626 Apr 14 16:24 commons-daemon-1.2.2-bin.tar.gz
drwxr-xr-x. 3 root root 180 Apr 14 16:25 commons-daemon-1.2.2-src
-rw-r--r--. 1 root root 301538 Apr 14 16:24 commons-daemon-1.2.2-src.tar.gz
#build jsvc and copy it to the target directory
[root@hadoop01 JSVC_packages]# cd commons-daemon-1.2.2-src/src/native/unix/
[root@hadoop01 unix]# ./configure
[root@hadoop01 unix]# make
[root@hadoop01 unix]# cp ./jsvc /usr/local/hadoop-2.7.6/libexec/
#copy commons-daemon-1.2.2.jar (back up the bundled 1.0.13 jar first)
[root@hadoop01 unix]# cd /usr/local/JSVC_packages/commons-daemon-1.2.2/
[root@hadoop01 commons-daemon-1.2.2]# cp /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar.bak
[root@hadoop01 commons-daemon-1.2.2]# cp ./commons-daemon-1.2.2.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
[root@hadoop01 commons-daemon-1.2.2]# cd /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
[root@hadoop01 lib]# chown hdfs:hadoop commons-daemon-1.2.2.jar
[root@hadoop01 hadoop-2.7.6]# vi ./etc/hadoop/hadoop-env.sh
Append the following:
export HADOOP_SECURE_DN_USER=hdfs
export JSVC_HOME=/usr/local/hadoop-2.7.6/libexec/
#distribute the Hadoop installation to the other nodes
[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop02:/usr/local/
[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop03:/usr/local/
#obtain a ticket from the keytab on every node
[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
[root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
[root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
#restrict the keytab on the other nodes as well
[root@hadoop02 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop02 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
[root@hadoop03 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop03 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
[root@hadoop01 hadoop-2.7.6]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/[email protected]
Valid starting Expires Service principal
04/14/2020 16:49:17 04/15/2020 16:49:17 krbtgt/[email protected]
renew until 04/21/2020 16:49:17
[root@hadoop02 ~]# useradd hdfs
[root@hadoop02 hadoop-2.7.6]# passwd hdfs
[root@hadoop03 ~]# useradd hdfs
[root@hadoop03 hadoop-2.7.6]# passwd hdfs
#start HDFS, directly as root
[root@hadoop01 hadoop-2.7.6]# start-dfs.sh
#start the DataNodes, directly as root
[root@hadoop01 hadoop-2.7.6]# start-secure-dns.sh
#start YARN, directly as root (tested, works)
[root@hadoop01 hadoop-2.7.6]# start-yarn.sh
#start the history server, directly as root
[root@hadoop01 hadoop-2.7.6]# mr-jobhistory-daemon.sh start historyserver
Stopping the cluster:
#stop the DataNodes; must be run as root
[root@hadoop01 hadoop-2.7.6]# stop-secure-dns.sh
#stop HDFS
[root@hadoop01 hadoop-2.7.6]# stop-dfs.sh
#stop YARN, directly as root (tested, works)
[root@hadoop01 hadoop-2.7.6]# stop-yarn.sh
HDFS web address: http://hadoop01:50070
YARN web address: http://hadoop01:8088
HDFS test:
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -ls /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -put /home/words /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe
# Test as the hdfs user: without Kerberos credentials, the HDFS file system cannot be accessed
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
20/04/15 15:04:41 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
cat: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "hadoop02/192.168.216.112"; destination host is: "hadoop01":9000;
#Solution: obtain a ticket from the keytab
[hdfs@hadoop02 hadoop]$ kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe
YARN test:
[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab yarn/[email protected]
[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/00
Error 1:
20/04/15 23:42:45 INFO mapreduce.Job: Job job_1586934815492_0008 failed with state FAILED due to: Application application_1586934815492_0008 failed 2 times due to AM Container for appattempt_1586934815492_0008_000002 exited with exitCode: -1000
For more detailed output, check application tracking page:http://hadoop01:8088/cluster/app/application_1586934815492_0008Then, click on links to logs of each attempt.
Diagnostics: Application application_1586934815492_0008 initialization failed (exitCode=255) with output: Requested user hdfs is banned
Error 2:
Caused by: java.io.IOException: Exceeded MAX_FAILED_UNIQUE_FETCHES; bailing-out.
Solution:
Configure a temporary directory in hdfs-site.xml (hadoop.tmp.dir above).
yarn-site.xml also needs a temporary directory (yarn.nodemanager.local-dirs above): use the same prefix as the hdfs one with a fixed suffix appended.
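Added example, not from the original post: a Python cross-check of container-executor.cfg against yarn-site.xml. can_launch is an illustrative model of the user checks the cfg keys express (banned.users, min.user.id with the allowed.system.users whitelist), not the executor's own code. With the page's values it shows why a job submitted as hdfs fails with "Requested user hdfs is banned" (Error 1 above), and that the linux-container-executor group is hadoop in the cfg but yarn in yarn-site.xml. The sample inputs are constructed from this page's configuration.

```python
import xml.etree.ElementTree as ET

GROUP_KEY = "yarn.nodemanager.linux-container-executor.group"


def parse_executor_cfg(text):
    """container-executor.cfg: one key=value per line, '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def parse_hadoop_xml(text):
    """{name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}


def csv_set(value):
    """'root,yarn, hdfs' -> {'root', 'yarn', 'hdfs'}"""
    return {v.strip() for v in value.split(",") if v.strip()}


def can_launch(cfg, user, uid):
    """Model (illustration only, not the executor's C code) of the user checks that
    container-executor applies before launching a container. Returns (allowed, reason)."""
    if user in csv_set(cfg.get("banned.users", "")):
        return False, "Requested user %s is banned" % user
    min_uid = int(cfg.get("min.user.id", "1000"))  # 1000 is Hadoop's default
    if uid < min_uid and user not in csv_set(cfg.get("allowed.system.users", "")):
        return False, ("user %s has uid %d below min.user.id=%d and is not in "
                       "allowed.system.users" % (user, uid, min_uid))
    return True, "ok"


def config_findings(cfg, yarn_site):
    """Cross-check container-executor.cfg against yarn-site.xml."""
    findings = []
    if cfg.get(GROUP_KEY) != yarn_site.get(GROUP_KEY):
        findings.append("%s differs: container-executor.cfg=%r, yarn-site.xml=%r; the two must agree"
                        % (GROUP_KEY, cfg.get(GROUP_KEY), yarn_site.get(GROUP_KEY)))
    if int(cfg.get("min.user.id", "1000")) == 0:
        findings.append("min.user.id=0 lets any uid launch containers; keep the default 1000 "
                        "and list low-uid daemons such as yarn in allowed.system.users instead")
    return findings


# Constructed inputs: the values this page puts in container-executor.cfg and yarn-site.xml.
EXECUTOR_CFG = """\
yarn.nodemanager.linux-container-executor.group=hadoop
#configured value of yarn.nodemanager.linux-container-executor.group
banned.users=hdfs
#comma separated list of users who can not run applications
min.user.id=0
#Prevent other super-users
allowed.system.users=root,yarn,hdfs,mapred,nobody
##comma separated list of system users who CAN run applications
"""

YARN_SITE = """\
<configuration>
  <property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
  </property>
  <property>
    <name>yarn.nodemanager.linux-container-executor.group</name>
    <value>yarn</value>
  </property>
</configuration>
"""
```

On hadoop01, pass the real files (/usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg and yarn-site.xml) to the two parsers and call can_launch with the uid of the user that submits the job (502 for yarn, 503 for hive on this page).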
#test again:
[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/02
20/04/16 02:55:38 INFO client.RMProxy: Connecting to ResourceManager at hadoop01/192.168.216.111:8032
20/04/16 02:55:38 INFO hdfs.DFSClient: Created HDFS_DELEGATION_TOKEN token 61 for yarn on 192.168.216.111:9000
20/04/16 02:55:38 INFO security.TokenCache: Got dt for hdfs://hadoop01:9000; Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:39 INFO input.FileInputFormat: Total input paths to process : 1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: number of splits:1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1586976916277_0001
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:41 INFO impl.YarnClientImpl: Submitted application application_1586976916277_0001
20/04/16 02:55:41 INFO mapreduce.Job: The url to track the job: http://hadoop01:8088/proxy/application_1586976916277_0001/
20/04/16 02:55:41 INFO mapreduce.Job: Running job: job_1586976916277_0001
20/04/16 02:56:11 INFO mapreduce.Job: Job job_1586976916277_0001 running in uber mode : false
20/04/16 02:56:11 INFO mapreduce.Job: map 0% reduce 0%
20/04/16 02:56:13 INFO mapreduce.Job: Task Id : attempt_1586976916277_0001_m_000000_0, Status : FAILED
Application application_1586976916277_0001 initialization failed (exitCode=20) with output: main : command provided 0
main : user is yarn
main : requested yarn user is yarn
Permission mismatch for /usr/local/hadoop-2.7.6/tmp/nm-local-dir for caller uid: 0, owner uid: 502.
Couldn't get userdir directory for yarn.
20/04/16 02:56:20 INFO mapreduce.Job: map 100% reduce 0%
20/04/16 02:56:28 INFO mapreduce.Job: map 100% reduce 100%
20/04/16 02:56:28 INFO mapreduce.Job: Job job_1586976916277_0001 completed successfully
20/04/16 02:56:28 INFO mapreduce.Job: Counters: 51
File System Counters
FILE: Number of bytes read=81
FILE: Number of bytes written=251479
FILE: Number of read operations=0
FILE: Number of large read operations=0
FILE: Number of write operations=0
HDFS: Number of bytes read=154
HDFS: Number of bytes written=51
HDFS: Number of read operations=6
HDFS: Number of large read operations=0
HDFS: Number of write operations=2
Job Counters
Failed map tasks=1
Launched map tasks=2
Launched reduce tasks=1
Other local map tasks=1
Data-local map tasks=1
Total time spent by all maps in occupied slots (ms)=4531
Total time spent by all reduces in occupied slots (ms)=3913
Total time spent by all map tasks (ms)=4531
Total time spent by all reduce tasks (ms)=3913
Total vcore-milliseconds taken by all map tasks=4531
Total vcore-milliseconds taken by all reduce tasks=3913
Total megabyte-milliseconds taken by all map tasks=4639744
Total megabyte-milliseconds taken by all reduce tasks=4006912
Map-Reduce Framework
Map input records=3
Map output records=10
Map output bytes=103
Map output materialized bytes=81
Input split bytes=91
Combine input records=10
Combine output records=6
Reduce input groups=6
Reduce shuffle bytes=81
Reduce input records=6
Reduce output records=6
Spilled Records=12
Shuffled Maps =1
Failed Shuffles=0
Merged Map outputs=1
GC time elapsed (ms)=192
CPU time spent (ms)=2120
Physical memory (bytes) snapshot=441053184
Virtual memory (bytes) snapshot=4211007488
Total committed heap usage (bytes)=277348352
Shuffle Errors
BAD_ID=0
CONNECTION=0
IO_ERROR=0
WRONG_LENGTH=0
WRONG_MAP=0
WRONG_REDUCE=0
File Input Format Counters
Bytes Read=63
File Output Format Counters
Bytes Written=51
Error 1:
2020-04-15 14:38:36,457 INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user hdfs/[email protected] using keytab file /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab
2020-04-15 14:38:36,961 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Invalid dfs.datanode.data.dir /home/hdfs/hadoopdata/dfs/data :
Solution (skip if the following is already in place):
Step 1:
[root@hadoop02 ~]# useradd hdfs -g hadoop
[root@hadoop02 ~]# passwd hdfs
[root@hadoop03 ~]# useradd hdfs -g hadoop
[root@hadoop03 ~]# passwd hdfs
Step 2 (run on whichever node reports the error):
[root@hadoop02 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
[root@hadoop03 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
Error 2:
Error when starting the DataNode:
java.io.IOException: All directories in dfs.datanode.data.dir are invalid: "/home/hdfs/hadoopdata/dfs/data"
Solution (create the directory by hand if it does not exist):
[root@hadoop02 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data
[root@hadoop03 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data
Error 3:
Error when starting YARN:
Caused by: java.io.IOException: Login failure for hdfs/[email protected] from keytab /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
Fix (run on whichever node reports the error):
[root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
[root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/[email protected]
Error 4:
Error when starting YARN:
Caused by: ExitCodeException exitCode=24: File /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg must be owned by root, but is owned by 20415
Change container-executor.cfg and every one of its parent directories to root:root:
[root@hadoop01 hadoop-2.7.6]# chown root:root /usr/local/hadoop-2.7.6/etc/
[root@hadoop01 hadoop-2.7.6]# chown root:root /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hadoop-2.7.6]# chown root:root /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg
Error 5:
Error when starting YARN:
Caused by: ExitCodeException exitCode=22: Invalid permissions on container-executor binary.
Solution:
[root@hadoop01 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop01 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor
[root@hadoop02 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop02 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor
[root@hadoop03 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop03 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor
Error 6:
#error when running the example job
java.io.IOException: org.apache.hadoop.yarn.exceptions.InvalidResourceRequestException: Invalid resource request, requested memory < 0, or requested memory > max configured, requestedMemory=1536, maxMemory=1024
#solution: edit yarn-site.xml:
<property>
  <name>yarn.nodemanager.resource.memory-mb</name>
  <value>2048</value>
</property>
#distribute to the other servers:
[root@hadoop01 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/
#restart YARN
[root@hadoop01 hadoop-2.7.6]# start-yarn.sh
#create the hive user:
[root@hadoop01 hive-1.2.2]# useradd -u 503 hive -g hadoop
[root@hadoop01 hive-1.2.2]# passwd hive
(enter the new password; mine is hive)
On the master node, i.e. the KDC server, run the following as root:
[root@hadoop01 hive-1.2.2]# cd /var/kerberos/krb5kdc/
[root@hadoop01 krb5kdc]# kadmin.local -q "addprinc -randkey hive/[email protected]"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hive.keytab hive/[email protected]"
#inspect the result
[root@hadoop01 krb5kdc]# klist -ket hive.keytab
Keytab name: FILE:hive.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04/15/2020 23:52:46 hive/[email protected] (aes128-cts-hmac-sha1-96)
2 04/15/2020 23:52:46 hive/[email protected] (des3-cbc-sha1)
2 04/15/2020 23:52:46 hive/[email protected] (arcfour-hmac)
2 04/15/2020 23:52:46 hive/[email protected] (camellia256-cts-cmac)
2 04/15/2020 23:52:46 hive/[email protected] (camellia128-cts-cmac)
2 04/15/2020 23:52:46 hive/[email protected] (des-hmac-sha1)
2 04/15/2020 23:52:46 hive/[email protected] (des-cbc-md5)
#copy hive.keytab into the Hive configuration directory:
[root@hadoop01 krb5kdc]# cp hive.keytab /usr/local/hive-1.2.2/conf/
#set ownership and permissions
[root@hadoop01 krb5kdc]# cd /usr/local/hive-1.2.2/conf/
[root@hadoop01 conf]# chown hive:hadoop hive.keytab && chmod 400 hive.keytab
A keytab is effectively a permanent credential that needs no password (it only becomes invalid if the principal's password is changed in the KDC). Any other user with read access to the file could therefore impersonate the principal in the keytab when accessing Hadoop, so the keytab must be readable by its owner only (0400).
hive-site.xml:
[root@hadoop01 hive-1.2.1]# vi ./conf/hive-site.xml
<property>
  <name>hive.server2.authentication</name>
  <value>KERBEROS</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.principal</name>
  <value>hive/[email protected]</value>
</property>
<property>
  <name>hive.server2.authentication.kerberos.keytab</name>
  <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
</property>
<property>
  <name>hive.metastore.sasl.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.metastore.kerberos.keytab.file</name>
  <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
</property>
<property>
  <name>hive.metastore.kerberos.principal</name>
  <value>hive/[email protected]</value>
</property>
core-site.xml:
[root@hadoop01 hive-1.2.2]# vi ../hadoop-2.7.6/etc/hadoop/core-site.xml
<property>
  <name>hadoop.proxyuser.hive.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hive.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.hdfs.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.HTTP.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.HTTP.groups</name>
  <value>*</value>
</property>
# after adding these, sync the file to the other servers
[root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hive-1.2.2]# nohup hive --service metastore >> metastore.log 2>&1 &
[root@hadoop01 hive-1.2.2]# nohup hive --service hiveserver2 >> hiveserver2.log 2>&1 &
##these can also be run after switching to the hive user.
Connecting with the hive CLI (without a ticket the connection to the metastore fails):
[root@hadoop01 hive-1.2.2]# hive
Logging initialized using configuration in file:/opt/apache-hive-1.2.1-bin/conf/hive-log4j.properties
hive>
Caused by: MetaException(message:Could not connect to meta store using any of the URIs provided. Most recent failure: org.apache.thrift.transport.TTransportException: GSS initiate failed
2020-04-16 00:47:11,335 ERROR [main]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]
Connecting with beeline:
After Kerberos is configured, every new session must first log in: kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/[email protected]
[root@hadoop01 hive-1.2.2]# kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/[email protected]
[root@hadoop01 hive-1.2.2]# beeline
Beeline version 1.2.2 by Apache Hive
beeline> !connect jdbc:hive2://hadoop01:10000/default;principal=hive/[email protected]
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase-1.2.1/lib/phoenix-4.14.1-HBase-1.2-client.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop-2.7.6/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Connecting to jdbc:hive2://hadoop01:10000/default;principal=hive/[email protected]
Enter username for jdbc:hive2://hadoop01:10000/default;principal=hive/[email protected]: hive
Enter password for jdbc:hive2://hadoop01:10000/default;principal=hive/[email protected]: ****
Connected to: Apache Hive (version 1.2.2)
Driver: Hive JDBC (version 1.2.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hadoop01:10000/default> show databases;
The user name and password entered here are those of the hive OS user created at the start; in this test they are hive/hive.
[root@hadoop01 hive-1.2.2]# hive
create table if not exists u1(
uid int,
age int
)
row format delimited fields terminated by ','
;
Data:
[root@hadoop01 hive-1.2.2]# vi /home/u1
1,18
2,20
3,20
4,32
5,18
6.20
#load the data
load data local inpath '/home/u1' into table u1;
#query
hive> select * from u1;
chmod: changing permissions of 'hdfs://hadoop01:9000/tmp/hive/hive/e9a76813-5c64-47f7-9a2b-5d7876111786/hive_2020-04-16_01-18-41_393_8778198899588815011-1/-mr-10000': Permission denied: user=hive, access=EXECUTE, inode="/tmp":hdfs:supergroup:drwx------
OK
1 18
2 20
3 20
4 32
5 18
6 NULL
hive> select count(*) from u1;
Query ID = root_20200416025824_e9adc8a8-7052-4ee9-8924-bf735461484b
Total jobs = 1
Launching Job 1 out of 1
Number of reduce tasks determined at compile time: 1
In order to change the average load for a reducer (in bytes):
set hive.exec.reducers.bytes.per.reducer=
In order to limit the maximum number of reducers:
set hive.exec.reducers.max=
In order to set a constant number of reducers:
set mapreduce.job.reduces=
Starting Job = job_1586976916277_0002, Tracking URL = http://hadoop01:8088/proxy/application_1586976916277_0002/
Kill Command = /usr/local/hadoop-2.7.6//bin/hadoop job -kill job_1586976916277_0002
Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1
2020-04-16 02:58:39,528 Stage-1 map = 0%, reduce = 0%
2020-04-16 02:58:45,992 Stage-1 map = 100%, reduce = 0%, Cumulative CPU 2.03 sec
2020-04-16 02:58:52,547 Stage-1 map = 100%, reduce = 100%, Cumulative CPU 4.51 sec
MapReduce Total cumulative CPU time: 4 seconds 510 msec
Ended Job = job_1586976916277_0002
MapReduce Jobs Launched:
Stage-Stage-1: Map: 1 Reduce: 1 Cumulative CPU: 4.51 sec HDFS Read: 6381 HDFS Write: 2 SUCCESS
Total MapReduce CPU Time Spent: 4 seconds 510 msec
OK
6
Time taken: 30.518 seconds, Fetched: 1 row(s)
hive>
With this, the Kerberos authentication configuration for Hive is complete!