CDH 6.3.2: Enabling Kerberos Authentication

Tags (space-separated): big data platform construction


  • Part 1: Installing and configuring the KDC service

  • Part 2: Enabling Kerberos through CDH

  • Part 3: Logging in to Kerberos and accessing the Hadoop services

Part 1: Installing and configuring the KDC service

1.1 System environment

1. Operating system: CentOS 7.5 x64

2. CDH 6.3.2

3. All steps are run as the root user

1.2 Installing and configuring the KDC service

1. Install the KDC service on the Cloudera Manager server

 yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation


2. Edit /etc/krb5.conf

vim /etc/krb5.conf
----
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LANXIN.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LANXIN.COM = {
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }

[domain_realm]
 .lanxin.com = LANXIN.COM
 lanxin.com = LANXIN.COM
----

`default_ccache_name` is commented out on purpose: the Java Kerberos implementation used by the Hadoop services and clients cannot read the KEYRING credential cache type that CentOS 7 enables by default, so the hosts must fall back to a FILE cache. Because `includedir /etc/krb5.conf.d/` stays in place, also check that no snippet in that directory sets `default_ccache_name` back to KEYRING.



3. Edit /var/kerberos/krb5kdc/kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl
----
*/admin@LANXIN.COM      *
----

This single entry grants every principal whose instance is `admin` (for example `admin/admin@LANXIN.COM`) the full set of kadmin permissions (`*`). A principal that does not match gets no administrative rights at all, so the instance name `admin` is what decides who may create, modify and delete principals in this realm.

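As an added example (not code from the original page), the following POSIX shell script models how kadm5.acl entries are matched against principals: each `/`-separated component of the pattern is either a literal or `*`, the realm is compared the same way, and the first matching entry supplies the permission string. It is a simplification: the optional target-principal and restriction fields of a full entry are ignored, and the second ACL line in the sample file (`auditor/*@LANXIN.COM il`) is invented for contrast; both are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original page): a simplified evaluator for how
# MIT kadm5.acl entries match principals. Assumptions: only the first two
# fields of an entry (principal pattern, permissions) are used; the optional
# target-principal and restriction fields are ignored; each '/'-separated
# name component and the realm is either "*" (matches exactly one whole
# component) or a literal; the first matching entry wins.

# acl_principal_matches PRINCIPAL PATTERN -> 0 if the pattern matches.
acl_principal_matches() {
    p_name=${1%@*}; p_realm=${1##*@}
    a_name=${2%@*}; a_realm=${2##*@}
    [ "$a_realm" = '*' ] || [ "$a_realm" = "$p_realm" ] || return 1
    # Walk both names one component at a time. If one side runs out first the
    # component counts differ and it is a non-match, which is why
    # */admin@REALM matches neither admin@REALM nor a/b/admin@REALM.
    while [ -n "$p_name" ] || [ -n "$a_name" ]; do
        p_head=${p_name%%/*}; a_head=${a_name%%/*}
        case $p_name in */*) p_name=${p_name#*/} ;; *) p_name='' ;; esac
        case $a_name in */*) a_name=${a_name#*/} ;; *) a_name='' ;; esac
        [ -n "$p_head" ] && [ -n "$a_head" ] || return 1
        [ "$a_head" = '*' ] || [ "$a_head" = "$p_head" ] || return 1
    done
    return 0
}

# acl_perms_for PRINCIPAL ACL_FILE -> prints the permission field of the
# first matching entry; prints nothing and returns 1 when nothing matches.
acl_perms_for() {
    while read -r pat perms rest; do
        case $pat in ''|'#'*) continue ;; esac   # blank line or comment
        if acl_principal_matches "$1" "$pat"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample ACL: the entry from step 3 plus an invented read-only
# entry (inquire + list) for contrast. Written to a temp file so the example
# runs offline.
ACL_FILE=$(mktemp)
trap 'rm -f "$ACL_FILE"' EXIT
cat > "$ACL_FILE" <<'EOF'
# principal pattern        permissions
*/admin@LANXIN.COM         *
auditor/*@LANXIN.COM       il
EOF

# Show what a few principals would be allowed to do through kadmin.
for p in 'admin/admin@LANXIN.COM' 'cloudera/admin@LANXIN.COM' \
         'auditor/ro@LANXIN.COM' 'hdfs/node1.lanxin.com@LANXIN.COM' \
         'admin@LANXIN.COM'; do
    printf '%-36s %s\n' "$p" \
        "$(acl_perms_for "$p" "$ACL_FILE" || echo '(no admin rights)')"
done
```

The point the run makes is that service principals such as `hdfs/<host>@LANXIN.COM` and the one-component `admin@LANXIN.COM` get nothing, while anything with an `admin` instance in this realm gets everything; choosing instance names is therefore the access-control decision.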

4. Edit /var/kerberos/krb5kdc/kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
----

`max_renewable_life` must be set, otherwise the `renew_lifetime = 7d` requested in krb5.conf is silently ignored and long-running Hadoop jobs cannot renew their tickets. The `supported_enctypes` line is the stock CentOS one and still offers single DES (`des-*`), 3DES and RC4 (`arcfour-hmac`): current JDKs disable DES by default and RC4 is deprecated, so keys of those types are at best dead weight in every keytab and at worst a downgrade target. For a new realm keep only the `aes256-cts` and `aes128-cts` entries. AES-256 requires the JCE unlimited-strength policy on JDK 8 releases before 8u161 (later releases enable it by default), which is why the Cloudera Manager wizard offers to install that policy.

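The following script is added here and is not part of the original page. It reads the `supported_enctypes` line from a kdc.conf, lists the legacy entries (DES, 3DES and RC4 families, by assumption) and rewrites the line to the AES-only value, keeping a `.bak` copy. The file it operates on is a constructed copy of the `[realms]` block above written to a temp file; on a real KDC point it at /var/kerberos/krb5kdc/kdc.conf before running `kdb5_util create`, because the list only governs the key types generated for principals created or re-keyed afterwards.

```shell
#!/bin/sh
# Added example (not from the original page): audit the supported_enctypes
# line of a kdc.conf for legacy key types and rewrite it to AES only.
# Assumption: "weak" means the single-DES, 3DES and RC4 families; camellia is
# dropped only because the hardened line keeps just the AES types CDH needs.

is_weak_enctype() {            # is_weak_enctype NAME  (NAME without the :salt suffix)
    case $1 in
        des-*|des3-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

weak_enctypes_in() {           # weak_enctypes_in "VALUE" -> weak entries, space separated
    out=''
    for e in $1; do
        is_weak_enctype "${e%%:*}" && out="$out${out:+ }$e"
    done
    printf '%s\n' "$out"
}

hardened_enctypes() {          # hardened_enctypes "VALUE" -> AES entries only
    out=''
    for e in $1; do
        case ${e%%:*} in aes256-cts*|aes128-cts*) out="$out${out:+ }$e" ;; esac
    done
    printf '%s\n' "$out"
}

read_supported_enctypes() {    # read_supported_enctypes FILE -> current value
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1"
}

harden_kdc_conf() {            # harden_kdc_conf FILE  (in place, keeps FILE.bak)
    new=$(hardened_enctypes "$(read_supported_enctypes "$1")")
    # Refuse to write an empty list: that would leave the realm unable to
    # create keys at all.
    [ -n "$new" ] || { echo "no AES enctypes in $1, refusing to rewrite" >&2; return 1; }
    sed -i.bak "s|^\([[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*\).*|\1$new|" "$1"
}

# Constructed copy of the page's [realms] block, written to a temp file so the
# example runs without touching a real KDC.
KDC_CONF=$(mktemp)
trap 'rm -f "$KDC_CONF" "$KDC_CONF.bak"' EXIT
cat > "$KDC_CONF" <<'EOF'
[realms]
 LANXIN.COM = {
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

echo "weak types offered: $(weak_enctypes_in "$(read_supported_enctypes "$KDC_CONF")")"
harden_kdc_conf "$KDC_CONF"
echo "after rewrite: supported_enctypes = $(read_supported_enctypes "$KDC_CONF")"
```

Run against the stock line the audit reports five legacy entries, and the rewritten line is `supported_enctypes = aes256-cts:normal aes128-cts:normal`. The same `is_weak_enctype` test can be applied to the output of `klist -ket` on any keytab the cluster later generates, to confirm no legacy keys are being handed out.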


5. Create the Kerberos database

kdb5_util create -r LANXIN.COM -s
----
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
master key name 'K/M@LANXIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:
----
Enter the master password for the Kerberos database when prompted (the password used in this walkthrough is LANXIN.COM). The `-s` flag writes a stash file (/var/kerberos/krb5kdc/.k5.LANXIN.COM) so that krb5kdc can start without the password being typed in; that file is equivalent to the master key and must stay readable by root only. A master password equal to the realm name is acceptable only for a throwaway test KDC; use a long random one anywhere else.


6. Create the Kerberos admin principal
   admin/admin@LANXIN.COM

kadmin.local
----
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  
kadmin.local:  addprinc admin/admin@LANXIN.COM
WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "admin/admin@LANXIN.COM":     [password used here: admin]
Re-enter password for principal "admin/admin@LANXIN.COM": 
Principal "admin/admin@LANXIN.COM" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/<kdc-host>@LANXIN.COM
kiprop/<kdc-host>@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

(`<kdc-host>` stands for the KDC's host name, which was lost when this page was extracted.) The "no policy specified" warning means no password policy applies to this principal; the password `admin` is a lab placeholder that no real policy would accept. The instance `admin` is what matches the kadm5.acl entry from step 3 and makes this principal a full KDC administrator, so treat its password accordingly.



7. Enable the Kerberos services at boot and start krb5kdc and kadmin

  systemctl enable krb5kdc
  systemctl enable kadmin
  systemctl start krb5kdc
  systemctl start kadmin



8. Test the Kerberos admin account

  kinit admin/admin@LANXIN.COM
----
Password for admin/admin@LANXIN.COM: 
[root@dev01 ~]# 
[root@dev01 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@LANXIN.COM

Valid starting       Expires              Service principal
05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
    renew until 06/02/2020 16:26:36
----

A successful kinit followed by a TGT in klist shows that krb5kdc, the database and the admin principal all work, and the 24h lifetime with a 7d renewal window matches the krb5.conf and kdc.conf settings. Note the `Ticket cache: KEYRING:persistent:0:0` line, though: in this shell the ticket still went into the kernel keyring, so the commented-out `default_ccache_name` from step 2 was not in effect here (the screenshot may predate the edit, a snippet under /etc/krb5.conf.d/ may set it, or KRB5CCNAME may be exported). Before enabling Kerberos in CDH, run klist on the cluster hosts and make sure it reports a `FILE:` cache, since the Java clients cannot use a KEYRING cache.


9. Install the Kerberos client packages on every cluster host, including the Cloudera Manager host

yum -y install krb5-libs krb5-workstation



10. Install the additional package required on the Cloudera Manager Server host

yum -y install openldap-clients



11. Copy krb5.conf from the KDC server to every Kerberos client host

scp /etc/krb5.conf root@<client-host>:/etc

Repeat once per cluster host (the original page shows one scp per node; `<client-host>` stands for each node's host name, which was lost when the page was extracted). Every host must end up with the same realm, KDC address and `default_ccache_name` setting as the KDC.


Part 2: Enabling Kerberos on the CDH cluster

1. Add an admin principal for Cloudera Manager in the KDC
    cloudera/admin@LANXIN.COM
----
[root@dev01 ~]# kadmin.local 
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  addprinc cloudera/admin@LANXIN.COM
WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "cloudera/admin@LANXIN.COM":       [password used here: cloudera]
Re-enter password for principal "cloudera/admin@LANXIN.COM": 
Principal "cloudera/admin@LANXIN.COM" created.
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
cloudera/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/<kdc-host>@LANXIN.COM
kiprop/<kdc-host>@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

Cloudera Manager uses this principal and its password (entered in the wizard as the Kerberos account manager credentials) to create one principal per role per host and to generate their keytabs, so it needs the full permissions that the `*/admin@LANXIN.COM` ACL entry grants; its instance must therefore be `admin`. The password `cloudera` is a lab value; in a real deployment this is a KDC administrator secret.



2. Go to "Administration" -> "Security" in Cloudera Manager and work through the Kerberos setup screens

[Screenshots 13 to 19 of the original page: the Cloudera Manager Kerberos setup screens]

Use `xst -k` to export the principals into a single test keytab, /etc/devcdh.keytab:

kadmin.local

xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM 

xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM

xst -k /etc/devcdh.keytab hdfs/<host>@LANXIN.COM 
.......

(`<host>` stands for the cluster host name lost in extraction.) Two cautions before running this. First, `xst` (an alias of `ktadd`) generates a new random key for every principal it exports, so after these commands the passwords set for admin/admin and cloudera/admin stop working: kinit with the password fails, and Cloudera Manager can no longer authenticate with the cloudera/admin password it was given in the wizard. In kadmin.local add `-norandkey` to keep the existing keys. Second, a keytab containing admin/admin is a full KDC-administrator credential: anyone who can read the file can create and delete any principal in the realm, so keep it mode 0600 and owned by root, and delete it once the test is over.

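As an added example (not the page's own commands), this script shows the safer form of the keytab export together with a check on the result: `export_keytab_norandkey` wraps kadmin.local with `-norandkey` so the admin principals' passwords survive, and `missing_principals` compares a `klist -kt` listing against the principals you expected to export. The listing, the node1.lanxin.com host and the HTTP principal are constructed for the example, and `export_keytab_norandkey` is defined but not executed, so the script runs without a KDC.

```shell
#!/bin/sh
# Added example (not from the original page): export a test keytab without
# rotating the principals' keys, lock the file down, and check that the
# expected principals made it in. kadmin.local is only invoked by
# export_keytab_norandkey, which is not run here; the listing check runs on a
# constructed sample of "klist -kt" output so the example works offline.

# export_keytab_norandkey KEYTAB PRINCIPAL...   (run as root on the KDC host)
# -norandkey keeps each principal's current key, so password logins for
# admin/admin and cloudera/admin keep working; plain "xst" would replace the
# key with a random one and silently break them. Only kadmin.local accepts it.
export_keytab_norandkey() {
    keytab=$1; shift
    for p in "$@"; do
        kadmin.local -q "xst -norandkey -k $keytab $p" || return 1
    done
    chmod 600 "$keytab"
}

# keytab_principals < klist-output -> distinct principals in the listing
# (entry lines start with a numeric KVNO; the header lines do not).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# missing_principals "LISTING" PRINCIPAL... -> prints each expected principal
# that is absent from the listing; returns 1 if any is missing.
missing_principals() {
    present=$(printf '%s\n' "$1" | keytab_principals); shift
    rc=0
    for p in "$@"; do
        printf '%s\n' "$present" | grep -qxF -- "$p" \
            || { printf 'missing: %s\n' "$p"; rc=1; }
    done
    return $rc
}

# keytab_perms_ok FILE -> 0 when the file is exactly mode 0600.
keytab_perms_ok() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Constructed sample in the format of "klist -kt /etc/devcdh.keytab". The
# hdfs host name is invented. admin/admin appears twice because each enctype
# in supported_enctypes gets its own keytab entry; KVNO stays at 1 because
# -norandkey did not re-key the principals.
SAMPLE_LISTING='Keytab name: FILE:/etc/devcdh.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 05/26/2020 16:40:12 admin/admin@LANXIN.COM
   1 05/26/2020 16:40:12 admin/admin@LANXIN.COM
   1 05/26/2020 16:40:13 cloudera/admin@LANXIN.COM
   1 05/26/2020 16:40:13 hdfs/node1.lanxin.com@LANXIN.COM'

missing_principals "$SAMPLE_LISTING" 'admin/admin@LANXIN.COM' 'cloudera/admin@LANXIN.COM' \
    && echo "all expected principals present"
missing_principals "$SAMPLE_LISTING" 'HTTP/node1.lanxin.com@LANXIN.COM' \
    || echo "(expected: the HTTP principal was never exported)"
```

On a real KDC the call would be `export_keytab_norandkey /etc/devcdh.keytab admin/admin@LANXIN.COM cloudera/admin@LANXIN.COM` followed by `missing_principals "$(klist -kt /etc/devcdh.keytab)" ...` and `keytab_perms_ok /etc/devcdh.keytab`; a `missing:` line means a principal name was mistyped or the export stopped early, and a failed permission check means the admin credential is readable by other users.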