Kerberos常用操作

​​​​​登录Kerberos: kadmin.local

  • 使用kadmin.local命令登录
[root@manager ~]# kadmin.local 
Authenticating as principal root/admin@BIGDATA with password.
kadmin.local:  ?	# 查看命令列表i
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35

查看已存在凭据:list_principals, listprincs, get_principals, getprincs

kadmin.local:  listprincs
HTTP/manager.bigdata@BIGDATA
HTTP/master.bigdata@BIGDATA
HTTP/worker.bigdata@BIGDATA
K/M@BIGDATA
activity_analyzer/manager.bigdata@BIGDATA
activity_explorer/manager.bigdata@BIGDATA
admin/admin@BIGDATA
ambari-qa-gaia@BIGDATA
ambari-server-gaia@BIGDATA
……
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11

添加凭据:add_principal, addprinc, ank

kadmin.local:  ank test@BIGDATA
WARNING: no policy specified for test@BIGDATA; defaulting to no policy
Enter password for principal "test@BIGDATA": 
Re-enter password for principal "test@BIGDATA": 
Principal "test@BIGDATA" created.

# 创建的时候指定密码
kadmin.local -q "addprinc -pw bigdata123 test"
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8

根据添加的凭据生成keytab文件

kadmin.local # 登录
kadmin.local:  ktadd -k /etc/security/keytabs/student.keytab -norandkey test@BIGDATA

  • 1
  • 2
  • 3

修改凭据密码:change_password, cpw

kadmin.local:  cpw test@BIGDATA
Enter password for principal "test@BIGDATA": 
Re-enter password for principal "test@BIGDATA": 
Password for "test@BIGDATA" changed.
  • 1
  • 2
  • 3
  • 4

删除凭据:delete_principal, delprinc

kadmin.local:  delprinc test@BIGDATA
Are you sure you want to delete the principal "test@BIGDATA"? (yes/no): yes
Principal "test@BIGDATA" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
  • 1
  • 2
  • 3
  • 4

认证用户:kinit

[root@manager ~]# kinit admin/admin@BIGDATA
Password for admin/admin@BIGDATA:
  • 1
  • 2

查看当前认证用户:klist

[root@manager ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@BIGDATA

Valid starting       Expires              Service principal
10/30/2019 00:21:12  10/31/2019 00:21:12  krbtgt/BIGDATA@BIGDATA
	renew until 11/06/2019 00:21:12
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7

删除当前认证的缓存

[root@manager ~]# kdestroy
[root@manager ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
  • 1
  • 2
  • 3

切换Hadoop组内用户票据

  • 根据keytab文件查询用户
klist -kt /etc/security/keytabs/hdfs.headless.keytab
  • 1
  • 切换票据
kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hdv4@BIGDATA

你可能感兴趣的:(大数据,运维,Kerberos)