Integrating HBase with Kerberos

Environment

This article describes how to add Kerberos to an existing non-secure cluster. The environment used is:

Component   Version
OS          CentOS-7
JDK         jdk-8u111-linux
Hadoop      hadoop-2.5.2
Zookeeper   zookeeper-3.4.9
HBase       hbase-1.3.1

Preparation

  • Disable the firewall

    Stop the firewall: systemctl stop firewalld.service
    Disable it at boot: systemctl disable firewalld.service
    
  • Disable SELinux

    Temporarily: setenforce 0
    Permanently: edit /etc/selinux/config and set SELINUX=disabled
    

Installing Kerberos

Wherever MQ or MQ.COM appears in the steps below, substitute your own host name and REALM.

  • Install the Kerberos packages

    yum install -y krb5-libs krb5-server krb5-workstation pam_krb5
    
  • Edit krb5.conf and kdc.conf

    • /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
     dns_lookup_realm = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
     default_realm = MQ.COM
     dns_lookup_kdc = true
    [realms]
     MQ.COM = {
      default_domain=mq.com
      kdc = mq
      admin_server = mq
     }
    [domain_realm]
     .mq.com = MQ.COM
     mq.com = MQ.COM
    
    • /var/kerberos/krb5kdc/kdc.conf
    [kdcdefaults]
      v4_mode = nopreauth
      kdc_tcp_ports = 88
    
    [realms]
      MQ.COM = {
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
      }
    
  • Create the KDC database

    kdb5_util create -s -r MQ.COM
    
  • Edit kadm5.acl

    Path: /var/kerberos/krb5kdc/kadm5.acl
    Set the following content:
    */[email protected]    *
    
  • Start Kerberos

    Start the services
    systemctl start krb5kdc
    systemctl start kadmin
    Enable them at boot
    systemctl enable krb5kdc
    systemctl enable kadmin
    
  • Edit /etc/ssh/ssh_config

    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDNS yes
    
  • Reload sshd

    systemctl reload sshd
    
  • Configure PAM

    authconfig-tui
    Select "[*] Use Kerberos" and choose Next,
    confirm that Realm, KDC and Admin Server are correct,
    select "[*] Use DNS to resolve hosts to realms"
           "[*] Use DNS to locate KDCs for realms"
    and choose OK to save.
    authconfig --enablekrb5 --update
    
  • Common commands

    • Enter the admin shell

      kadmin.local
      
    • Add a principal

      addprinc username
      addprinc -randkey username
      addprinc -randkey username/host
      
    • Delete a principal

      delete_principal username
      
    • Show a principal

      getprinc username
      
    • Authenticate (obtain a ticket)

      kinit username
      kinit -k -t <keytab path> principal
      
    • Check the current tickets

      klist
      
    • Destroy the current tickets

      kdestroy
      
    • Generate a keytab

      ktadd -k <keytab path> principal [principal ...]
      
    • List the principals in a keytab

      klist -ket <keytab path>
      
    • Set the maximum renewable lifetime

      modprinc -maxrenewlife 7days principal
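The kdc.conf above lists single-DES and RC4 (arcfour) enctypes alongside AES, and the admin commands above are run one principal at a time. The following script is an added example, not part of the original post: it reads the supported_enctypes line, reports the weak entries and produces a hardened replacement, then generates the kadmin.local commands that create the hadoop, zookeeper and hbase service principals and the per-service keytab files that the configuration files later in this post refer to. The realm MQ.COM, the host mq and the keytab directory /opt/hadoop/keytab/hadoop come from the post; the service list and the dry-run/apply switch are assumptions, and kadmin.local is only executed when apply=True.

```python
"""Added example (not from the original post): audit the KDC enctype list and
plan the service principals and keytabs for the cluster.

Assumptions: realm MQ.COM and host "mq" as in the post; service names hadoop,
zookeeper and hbase and the directory /opt/hadoop/keytab/hadoop are taken from
the post's config files. kadmin.local is run only when apply=True.
"""
import re
import shlex
import subprocess

# Constructed copy of the supported_enctypes line from the post's kdc.conf.
SAMPLE_KDC_CONF = """[realms]
  MQ.COM = {
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  }
"""


def parse_supported_enctypes(kdc_conf):
    """Return the enctype names (without the :salttype suffix)."""
    m = re.search(r"^\s*supported_enctypes\s*=\s*(.+)$", kdc_conf, re.MULTILINE)
    if not m:
        return []
    return [tok.split(":", 1)[0] for tok in m.group(1).split()]


def weak_enctypes(enctypes):
    """Single-DES and RC4 (arcfour) entries: accepted by the KDC when listed,
    but far below AES strength; a new deployment should not enable them."""
    return [e for e in enctypes if e.startswith("des-") or e.startswith("arcfour-")]


def hardened_supported_enctypes(kdc_conf):
    """Rewrite the supported_enctypes line keeping only the non-weak entries."""
    def repl(m):
        kept = [t for t in m.group(2).split()
                if not weak_enctypes([t.split(":", 1)[0]])]
        return m.group(1) + " ".join(kept)
    return re.sub(r"^(\s*supported_enctypes\s*=\s*)(.+)$", repl,
                  kdc_conf, flags=re.MULTILINE)


def service_principals(services, hosts, realm):
    """service/host@REALM for every service on every host."""
    return [f"{s}/{h}@{realm}" for s in services for h in hosts]


def kadmin_plan(services, hosts, realm, keytab_dir):
    """One 'addprinc -randkey' per principal plus one 'ktadd' per service
    keytab, mirroring the post's per-service files (hadoop.keytab, ...)."""
    cmds = []
    for svc in services:
        principals = service_principals([svc], hosts, realm)
        cmds += [f"addprinc -randkey {p}" for p in principals]
        # ktadd re-randomises the key: export each principal once, otherwise
        # every keytab exported earlier for that principal stops working.
        cmds.append(f"ktadd -k {keytab_dir}/{svc}.keytab " + " ".join(principals))
    return cmds


def run_kadmin(cmds, apply=False):
    """Return the shell command lines; execute them only when apply=True."""
    lines = ["kadmin.local -q " + shlex.quote(c) for c in cmds]
    if apply:
        for c in cmds:
            subprocess.run(["kadmin.local", "-q", c], check=True)
    return lines


if __name__ == "__main__":
    enc = parse_supported_enctypes(SAMPLE_KDC_CONF)
    print("weak enctypes:", weak_enctypes(enc))
    print(hardened_supported_enctypes(SAMPLE_KDC_CONF))
    plan = kadmin_plan(["hadoop", "zookeeper", "hbase"], ["mq"], "MQ.COM",
                       "/opt/hadoop/keytab/hadoop")
    for line in run_kadmin(plan, apply=False):  # dry run: prints, does not execute
        print(line)
```

Run it without arguments to print the hardened enctype line and the kadmin.local commands; pass apply=True to run_kadmin on the KDC host itself, since kadmin.local needs direct access to the KDC database. Each keytab produced this way should be copied to the node that runs the service and readable only by that service's account.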
      

Hadoop configuration

  • Install jsvc

    Download commons-daemon-x.x.x-src.tar.gz and commons-daemon-x.x.x-bin.tar.gz
    Download location: http://mirror.bit.edu.cn/apache//commons/daemon/
    Extract commons-daemon-x.x.x-src.tar.gz
    In the extracted directory run ./configure --with-java=$JAVA_HOME && make
    Copy the resulting jsvc binary into the hadoop-x.x.x/libexec directory
    
  • Download the JCE policy files

    CentOS 5.6 and later use AES-256 encryption, while Oracle's JCE by default limits the key length to 128 bits (16 bytes), so the Java Cryptography Extension (JCE) unlimited-strength policy files must be installed.
    Download for JDK 6:
    http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
    Download for JDK 7:
    http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
    Download for JDK 8:
    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
    After downloading, copy the extracted jar files into %JDK_HOME%\jre\lib\security
    
  • Edit the configuration files

    • core-site.xml

      <?xml version="1.0"?>
      <configuration>
          <property>
              <name>local.realm</name>
              <value>MQ</value>
          </property>
          <property>
              <name>fs.defaultFS</name>
              <value>hdfs://mq:8020</value>
          </property>
          <property>
              <name>hadoop.tmp.dir</name>
              <value>/usr/local/hadoop-2.5.2/tmp</value>
          </property>
          <property>
              <name>hadoop.proxyuser.hduser.hosts</name>
              <value>*</value>
          </property>
          <property>
              <name>hadoop.proxyuser.hduser.groups</name>
              <value>*</value>
          </property>
          <property>
              <name>hadoop.security.authentication</name>
              <value>kerberos</value>
          </property>
      </configuration>
      
    • hdfs-site.xml

      <?xml version="1.0"?>
      <configuration>
        <property>
          <name>dfs.replication</name>
          <value>1</value>
        </property>
        <property>
          <name>dfs.data.dir</name>
          <value>/usr/local/hadoop-2.5.2/data</value>
        </property>
        <property>
          <name>dfs.name.dir</name>
          <value>/usr/local/hadoop-2.5.2/name</value>
        </property>
        <property>
          <name>dfs.block.access.token.enable</name>
          <value>true</value>
        </property>
        <!-- NameNode -->
        <property>
          <name>dfs.https.address</name>
          <value>mq:50470</value>
        </property>
        <property>
          <name>dfs.https.port</name>
          <value>50470</value>
        </property>
        <property>
          <name>dfs.namenode.keytab.file</name>
          <value>/opt/hadoop/keytab/hadoop/hadoop.keytab</value>
        </property>
        <property>
          <name>dfs.namenode.kerberos.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <property>
          <name>dfs.namenode.kerberos.https.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <!-- Secondary NameNode -->
        <property>
          <name>dfs.secondary.https.address</name>
          <value>mq:50495</value>
        </property>
        <property>
          <name>dfs.secondary.https.port</name>
          <value>50495</value>
        </property>
        <property>
          <name>dfs.secondary.namenode.keytab.file</name>
          <value>/opt/hadoop/keytab/hadoop/hadoop.keytab</value>
        </property>
        <property>
          <name>dfs.secondary.namenode.kerberos.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <property>
          <name>dfs.secondary.namenode.kerberos.https.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <!-- DataNode -->
        <property>
          <name>dfs.datanode.data.dir.perm</name>
          <value>700</value>
        </property>
        <property>
          <name>dfs.datanode.address</name>
          <value>0.0.0.0:1004</value>
        </property>
        <property>
          <name>dfs.datanode.http.address</name>
          <value>0.0.0.0:1006</value>
        </property>
        <property>
          <name>dfs.datanode.keytab.file</name>
          <value>/opt/hadoop/keytab/hadoop/hadoop.keytab</value>
        </property>
        <property>
          <name>dfs.datanode.kerberos.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <property>
          <name>dfs.datanode.kerberos.https.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <property>
          <name>dfs.web.authentication.kerberos.principal</name>
          <value>hadoop/[email protected]</value>
        </property>
        <property>
          <name>dfs.datanode.require.secure.ports</name>
          <value>false</value>
        </property>
        <property>
          <name>dfs.namenode.kerberos.principal.pattern</name>
          <value>hdfs/*@MQ.COM</value>
        </property>
      </configuration>
      
    • hadoop-env.sh: add the following

      export JSVC_HOME=/opt/hadoop/hadoop-2.5.2/libexec
      

ZooKeeper configuration

  • jaas.conf (new file in the ZooKeeper conf directory)

    Server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/opt/hadoop/keytab/hadoop/zookeeper.keytab"
      storeKey=true
      useTicketCache=false
      principal="zookeeper/[email protected]";
    };
    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="/opt/hadoop/keytab/hadoop/zookeeper.keytab"
      storeKey=true
      useTicketCache=false
      principal="[email protected]";
    };
    
  • java.env (new file in the ZooKeeper conf directory)

    export JVMFLAGS="-Djava.security.auth.login.config=/opt/hadoop/zookeeper-3.4.9/conf/jaas.conf"
    export JAVA_HOME="/opt/hadoop/jdk1.8.0_111"
    
  • zoo.cfg: add the following

    kerberos.removeHostFromPrincipal=true
    kerberos.removeRealmFromPrincipal=true
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    jaasLoginRenew=3600000
    

HBase configuration

  • hbase-site.xml

    <?xml version="1.0"?>
    <configuration>
      <property>
        <name>hbase.rootdir</name>
        <value>hdfs://mq:8020/hbase</value>
      </property>
      <property>
        <name>hbase.zookeeper.quorum</name>
        <value>mq</value>
      </property>
      <property>
        <name>hbase.cluster.distributed</name>
        <value>true</value>
      </property>
      <property>
        <name>hbase.security.authentication</name>
        <value>kerberos</value>
      </property>
      <property>
        <name>hbase.rpc.engine</name>
        <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
      </property>
      <property>
        <name>hbase.regionserver.kerberos.principal</name>
        <value>hbase/[email protected]</value>
      </property>
      <property>
        <name>hbase.regionserver.keytab.file</name>
        <value>/opt/hadoop/keytab/hadoop/hbase.keytab</value>
      </property>
      <property>
        <name>hbase.master.kerberos.principal</name>
        <value>hbase/[email protected]</value>
      </property>
      <property>
        <name>hbase.master.keytab.file</name>
        <value>/opt/hadoop/keytab/hadoop/hbase.keytab</value>
      </property>
      <property>
        <name>dfs.namenode.kerberos.principal.pattern</name>
        <value>*</value>
      </property>
      <property>
        <name>javax.security.auth.useSubjectCredsOnly</name>
        <value>false</value>
      </property>
    </configuration>
    
  • zk-jaas.conf (new file in the HBase conf directory)

    Client {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      useTicketCache=false
      keyTab="/opt/hadoop/keytab/hadoop/zookeeper.keytab"
      principal="zookeeper/[email protected]";
    };
    
  • hbase-env.sh: add the following

    export HBASE_OPTS="$HBASE_OPTS -XX:+UseConcMarkSweepGC -Djava.security.auth.login.config=/opt/hadoop/hbase-1.3.1/conf/zk-jaas.conf"
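To confirm that the principals and keytab paths declared in hdfs-site.xml, hbase-site.xml and the two JAAS files actually match the keytabs on disk, and to see which identity ZooKeeper derives from a principal under the zoo.cfg settings kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal, here is an added example in Python; it is not code from the post, Hadoop or HBase. It pairs every *.kerberos.principal with its *.keytab.file, pulls keyTab and principal out of the JAAS blocks, parses `klist -ket` output for each keytab, and reports missing keytabs, missing principals and weak enctype entries. The realm MQ.COM, the host mq and the keytab paths are taken from the post; the _HOST placeholder, the site and JAAS fragments and the klist output are constructed for the example.

```python
"""Added example (not the project's code): cross-check configured
principal/keytab pairs against `klist -ket`, and show ZooKeeper's
identity shortening.

Assumptions: realm MQ.COM and host mq as in the post; _HOST is resolved to
the local host name; all sample inputs below are constructed.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of the post's hbase-site.xml.
SAMPLE_SITE_XML = """<configuration>
  <property><name>hbase.security.authentication</name><value>kerberos</value></property>
  <property><name>hbase.master.kerberos.principal</name><value>hbase/_HOST@MQ.COM</value></property>
  <property><name>hbase.master.keytab.file</name><value>/opt/hadoop/keytab/hadoop/hbase.keytab</value></property>
  <property><name>hbase.regionserver.kerberos.principal</name><value>hbase/_HOST@MQ.COM</value></property>
  <property><name>hbase.regionserver.keytab.file</name><value>/opt/hadoop/keytab/hadoop/hbase.keytab</value></property>
</configuration>
"""

# Constructed copy of the post's zk-jaas.conf shape.
SAMPLE_JAAS = """Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  useTicketCache=false
  keyTab="/opt/hadoop/keytab/hadoop/zookeeper.keytab"
  principal="zookeeper/mq@MQ.COM";
};
"""

# Constructed `klist -ket` output per keytab (MIT klist layout).
SAMPLE_KLIST = {
    "/opt/hadoop/keytab/hadoop/hbase.keytab": """Keytab name: FILE:/opt/hadoop/keytab/hadoop/hbase.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/12/2017 10:00:00 hbase/mq@MQ.COM (aes256-cts-hmac-sha1-96)
   2 10/12/2017 10:00:00 hbase/mq@MQ.COM (aes128-cts-hmac-sha1-96)
   2 10/12/2017 10:00:00 hbase/mq@MQ.COM (arcfour-hmac)
""",
    "/opt/hadoop/keytab/hadoop/zookeeper.keytab": """Keytab name: FILE:/opt/hadoop/keytab/hadoop/zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/12/2017 10:00:00 zookeeper/mq@MQ.COM (aes256-cts-hmac-sha1-96)
""",
}


def site_properties(xml_text):
    """name -> value for every <property> in a Hadoop-style site file."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.findall("property")}


def site_principal_keytab_pairs(props):
    """Pair each *.kerberos.principal with its sibling *.keytab.file."""
    pairs = []
    for key, principal in props.items():
        if key.endswith(".kerberos.principal"):
            keytab_key = key[:-len(".kerberos.principal")] + ".keytab.file"
            if keytab_key in props:
                pairs.append((principal, props[keytab_key]))
    return pairs


def jaas_principal_keytab_pairs(jaas_text):
    """(principal, keyTab) from every `Name { ... };` block of a JAAS file."""
    pairs = []
    for block in re.finditer(r"\w+\s*\{(.*?)\};", jaas_text, re.S):
        kt = re.search(r'keyTab="([^"]+)"', block.group(1))
        pr = re.search(r'principal="([^"]+)"', block.group(1))
        if kt and pr:
            pairs.append((pr.group(1), kt.group(1)))
    return pairs


def run_klist(keytab):
    """Real `klist -ket` output for a keytab on this machine (not used in tests)."""
    return subprocess.run(["klist", "-ket", keytab], capture_output=True,
                          text=True, check=True).stdout


def parse_klist(text):
    """principal -> set of enctypes from `klist -ket` output."""
    entries = {}
    for m in re.finditer(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$", text, re.M):
        entries.setdefault(m.group(1), set()).add(m.group(2))
    return entries


def check_pairs(pairs, klist_outputs, hostname, weak=("arcfour-hmac", "des-")):
    """Findings: keytab missing, principal absent, or weak enctype entry."""
    findings = []
    for principal, keytab in dict.fromkeys(pairs):  # de-duplicate, keep order
        resolved = principal.replace("_HOST", hostname)
        out = klist_outputs.get(keytab)
        if out is None:
            findings.append(f"{keytab}: keytab missing")
            continue
        entries = parse_klist(out)
        if resolved not in entries:
            findings.append(f"{keytab}: no entry for {resolved}")
            continue
        for enc in sorted(entries[resolved]):
            if enc.startswith(weak):
                findings.append(f"{keytab}: {resolved} has weak enctype {enc}")
    return findings


def zk_sasl_identity(principal, remove_host=True, remove_realm=True):
    """Identity ZooKeeper uses for SASL ACLs given the post's zoo.cfg flags."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    ident = service if (remove_host and host) else name
    return ident if remove_realm else f"{ident}@{realm}"


if __name__ == "__main__":
    pairs = site_principal_keytab_pairs(site_properties(SAMPLE_SITE_XML))
    pairs += jaas_principal_keytab_pairs(SAMPLE_JAAS)
    for line in check_pairs(pairs, SAMPLE_KLIST, "mq"):
        print(line)
    print(zk_sasl_identity("zookeeper/mq@MQ.COM"))  # ACL identity: zookeeper
```

On a real node, build the klist_outputs dictionary with run_klist for each keytab path found in the configs and pass the node's actual host name; an empty findings list means every configured service can log in from its keytab. With both remove flags set, the ZooKeeper principal zookeeper/mq@MQ.COM is shortened to the bare name zookeeper, which is the identity to use in ZooKeeper sasl: ACLs.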
    
