48.1 演示环境介绍
- Kerberos已安装并与CDH集成
- 操作系统RedHat7.2
- 用sudo权限的ec2-user用户
- Kerberos节点
ip-186-33-22-88.ap-southeast-1.compute.internal(主)
ip-186-33-21-86.ap-southeast-1.compute.internal(备)
48.2 操作演示
备节点安装Kerberos服务
[ec2-user@ip-186-33-21-86 ~]**$ sudo** yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
### 注意:此处只安装服务,暂不做相应配置及启动服务。
主Kerberos节点操作
- 修改/etc/krb5.conf的配置文件,在realms配置下增加备Kerberos的配置
[realms]
CLOUDERA.COM = {
kdc = ip-186-33-22-88.ap-southeast-1.compute.internal
admin_server = ip-186-33-22-88.ap-southeast-1.compute.internal
kdc = ip-186-33-21-86.ap-southeast-1.compute.internal
admin_server = ip-186-33-21-86.ap-southeast-1.compute.internal
}
- 将修改后的/etc/krb5.conf文件同步到集群的所有Kerberos客户端节点相应目录
- 保存配置,然后重启krb5kdc和kadmin服务
[ec2-user@ip-186-33-22-88 ~]$ sudo systemctl restart krb5kdc
[ec2-user@ip-186-33-22-88 ~]$ sudo systemctl restart kadmin
- 创建主从同步账号,并为账号生成keytab文件
[ec2-user@ip-186-33-22-88 ~]$ sudo kadmin.local
kadmin.local: addprinc -randkey host/ip-186-33-22-88.ap-southeast-1.compute.internal
kadmin.local: addprinc -randkey host/ip-186-33-21-86.ap-southeast-1.compute.internal
kadmin.local:
kadmin.local: ktadd host/ip-186-33-22-88.ap-southeast-1.compute.internal
kadmin.local: ktadd host/ip-186-33-21-86.ap-southeast-1.compute.internal
### 使用随机生成秘钥的方式创建同步账号,并使用ktadd命令生成同步账号的keytab文件,默认文件生成在/etc/krb5.keytab下,生成多个账号则在krb5.keytab基础上追加。
- 复制以下文件到备Kerberos服务器相应目录
- 将/etc目录下的krb5.conf和krb5.keytab文件拷贝至备Kerberos服务器的/etc目录下
- 将/var/kerberos/krb5kdc目录下的.k5.CLOUDERA.COM、kadm5.acl和krb5.conf文件拷贝至备Kerberos服务器的/var/kerberos/krb5kdc目录
- 这里由于Fayson服务器使用的AWS非root用户权限问题,先将需要拷贝的文件拷贝至备Kerberos节点的ec2-user用户目录下,然后备服务器上使用sudo权限将文件拷贝至相应目录,以下操作是在备Kerberos服务器上进行
[ec2-user@ip-186-33-21-86 kerberos]$ sudo cp krb5.conf krb5.keytab /etc/
[ec2-user@ip-186-33-21-86 kerberos]$ sudo chown root:root /etc/krb5.*
[ec2-user@ip-186-33-21-86 kerberos]$ ll /etc/krb5.*
[ec2-user@ip-186-33-21-86 kerberos]$ sudo cp .k5.CLOUDERA.COM kadm5.acl kdc.conf /var/kerberos/krb5kdc/
[ec2-user@ip-186-33-21-86 kerberos]$ sudo chown root:root /var/kerberos/krb5kdc/*
[ec2-user@ip-186-33-21-86 kerberos]$ cd /var/kerberos/krb5kdc/
[ec2-user@ip-186-33-21-86 krb5kdc]$ ll -a
备Kerberos节点操作
- 需要申明用来同步的用户,在/var/kerberos/krb5kdc/kpropd.acl配置文件中添加对应账户,如果配置文件不存在则新增
[ec2-user@ip-186-33-21-86 krb5kdc]$ cd /var/kerberos/krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo vim kpropd.acl
host/[email protected]
host/[email protected]
- 启动kprop服务并加入系统自启动
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl enable kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl start kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl status kprop
### 备节点上已经准备好数据传输。接下来在主节点上使用kdb5_util将Kerberos库导出,然后通过kprop命令向备节点同步数据。
主节点数据同步至备节点
- 在主节点上使用kdb5_util命令导出Kerberos数据库文件
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo kdb5_util dump /var/kerberos/krb5kdc/master.dump
### 导出成功后生成master.dump和master.dump.dump_ok两个文件。
- 在主节点上使用kprop命令将master.dump文件同步至备节点
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 ip-186-33-21-86.ap-southeast-1.compute.internal
32768 bytes sent.
