As everyone knows, Kerberos is the most widely used mechanism for securing communication in big-data environments; it is a network protocol.
This post does not cover how Kerberos works, only how to set up a Kerberos environment with Docker. The Dockerfile is:
FROM centos:7
RUN yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
CMD ["/usr/sbin/init"]
Place the Dockerfile in any directory and run the following there:
docker build -t kdc:1.0 .
Wait for the image to build; since this downloads and installs Kerberos, it may take a while.
Running docker images shows the newly built image. Then start a container from it:
docker run --privileged=true -p 88:88 -p 749:749 -p 750:750 -d --name="my_kdc" kdc:1.0
First, open a bash shell in the container:
docker exec -it my_kdc bash
cat > /var/kerberos/krb5kdc/kdc.conf << EOF
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF
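As an added example (not part of the original post, and not MIT Kerberos code), the following Python parses the kdc.conf written above and reports which entries in supported_enctypes belong to deprecated families (single DES, 3DES, RC4), which that config enables alongside AES and Camellia. The parser and the embedded sample string are my own construction.

```python
import re

# Enctype families deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

def parse_krb5_conf(text):
    """Parse kdc.conf/krb5.conf profile syntax ([section], key = value, name = { ... }) into nested dicts."""
    result, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "includedir")):
            continue  # skip blanks, comment lines and includedir directives
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = result.setdefault(header.group(1), {}), None
            continue
        if section is None:
            continue  # data before the first [section] is not valid profile syntax
        if line == "}":
            block = None
            continue
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:
            block = section.setdefault(opener.group(1), {})
            continue
        key, _, value = line.partition("=")
        (block if block is not None else section)[key.strip()] = value.strip()
    return result

def weak_enctypes(conf, realm):
    """Return the deprecated enctypes in realm's supported_enctypes, in listed order."""
    realm_cfg = conf.get("realms", {}).get(realm, {})
    weak = []
    for entry in realm_cfg.get("supported_enctypes", "").split():
        enctype = entry.split(":", 1)[0]  # drop the ":normal" salt-type suffix
        if enctype.startswith(WEAK_ENCTYPE_PREFIXES):
            weak.append(enctype)
    return weak

# Constructed sample: the relevant lines of the kdc.conf written into the container above.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
kdc_ports = 88
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
"""
```

Running weak_enctypes(parse_krb5_conf(SAMPLE_KDC_CONF), "HADOOP.COM") lists the five DES/3DES/RC4 entries; removing them from supported_enctypes leaves only the AES and Camellia types.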
cat > /etc/krb5.conf << EOF
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = HADOOP.COM
udp_preference_limit = 1
[realms]
HADOOP.COM = {
kdc = kdc
admin_server = kdc
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
EOF
cat >> /etc/hosts << EOF
127.0.0.1 kdc
EOF
cat > /var/kerberos/krb5kdc/kadm5.acl << EOF
*/admin@HADOOP.COM *
EOF
kdb5_util create -s -r HADOOP.COM
systemctl start kadmin krb5kdc
Enter the kadmin interactive shell:
kadmin.local
To use kadmin, you first have to create a principal in kadmin.local (here wentjiang/admin, created with addprinc); only once it exists, with the permissions granted by kadm5.acl, can it be used.
Remember the password you set when adding it. After running kinit as wentjiang/admin and entering the password, klist shows the ticket information:
kinit wentjiang/admin
klist
What Kerberos provides is mutual verification between two services, for example proving to service B that the service A requesting it really is A. The operation here is registering our own service's information with the KDC. First, enter kadmin again.
Principals are usually named {component}/{hostname}@{REALM}, e.g. alluxio/wentjiang@HADOOP.COM.
Add the alluxio principal:
addprinc -randkey alluxio/wentjiang@HADOOP.COM
Generate the keytab file:
xst -k alluxio.keytab alluxio/wentjiang@HADOOP.COM
Copy the file out to the local machine for use there:
docker cp my_kdc:/alluxio.keytab ./
cat > /etc/krb5.conf << EOF
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_realm = HADOOP.COM
udp_preference_limit = 1
[realms]
HADOOP.COM = {
kdc = kdc
admin_server = kdc
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
EOF
cat >> /etc/hosts << EOF
127.0.0.1 kdc
EOF
kinit -kt /Users/wentao.jiang/Downloads/docker/alluxio.keytab alluxio/wentjiang
klist