HDFS with Kerberos: creating a CA and SSL certificates

This post only covers the process of creating the SSL certificates; for the rest of the HDFS Kerberos configuration, refer to other articles.

Why SSL is needed: while integrating HDFS with Kerberos, the standby NameNode would not start. The log showed the cause: HDFS was configured with https_only, so the NameNode metadata could not be transferred during synchronization. SSL certificates are therefore required; once they were in place, the whole process worked.

Assume we have three machines: m1, m2, m3.

  • On the first machine m1, run the following in the ~ directory (replace the variable m1_hostname with the hostname of the first machine):
      openssl req -new -x509 -passout pass:password -keyout bd_ca_key -out bd_ca_cert -days 9999 -subj "/C=CN/ST=beijing/L=beijing/O=m1_hostname/OU=m1_hostname/CN=m1_hostname"
  • This produces two files: bd_ca_key and bd_ca_cert.

  • Then run the following script on the first machine. It does the following:
    1. copies bd_ca_key and bd_ca_cert to all three machines
    2. creates the directory /var/lib/hadoop-hdfs/
    3. generates the certificates
    4. distributes the certificates to the target directory

Note: I used password for every certificate password. Replace it if needed, and change the passwords in ssl-client.xml and ssl-server.xml to match; templates for both files are given below.

# Assumes MACHINEPASSWORD is set in the environment and the file hosts
# lists one hostname per line (m1, m2, m3).
SSHCMD="sshpass -p $MACHINEPASSWORD ssh -o StrictHostKeyChecking=no "
SCPCMD="sshpass -p $MACHINEPASSWORD scp -r -o StrictHostKeyChecking=no "
SSHUSER="root"

for node in $(cat hosts); do
    $SSHCMD ${SSHUSER}@${node} "sudo mkdir -p /var/lib/hadoop-hdfs/"
    $SSHCMD ${SSHUSER}@${node} "sudo chown ${SSHUSER} /var/lib/hadoop-hdfs/"
    # distribute the CA key and certificate to the other machines
    $SCPCMD ~/bd_ca_cert ${SSHUSER}@${node}:~
    $SCPCMD ~/bd_ca_key ${SSHUSER}@${node}:~
    # the six steps of certificate generation
    # 1. create the node's key pair in the keystore
    $SSHCMD ${SSHUSER}@$node "keytool -keystore keystore -alias localhost -validity 9999 -keypass password -storepass password -genkey -keyalg RSA -keysize 2048 -dname 'CN=${node}, OU=${node}, O=${node}, L=beijing, ST=beijing, C=CN'"
    # 2. import the CA certificate into the truststore
    $SSHCMD ${SSHUSER}@$node "keytool -keystore truststore -alias CARoot -storepass password -noprompt -import -file bd_ca_cert"
    # 3. export a certificate signing request for the node key
    $SSHCMD ${SSHUSER}@$node "keytool -storepass password -certreq -alias localhost -keystore keystore -file cert"
    # 4. sign the request with the CA
    $SSHCMD ${SSHUSER}@$node "openssl x509 -req -CA bd_ca_cert -CAkey bd_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial -passin pass:password"
    # 5. import the CA certificate into the keystore so the chain is complete
    $SSHCMD ${SSHUSER}@$node "keytool -storepass password -noprompt -keystore keystore -alias CARoot -import -file bd_ca_cert"
    # 6. import the signed node certificate into the keystore
    $SSHCMD ${SSHUSER}@$node "keytool -storepass password -keystore keystore -alias localhost -import -file cert_signed"
    # copy the keystore and truststore into the target directory
    $SSHCMD ${SSHUSER}@$node "cp ~/keystore /var/lib/hadoop-hdfs/"
    $SSHCMD ${SSHUSER}@$node "cp ~/truststore /var/lib/hadoop-hdfs/"
done
  • I put the stores under /var/lib/hadoop-hdfs/, so the paths configured in ssl-client.xml and ssl-server.xml point there as well, for example:

ssl-client.xml:

<configuration>
    <property>
        <name>ssl.client.truststore.location</name>
        <value>/var/lib/hadoop-hdfs/truststore</value>
    </property>
    <property>
        <name>ssl.client.truststore.password</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.client.truststore.type</name>
        <value>jks</value>
    </property>
    <property>
        <name>ssl.client.truststore.reload.interval</name>
        <value>10000</value>
    </property>
    <property>
        <name>ssl.client.keystore.location</name>
        <value>/var/lib/hadoop-hdfs/keystore</value>
    </property>
    <property>
        <name>ssl.client.keystore.password</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.client.keystore.keypassword</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.client.keystore.type</name>
        <value>jks</value>
    </property>
</configuration>

ssl-server.xml:

<configuration>
    <property>
        <name>ssl.server.truststore.location</name>
        <value>/var/lib/hadoop-hdfs/truststore</value>
    </property>
    <property>
        <name>ssl.server.truststore.password</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.server.truststore.type</name>
        <value>jks</value>
    </property>
    <property>
        <name>ssl.server.truststore.reload.interval</name>
        <value>10000</value>
    </property>
    <property>
        <name>ssl.server.keystore.location</name>
        <value>/var/lib/hadoop-hdfs/keystore</value>
    </property>
    <property>
        <name>ssl.server.keystore.password</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.server.keystore.keypassword</name>
        <value>password</value>
    </property>
    <property>
        <name>ssl.server.keystore.type</name>
        <value>jks</value>
    </property>
    <property>
        <name>ssl.server.exclude.cipher.list</name>
        <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
            SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
            SSL_RSA_WITH_RC4_128_MD5</value>
    </property>
</configuration>
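Before rolling these two files out, it is worth checking them for the things that are easy to leave behind from a template: the literal password password, a missing property, or a cipher exclusion list that still lets a weak family through. The linter below is an added example (not part of the original post and not Hadoop's own tooling); it reads the Hadoop property format shown above, and the sample XML embedded in it is constructed to mirror the ssl-server.xml template. The NULL and anon families are my additions to the check, not something the template excludes.

```python
import xml.etree.ElementTree as ET

# Properties every role needs (checked under the ssl.<role>. prefix).
REQUIRED = ("truststore.location", "truststore.password", "keystore.location",
            "keystore.password", "keystore.keypassword", "keystore.type")
# Cipher-suite families that should appear in the server exclusion list.
WEAK_FAMILIES = ("RC4", "DES", "EXPORT", "MD5", "NULL", "anon")
DEFAULT_PASSWORDS = {"password", "changeit", ""}

# Constructed sample mirroring the post's ssl-server.xml template.
SAMPLE_SERVER_XML = """<configuration>
  <property><name>ssl.server.truststore.location</name>
            <value>/var/lib/hadoop-hdfs/truststore</value></property>
  <property><name>ssl.server.truststore.password</name><value>password</value></property>
  <property><name>ssl.server.keystore.location</name>
            <value>/var/lib/hadoop-hdfs/keystore</value></property>
  <property><name>ssl.server.keystore.password</name><value>password</value></property>
  <property><name>ssl.server.keystore.keypassword</name><value>password</value></property>
  <property><name>ssl.server.keystore.type</name><value>jks</value></property>
  <property><name>ssl.server.exclude.cipher.list</name>
            <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                   SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5</value></property>
</configuration>"""

def parse_hadoop_config(xml_text):
    """Return {name: value} from a Hadoop <configuration> file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def lint_ssl_config(xml_text, role):
    """role is 'server' or 'client'; returns a list of finding strings."""
    props = parse_hadoop_config(xml_text)
    prefix = f"ssl.{role}."
    findings = []
    for suffix in REQUIRED:
        key = prefix + suffix
        if key not in props:
            findings.append(f"missing {key}")
        elif suffix.endswith("password") and props[key] in DEFAULT_PASSWORDS:
            findings.append(f"default password in {key}")
    if role == "server":  # the exclusion list is a server-side property
        raw = props.get(prefix + "exclude.cipher.list", "")
        excluded = [s.strip() for s in raw.split(",") if s.strip()]  # tolerate newlines
        for family in WEAK_FAMILIES:
            if not any(family in suite for suite in excluded):
                findings.append(f"no {family} suites in {prefix}exclude.cipher.list")
    return findings
```

Run it against the real ssl-server.xml and ssl-client.xml with the matching role; an empty list means the file passed every check.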
