Kerberos overview:
Kerberos is a secure network authentication protocol: it lets a client and a service authenticate each other without either side sending a password across the network. Kerberos uses symmetric-key cryptography to issue time-limited tickets.
In the security model, the "three heads" of Kerberos are:
The user who is trying to authenticate.
The service the client wants to authenticate to.
The Kerberos security service, acting as the Key Distribution Center (KDC), which both users and services trust. The KDC stores the keys that users and services use to communicate with each other.
The KDC provides two main functions:
Authentication Service (AS)
Ticket Granting Service (TGS)
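The AS and TGS exchanges just listed, modelled end to end as an added example. This is not part of the original post and not MIT Kerberos code: the realm HADOOP.COM is the page's, while the principals, the password and the HMAC-based toy cipher that stands in for Kerberos's real encryption types are constructed for illustration. The point it shows is that the password is only ever turned into a key on the client, the KDC returns a reply only that key can open, and the service learns who the client is by decrypting the ticket with its own long-term key.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "HADOOP.COM"           # realm used on this page
TICKET_LIFETIME = 24 * 3600    # seconds; mirrors ticket_lifetime = 24h in krb5.conf
TGT_PRINCIPAL = f"krbtgt/{REALM}@{REALM}"


def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: the KDC stores this value, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> bytes:
    # Toy encrypt-then-MAC (nonce || ciphertext || tag). Illustrative only, not a real enctype.
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Holds every principal's long-term key and runs the AS and the TGS."""

    def __init__(self):
        self.keys = {TGT_PRINCIPAL: os.urandom(32)}   # the krbtgt key never leaves the KDC

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, name)

    def authentication_service(self, client: str, now: float) -> bytes:
        """AS-REP: a session key plus a TGT; only the client's own key opens the reply."""
        session_key = os.urandom(32)
        tgt = encrypt(self.keys[TGT_PRINCIPAL],
                      {"client": client, "key": session_key.hex(), "expires": now + TICKET_LIFETIME})
        return encrypt(self.keys[client], {"session_key": session_key.hex(), "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS-REP: check the TGT and the authenticator, then issue a ticket for `service`."""
        body = decrypt(self.keys[TGT_PRINCIPAL], tgt)
        if now > body["expires"]:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(body["key"])
        auth = decrypt(session_key, authenticator)   # proves the caller holds the session key
        if auth["client"] != body["client"] or abs(now - auth["timestamp"]) > 300:
            raise PermissionError("authenticator mismatch or clock skew over 5 minutes")
        service_key = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": body["client"], "key": service_key.hex()})
        return encrypt(session_key, {"service_key": service_key.hex(), "ticket": ticket.hex()})


def get_service_ticket(kdc: KDC, client: str, password: str, service: str, now: float = None) -> bytes:
    """Client side: the password is only turned into a key locally; it is never sent."""
    now = time.time() if now is None else now
    as_rep = decrypt(derive_key(password, client), kdc.authentication_service(client, now))
    session_key, tgt = bytes.fromhex(as_rep["session_key"]), bytes.fromhex(as_rep["tgt"])
    authenticator = encrypt(session_key, {"client": client, "timestamp": now})
    tgs_rep = decrypt(session_key, kdc.ticket_granting_service(tgt, authenticator, service, now))
    return bytes.fromhex(tgs_rep["ticket"])


def service_accepts(service_key: bytes, ticket: bytes) -> str:
    """Service side: its own long-term key (in practice read from its keytab) opens the ticket."""
    return decrypt(service_key, ticket)["client"]


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal(f"test@{REALM}", "constructed-password")           # user principal from the page
    kdc.add_principal(f"hive/p1@{REALM}", "constructed-service-secret")  # constructed service principal
    ticket = get_service_ticket(kdc, f"test@{REALM}", "constructed-password", f"hive/p1@{REALM}")
    print("service identified the client as:", service_accepts(kdc.keys[f"hive/p1@{REALM}"], ticket))
```

A wrong password produces a client key that cannot open the AS reply, so the flow stops before any ticket exists; the 5-minute window on the authenticator is why the page later relies on clock-synchronised hosts and a short `ticket_lifetime`.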
Server setup:
10.25.169.115 p1
10.26.21.193 p2
10.25.1.170 p3
Install the KDC and the Kerberos client
Install the KDC on p1
yum install krb5-server krb5-libs krb5-auth-dialog
Install the client on p2 and p3
yum -y install krb5-auth-dialog krb5-workstation
Edit three configuration files:
[root@p1 ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  max_renewable_life = 7d
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@p1 ~]# vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 HADOOP.COM = {
  kdc = p1
  admin_server = p1
 }
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
[root@p1 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
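A check a reviewer would want to run over the two files above before handing them out: the kdc.conf `supported_enctypes` list still advertises single DES, 3DES and RC4, and krb5.conf disables DNS lookup, so the `[realms]` block has to name the KDC. This is an added example, not code from the original post or from MIT Kerberos; it embeds constructed copies of the page's kdc.conf and krb5.conf (same realm and hosts) and parses them with a small reader for the `[section]` / `key = value` / `NAME = { ... }` syntax.

```python
import re

# Encryption types that newer MIT Kerberos releases have removed or deprecated (single DES, 3DES, RC4).
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour")

# Constructed copies of the two files shown above (realm and hosts as on the page).
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_kdc = false
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 HADOOP.COM = {
  kdc = p1
  admin_server = p1
 }
[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
"""


def parse_krb5_conf(text: str) -> dict:
    """Parse [section] / key = value / NAME = { ... } into nested dicts; '#' comments and includedir are skipped."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"setting outside any [section]: {line}")
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            conf[section][block] = {}
            continue
        key, _, value = line.partition("=")
        target = conf[section][block] if block else conf[section]
        target[key.strip()] = value.strip()
    return conf


def weak_enctypes(conf: dict, realm: str) -> list:
    """supported_enctypes entries for `realm` that use weak ciphers, in file order."""
    entries = conf["realms"][realm].get("supported_enctypes", "").split()
    return [e for e in entries if e.lower().startswith(WEAK_ENCTYPE_PREFIXES)]


def hardened_enctypes(conf: dict, realm: str) -> str:
    """The same list with the weak entries dropped, ready to paste back into kdc.conf."""
    entries = conf["realms"][realm].get("supported_enctypes", "").split()
    return " ".join(e for e in entries if not e.lower().startswith(WEAK_ENCTYPE_PREFIXES))


def check_realm_wiring(conf: dict) -> list:
    """krb5.conf mistakes that stop a client from even locating the KDC."""
    problems = []
    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm")
    if not realm:
        return ["libdefaults.default_realm is not set"]
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or "kdc" not in realm_block:
        problems.append(f"[realms] does not list a kdc for {realm}")
        # MIT's default for dns_lookup_kdc is true; the page sets it to false explicitly.
        if libdefaults.get("dns_lookup_kdc", "true").lower() == "false":
            problems.append("dns_lookup_kdc is false, so clients have no other way to find the KDC")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in conf.get("realms", {}):
            problems.append(f"[domain_realm] maps {domain} to {mapped}, which has no [realms] block")
    return problems
```

Against the page's kdc.conf it reports five DES/3DES/RC4 entries and the hardened list keeps only the AES and Camellia types; principals created after the list is trimmed get only strong keys, while existing principals keep their old keys until their password is changed or `xst` regenerates them.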
Copy the client configuration to the other two machines
[root@p1 ~]# scp /etc/krb5.conf root@p2:/etc/krb5.conf
krb5.conf 100% 644 702.9KB/s 00:00
[root@p1 ~]# scp /etc/krb5.conf root@p3:/etc/krb5.conf
krb5.conf 100% 644 464.3KB/s 00:00
Initialize the KDC database
[root@p1 ~]# /usr/sbin/kdb5_util create -s -r HADOOP.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HADOOP.COM',
master key name 'K/[email protected]'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: [password]
Re-enter KDC database master key to verify:
Create the admin principal
[root@p1 krb5kdc]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/[email protected] with password.
WARNING: no policy specified for admin/[email protected]; defaulting to no policy
Enter password for principal "admin/[email protected]": dtwave@2019
Re-enter password for principal "admin/[email protected]":
Principal "admin/[email protected]" created.
[root@p1 ~]# kadmin.local
kadmin.local: addprinc test
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]": dtwave@2019
Principal "[email protected]" created.
kadmin.local: list_principals
K/[email protected]
admin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kiprop/[email protected]
krbtgt/[email protected]
[email protected]
kadmin.local: addprinc -randkey [email protected]
WARNING: no policy specified for [email protected]; defaulting to no policy
add_principal: Principal or policy already exists while creating "[email protected]".
kadmin.local: xst -k service.keytab test
Entry for principal test with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:service.keytab.
Entry for principal test with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:service.keytab.
View the keytab contents
[root@p1 ~]# klist -k -t service.keytab
Keytab name: FILE:service.keytab
KVNO Timestamp Principal
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
2 11/27/2019 17:18:25 [email protected]
[root@p1 ~]# kinit -kt service.keytab [email protected]
[root@p1 ~]#
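Two things worth checking on every keytab the page produces, as an added example that is not part of the original post: that the entries it holds are still current with the KDC, and that the file is not readable by other users, since a keytab is a long-term credential equivalent to the principal's password. The `klist -k -t` listing is a constructed copy of the one above with the realm written out as HADOOP.COM (the page's realm) and one deliberately older entry added; the permission check runs on a throwaway file it creates itself.

```python
import os
import re
import stat
import tempfile

# Constructed listing in `klist -k -t` format (realm filled in; the kvno 1 entry is added to show staleness).
SAMPLE_KLIST = """\
Keytab name: FILE:service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/27/2019 17:18:25 test@HADOOP.COM
   2 11/27/2019 17:18:25 test@HADOOP.COM
   1 11/27/2019 17:18:25 test@HADOOP.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def parse_klist_keytab(text: str) -> list:
    """Return (kvno, timestamp, principal) tuples from `klist -k -t` output; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def summarize(entries: list) -> dict:
    """Map each principal to the sorted set of key version numbers present in the keytab."""
    out = {}
    for kvno, _, principal in entries:
        out.setdefault(principal, set()).add(kvno)
    return {p: sorted(v) for p, v in out.items()}


def stale_entries(entries: list, current_kvno: dict) -> list:
    """Entries whose kvno is older than the KDC's current kvno for that principal.

    Every `xst`/`ktadd` without -norandkey re-randomises the key and bumps the kvno, so an
    older keytab for the same principal still lists it but `kinit -kt` will fail with it.
    `current_kvno` is what `kadmin.local getprinc <principal>` reports.
    """
    return [e for e in entries if e[0] < current_kvno.get(e[2], e[0])]


def check_keytab_file(path: str) -> list:
    """Problems with a keytab on disk: missing, empty, or readable by group/other."""
    if not os.path.exists(path):
        return [f"{path}: does not exist"]
    st = os.stat(path)
    problems = []
    if st.st_size == 0:
        problems.append(f"{path}: empty file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is readable by group/other; use 0600")
    return problems


def demo_permission_check() -> tuple:
    """Create a throwaway keytab with loose, then tight, permissions and return both reports."""
    path = os.path.join(tempfile.mkdtemp(), "service.keytab")
    with open(path, "wb") as fh:
        fh.write(b"\x05\x02")   # keytab v2 magic bytes; a constructed stand-in for real entries
    os.chmod(path, 0o644)
    loose = check_keytab_file(path)
    os.chmod(path, 0o600)
    return loose, check_keytab_file(path)


if __name__ == "__main__":
    entries = parse_klist_keytab(SAMPLE_KLIST)
    print("principals and kvnos:", summarize(entries))
    print("stale against kvno 2:", stale_entries(entries, {"test@HADOOP.COM": 2}))
    print("permission reports:", demo_permission_check())
```

Running `ls -l` on the keytab directories the page later searches under /opt is the manual version of the same check: anyone who can read a keytab can `kinit -kt` as that service, so 0600 and a dedicated owner are the baseline.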
What needs to be configured:
When the setup wizard asks for an account that is allowed to create principals:
use admin/[email protected]
and enter its password [password].
Click Next; once the checks pass, Kerberos can be enabled.
Run an HDFS command again
[root@p1 ~]# hdfs dfs -ls /
19/11/29 09:42:18 WARN security.UserGroupInformation: PriviledgedActionException as:admin/[email protected] (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Generic error (description in e-text) (60) - PROCESS_TGS)]
Look for a keytab file.
find /opt/ | grep keytab
kinit -kt /opt/cloudera-manager/cm-5.15.2/run/cloudera-scm-agent/process/250-hue-HUE_SERVER/hue.keytab hue/[email protected]
Run the HDFS command again; this time authentication succeeds.
[root@p1 opt]# ./presto --server localhost:8080 --catalog hive
presto> show SCHEMAS;
Query 20191129_020656_00149_jutv4 failed: p1:9083: null
The query fails.
[root@p1 catalog]# pwd
/opt/presto-server-0.228/etc/catalog
[root@p1 catalog]# vim hive.properties
Use Hive's keytab file directly
# Kerberos settings for Presto's access to the Hive Metastore; this block only needs to exist on the Presto coordinator node
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/[email protected]
hive.metastore.client.principal=hive/[email protected]
hive.metastore.client.keytab=/opt/presto-server-0.228/etc/hive.keytab
# Kerberos settings for Presto's access to HDFS; this block only needs to exist on the Presto worker nodes (workers read HDFS data directly)
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.impersonation.enabled=false
hive.hdfs.presto.principal=hive/[email protected]
hive.hdfs.presto.keytab=/opt/presto-server-0.228/etc/hive.keytab
After the configuration is done, restart every node of the Presto cluster
./launcher restart
and make sure the required permissions are in place.
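The "required permissions" above are mostly about the keytab the connector points at, and the `p1:9083: null` failure earlier is what an inconsistent Kerberos section looks like from the Presto CLI. The following validator, an added example that is not part of the original post or of Presto, checks the invariants the configuration above relies on: when an authentication type is KERBEROS the matching principal and keytab keys must all be set, every principal must carry the realm, and the keytab must exist and be readable by the Presto user. The embedded properties text is a constructed copy of the page's hive.properties; the host part of the principal (`p1`) is a placeholder because the page obscures it, and the realm is the page's HADOOP.COM.

```python
import os

# Constructed copy of the hive.properties shown above (principal host is a placeholder).
SAMPLE_PROPERTIES = """\
# Kerberos settings for the Hive Metastore connection (coordinator)
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/p1@HADOOP.COM
hive.metastore.client.principal=hive/p1@HADOOP.COM
hive.metastore.client.keytab=/opt/presto-server-0.228/etc/hive.keytab
# Kerberos settings for HDFS access (workers)
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.impersonation.enabled=false
hive.hdfs.presto.principal=hive/p1@HADOOP.COM
hive.hdfs.presto.keytab=/opt/presto-server-0.228/etc/hive.keytab
"""

# For each authentication switch, the keys that must be present when it is set to KERBEROS.
KERBEROS_REQUIREMENTS = {
    "hive.metastore.authentication.type": (
        "hive.metastore.service.principal",
        "hive.metastore.client.principal",
        "hive.metastore.client.keytab",
    ),
    "hive.hdfs.authentication.type": (
        "hive.hdfs.presto.principal",
        "hive.hdfs.presto.keytab",
    ),
}


def parse_properties(text: str) -> dict:
    """Java .properties subset: '#' comments, blank lines, key=value split on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def default_keytab_ok(path: str) -> bool:
    """True when the keytab exists and the current user (ideally the Presto user) can read it."""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def validate_kerberos_properties(props: dict, realm: str, keytab_ok=default_keytab_ok) -> list:
    """Return a list of problems; an empty list means the Kerberos wiring is consistent."""
    problems = []
    for switch, required in KERBEROS_REQUIREMENTS.items():
        if props.get(switch, "NONE").upper() != "KERBEROS":
            continue
        for key in required:
            value = props.get(key)
            if not value:
                problems.append(f"{switch}=KERBEROS but {key} is not set")
            elif key.endswith(".keytab") and not keytab_ok(value):
                problems.append(f"{key}: {value} is missing or not readable by the Presto user")
            elif key.endswith(".principal") and not value.endswith("@" + realm):
                problems.append(f"{key}: {value} does not carry the realm @{realm}")
    return problems


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for problem in validate_kerberos_properties(props, "HADOOP.COM") or ["no problems found"]:
        print(problem)
```

Run it as the user that owns the Presto process so the readability check reflects what the coordinator and workers will actually see; `keytab_ok` is injectable so the logic can also be exercised without the keytab on disk.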
Edit Alluxio's alluxio-site.properties file
alluxio.master.keytab.file=/opt/alluxio/conf/hive.keytab
alluxio.master.principal=hive/[email protected]
alluxio.worker.keytab.file=/opt/alluxio/conf/hive.keytab
alluxio.worker.principal=hive/[email protected]
./alluxio-stop.sh all
./alluxio-start.sh all