Kerberos deployment

Tutorial ⋅ 犀牛 ⋅ 2021-06-04 15:19:30 ⋅ 1046 views

Kerberos deployment

The worker-1 node is used as the Kerberos server (KDC).

# install the Kerberos server and client packages
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
# install the SASL tools; Impala needs them once Kerberos is enabled
yum -y install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5

Edit /etc/krb5.conf

# The following line must stay commented out; enabling it causes:
# [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
# default_ccache_name = KEYRING:persistent:%{uid}
# back up the stock file once (cp -n never overwrites), then restore from the
# backup so that the edits below can be re-run from a clean state
cp -n /etc/krb5.conf /etc/krb5.conf.bak && \
cp -f /etc/krb5.conf.bak /etc/krb5.conf && \
# uncomment every commented line of the stock file
sed -i 's/#//g' /etc/krb5.conf && \
# replace the example realm and KDC host names with this cluster's values
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /etc/krb5.conf && \
sed -i 's/kerberos.example.com/worker-1/g' /etc/krb5.conf && \
sed -i 's/example.com/worker-1/g' /etc/krb5.conf && \
# re-comment the KEYRING credential cache line (see the error above)
sed -i 's/ default_ccache_name/# default_ccache_name/g' /etc/krb5.conf && \
# re-comment the "Configuration snippets" header that the first sed uncommented
sed -i 's/ Configuration/# Configuration/g' /etc/krb5.conf
# review the resulting changes against the backup
diff /etc/krb5.conf.bak /etc/krb5.conf

Edit /var/kerberos/krb5kdc/kdc.conf

cp -n /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.bak && \
cp -f /var/kerberos/krb5kdc/kdc.conf.bak /var/kerberos/krb5kdc/kdc.conf && \
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /var/kerberos/krb5kdc/kdc.conf
diff /var/kerberos/krb5kdc/kdc.conf.bak /var/kerberos/krb5kdc/kdc.conf

Edit /var/kerberos/krb5kdc/kadm5.acl

cp -n /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.bak && \
cp -f /var/kerberos/krb5kdc/kadm5.acl.bak /var/kerberos/krb5kdc/kadm5.acl && \
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /var/kerberos/krb5kdc/kadm5.acl
diff /var/kerberos/krb5kdc/kadm5.acl.bak /var/kerberos/krb5kdc/kadm5.acl

Configure the Kerberos service

Create the Kerberos database; set the master password to hainiu1688

/usr/sbin/kdb5_util create -s

Create the cloudera-scm/admin principal for CDH; set its password to hainiu1688

kadmin.local
   addprinc cloudera-scm/admin
   # enter the password twice when prompted
   hainiu1688
   hainiu1688
   exit

Set the Maximum renewable life of krbtgt/HAINIU.COM@HAINIU.COM to 90 days (the default is 0 days); otherwise the Hue role Kerberos Ticket Renewer fails to start when Kerberos is enabled in CDH.

kadmin.local
   modprinc -maxrenewlife 90day krbtgt/HAINIU.COM@HAINIU.COM
   # verify the change
   getprinc krbtgt/HAINIU.COM@HAINIU.COM
   exit

Start the Kerberos service

# start the Kerberos services and enable them at boot
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin
systemctl status krb5kdc
systemctl status kadmin

Kerberos client installation

# install the Kerberos client packages on the worker nodes
yum -y install krb5-libs krb5-workstation
# copy the configuration file from the master node to the worker nodes
scp /etc/krb5.conf root@worker-1:/etc/krb5.conf
scp /etc/krb5.conf root@worker-2:/etc/krb5.conf
scp /etc/krb5.conf root@worker-3:/etc/krb5.conf
ssh root@worker-1 cat /etc/krb5.conf
ssh root@worker-2 cat /etc/krb5.conf
ssh root@worker-3 cat /etc/krb5.conf

Kerberos authentication test

# run on a client node
# obtain a ticket (enter the password when prompted)
kinit cloudera-scm/admin
   hainiu1688
# list the cached tickets
klist
# destroy the tickets
kdestroy
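As an added check (example script, not part of the original post), the following shell functions verify the two settings the tutorial corrects by hand: that /etc/krb5.conf points at the expected realm and KDC with default_ccache_name commented out, and that the krbtgt principal's maximum renewable life is non-zero. The realm HAINIU.COM and KDC host worker-1 are assumed and passed as arguments; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks for the
# two settings the tutorial fixes by hand. Assumed values: realm HAINIU.COM
# and KDC host worker-1, passed as arguments so they can be changed.

# check_krb5_conf FILE REALM KDC_HOST
# Exit 0 when FILE names the expected realm, kdc and admin_server and the
# default_ccache_name line is commented out. An active
# "default_ccache_name = KEYRING:..." line is what leaves Hadoop clients
# with "Failed to find any Kerberos tgt" even after a successful kinit.
check_krb5_conf() {
  local f="$1" realm="$2" kdc="$3" rc=0
  grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$f" \
    || { echo "default_realm is not $realm"; rc=1; }
  grep -Eq "^[[:space:]]*kdc[[:space:]]*=[[:space:]]*$kdc[[:space:]]*\$" "$f" \
    || { echo "kdc is not $kdc"; rc=1; }
  grep -Eq "^[[:space:]]*admin_server[[:space:]]*=[[:space:]]*$kdc[[:space:]]*\$" "$f" \
    || { echo "admin_server is not $kdc"; rc=1; }
  if grep -Eq "^[[:space:]]*default_ccache_name" "$f"; then
    echo "default_ccache_name is still active; comment it out"; rc=1
  fi
  return "$rc"
}

# renewable_days  (reads getprinc output on stdin)
# Prints the day count from the "Maximum renewable life:" line that
# `kadmin.local -q "getprinc krbtgt/REALM@REALM"` emits, or 0 when the line
# is missing. 0 days is the default that breaks Hue's Kerberos Ticket Renewer.
renewable_days() {
  awk -F': *' '/^Maximum renewable life:/ { split($2, a, " "); d = a[1] + 0 }
               END { print d + 0 }'
}

# check_krbtgt REALM  (live check; needs kadmin.local on the KDC host)
check_krbtgt() {
  local realm="$1" days
  days=$(kadmin.local -q "getprinc krbtgt/$realm@$realm" | renewable_days)
  if [ "$days" -gt 0 ]; then
    echo "krbtgt/$realm maximum renewable life: $days days"
  else
    echo "krbtgt/$realm maximum renewable life is 0; run modprinc -maxrenewlife 90day"
    return 1
  fi
}

# Usage on the KDC (worker-1) after the edits above:
#   check_krb5_conf /etc/krb5.conf HAINIU.COM worker-1 && check_krbtgt HAINIU.COM
```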

Integrating CDH with Kerberos

Enable Kerberos on the cluster


Administration -> Security -> Enable Kerberos

  • Page 1: confirm the prerequisite checks

    Yes, I have set up a working KDC.

    Yes, I have checked that the KDC allows renewable tickets.

    Yes, I have installed the client libraries.

    Yes, I have created a proper account for Cloudera Manager.

  • Page 2: enter the Kerberos server details

KDC Type: MIT KDC

Kerberos Security Realm: HAINIU.COM

KDC Server Host: worker-1

KDC Admin Server Host: worker-1

Kerberos Encryption Types: rc4-hmac

Maximum Renewable Life for Principals: 5

  • Page 3: leave "Manage krb5.conf through Cloudera Manager" unchecked and continue

  • Page 4: the cloudera-scm/admin account and password

    cloudera-scm/admin

    hainiu1688

  • Pages 5 and 6: Continue

  • Page 7: confirm the HDFS privileged ports and choose to restart the cluster

    Yes, I am ready to restart the cluster now.

  • Follow the prompts on the remaining pages


Copyright notice: original work; reposting is permitted provided the source and author are credited with a hyperlink, otherwise legal action will be taken. From 海汼部落 - 犀牛, http://hainiubl.com/topics/75616