60543 bytes sent.
Database propagation to ip-186-33-21-86.ap-southeast-1.compute.internal: SUCCEEDED
[ec2-user@ip-186-33-22-88 krb5kdc]$
- 在备节点的/var/kerberos/krb5kdc目录下查看
[ec2-user@ip-186-33-21-86 krb5kdc]$ pwd
/var/kerberos/krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$ ll
total 132
-rw------- 1 root root 60543 Nov 14 10:36 from_master
-rw------- 1 root root 23 Nov 14 10:15 kadm5.acl
-rw------- 1 root root 486 Nov 14 10:15 kdc.conf
-rw-r--r-- 1 root root 132 Nov 14 10:23 kpropd.acl
-rw------- 1 root root 53248 Nov 14 10:36 principal
-rw------- 1 root root 8192 Nov 14 10:36 principal.kadm5
-rw------- 1 root root 0 Nov 14 10:36 principal.kadm5.lock
-rw------- 1 root root 0 Nov 14 10:36 principal.ok
[ec2-user@ip-186-33-21-86 krb5kdc]$
- 在备节点上测试通过过来的数据是否能启动Kerberos服务
- 首先将kprop服务停止,将kpropd.acl文件备份并删除,然后启动krb5kdc和kadmin服务
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl stop kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo mv /var/kerberos/krb5kdc/kpropd.acl/var/kerberos/krb5kdc/kpropd.acl.bak
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl start krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl start kadmin
- 修改备服务器的/etc/krb5.conf文件,将kdc和kadmin_server修改为备服务器地址,测试kinit是否正常
[ec2-user@ip-186-33-21-86 krb5kdc]$kinit fayson
Password for [email protected]:
[ec2-user@ip-186-33-21-86 krb5kdc]$klist
Ticket cache:FILE:/tmp/krb5cc_1000
Default principal:[email protected]
Valid starting Expires Service principal
11/14/2017 10:47:11 11/15/2017 10:47:11 krbtgt/[email protected]
renew until 11/21/201710:47:11
[ec2-user@ip-186-33-21-86 krb5kdc]$
- 测试完成需要将/etc/krb5.conf和kpropd.acl文件还原并启动kprop服务
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl stop krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl stop kadmin
[ec2-user@ip-186-33-21-86 krb5kdc]$
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo mv /var/kerberos/krb5kdc/kpropd.acl.bak kpropd.acl
[ec2-user@ip-186-33-21-86 krb5kdc]$sudo systemctl start kprop
配置主节点crontab任务定时同步数据
- 同步脚本
[ec2-user@ip-186-33-22-88 krb5kdc]$pwd
/var/kerberos/krb5kdc
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudovim kprop_sync.sh
#!/bin/bash
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="ip-186-33-21-86.ap-southeast-1.compute.internal"
TIMESTAMP=`date`
echo "Start at $TIMESTAMP"
sudo kdb5_utildump $DUMP
sudo kprop -f $DUMP-d -P $PORT $SLAVE
- 赋予kprop_sync.sh脚本可执行权限,并测试
[ec2-user@ip-186-33-22-88 krb5kdc]$sudo chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh
[ec2-user@ip-186-33-22-88 krb5kdc]$sudo sh /var/kerberos/krb5kdc/kprop_sync.sh
- 配置crontab任务
[ec2-user@ip-186-33-22-88 krb5kdc]$sudo crontab -e
0 * * * * root/var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate
- 退出并保存,启动服务并设置开机启动
[ec2-user@ip-186-33-22-88 krb5kdc]$sudo systemctl enable crond
[ec2-user@ip-186-33-22-88 krb5kdc]$sudo systemctl start crond
大数据视频推荐:
腾讯课堂
CSDN
大数据语音推荐:
企业级大数据技术应用
大数据机器学习案例之推荐系统
自然语言处理
大数据基础
人工智能:深度学习入门到精通