Enabling Kerberos Authentication on CDH 6.3.2

Reader submission | 304 | 2022-11-25


Tags (space-separated): big data platform construction

Part 1: Installing and configuring the KDC service
Part 2: Enabling Kerberos through CDH
Part 3: Logging in to Kerberos and accessing Hadoop services

Part 1: Installing and configuring the KDC service

1.1 System environment

1. Operating system: CentOS 7.5 x64
2. CDH 6.3.2
3. All operations are performed as the root user

1.2 KDC service installation and configuration

1. Install the KDC service on the Cloudera Manager server:
    yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

2. Edit /etc/krb5.conf:
    vim /etc/krb5.conf
----
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LANXIN.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LANXIN.COM = {
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }

[domain_realm]
 .lanxin.com = LANXIN.COM
 lanxin.com = LANXIN.COM
----

3. Edit /var/kerberos/krb5kdc/kadm5.acl:
    vim /var/kerberos/krb5kdc/kadm5.acl
----
*/admin@LANXIN.COM *
----

4. Edit /var/kerberos/krb5kdc/kdc.conf:
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
----

5. Create the Kerberos database (master password used here: LANXIN.COM):
    kdb5_util create -r LANXIN.COM -s
----
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
master key name 'K/M@LANXIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
----
Enter the Kerberos database master password at the prompt.

6. Create the Kerberos admin principal admin/admin@LANXIN.COM:
----
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:
kadmin.local: addprinc admin/admin@LANXIN.COM
WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "admin/admin@LANXIN.COM": [password entered: admin]
Re-enter password for principal "admin/admin@LANXIN.COM":
Principal "admin/admin@LANXIN.COM" created.
kadmin.local:
kadmin.local:
kadmin.local: list_principals
K/M@LANXIN.COM
admin/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

7. Enable the Kerberos services at boot and start krb5kdc and kadmin:
    systemctl enable krb5kdc
    systemctl enable kadmin
    systemctl start krb5kdc
    systemctl start kadmin

8. Test the Kerberos admin account:
    kinit admin/admin@LANXIN.COM
----
Password for admin/admin@LANXIN.COM:
[root@dev01 ~]#
[root@dev01 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@LANXIN.COM

Valid starting       Expires              Service principal
05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
	renew until 06/02/2020 16:26:36
----

9. Install the Kerberos client packages on every cluster node, including Cloudera Manager:
    yum -y install krb5-libs krb5-workstation

10. Install the additional package on the Cloudera Manager Server host:
    yum -y install openldap-clients

11. Copy the krb5.conf file from the KDC server to all Kerberos clients:
    scp /etc/krb5.conf root@192.168.11.161:/etc
    scp /etc/krb5.conf root@192.168.11.162:/etc
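Before distributing krb5.conf in step 11, it is worth cross-checking the files from steps 2 and 4 against each other. The script below is an added example, not part of the original post: it embeds constructed fragments of the page's krb5.conf and kdc.conf, parses the MIT profile syntax, flags the DES/RC4/3DES entries left in supported_enctypes, and reports a client renew_lifetime that exceeds the KDC's max_renewable_life.

```python
import re
# Constructed fragments of the krb5.conf and kdc.conf shown above (not the complete files).
KRB5_CONF = """[libdefaults]
 default_realm = LANXIN.COM
 renew_lifetime = 7d
[realms]
 LANXIN.COM = {
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }
"""
KDC_CONF = """[realms]
 LANXIN.COM = {
  max_renewable_life = 7d 0h 0m 0s
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
 }
"""
# Single DES is weak (MIT clients reject it unless allow_weak_crypto is set); RC4 and 3DES are deprecated by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-hmac-sha1", "arcfour-hmac"}
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_profile(text):
    """MIT krb5 profile syntax: [section], key = value, one level of key = { ... }; '#' comments skipped."""
    conf, section, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line:  # lines without '=' (e.g. includedir) are ignored
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf
def to_seconds(spec):
    """Kerberos duration ('7d 0h 0m 0s', '24h') to seconds."""
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)\s*([dhms])", spec))
def audit(krb5_text, kdc_text):
    """Cross-check a client krb5.conf against the KDC's kdc.conf; returns a list of findings."""
    krb5, kdc, findings = parse_profile(krb5_text), parse_profile(kdc_text), []
    defaults = krb5.get("libdefaults", {})
    server = kdc.get("realms", {}).get(defaults.get("default_realm"), {})
    weak = sorted({e.split(":")[0] for e in server.get("supported_enctypes", "").split()} & WEAK_ENCTYPES)
    if weak:
        findings.append("kdc.conf supported_enctypes still offers weak enctypes: " + ", ".join(weak))
    if to_seconds(defaults.get("renew_lifetime", "0s")) > to_seconds(server.get("max_renewable_life", "0s")):
        findings.append("krb5.conf renew_lifetime exceeds kdc.conf max_renewable_life; the KDC will cap renewals")
    return findings
```

Run `audit(open("/etc/krb5.conf").read(), open("/var/kerberos/krb5kdc/kdc.conf").read())` on the KDC host to check the real files; the hardened fix is to keep only the aes256-cts and aes128-cts entries (and camellia if needed) in supported_enctypes.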

Part 2: Enabling Kerberos on the CDH cluster

1. In the KDC, add an admin principal for Cloudera Manager, cloudera/admin@LANXIN.COM:
----
[root@dev01 ~]# kadmin.local
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local: addprinc cloudera/admin@LANXIN.COM
WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "cloudera/admin@LANXIN.COM": [password: cloudera]
Re-enter password for principal "cloudera/admin@LANXIN.COM":
Principal "cloudera/admin@LANXIN.COM" created.
kadmin.local: list_principals
K/M@LANXIN.COM
admin/admin@LANXIN.COM
cloudera/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

2. Open Cloudera Manager's "Administration" -> "Security" page.

For testing, use the xst -k command to export all principals into a single keytab, /etc/devcdh.keytab:
    kadmin.local
    xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM
    xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM
    xst -k /etc/devcdh.keytab hdfs/dev01.lanxintec.cn@LANXIN.COM
    .......
