Kerberos authentication setup & configuring Kerberos for big-data components

Prerequisites

  1. The Kerberos packages are already installed, along with the other components involved: zk, hadoop, hbase, hive, flink, spark, kafka.
     Not every component is required; install what you need.
  2. Three machines are assumed, hadoop01, hadoop02 and hadoop03, with passwordless ssh already set up between them.
  3. All components are assumed to be installed under /opt.

Creating the credentials

Creating the principals

  Add the hdfs and HTTP principals for every server node in the cluster:
[root@hadoop01 ~]# for i in {01..03}; do kadmin.local -q "addprinc -randkey hdfs/hadoop$i.jedy.com.cn@jedy.com.cn"; done

[root@hadoop01 ~]# for i in {01..03}; do kadmin.local -q "addprinc -randkey HTTP/hadoop$i.jedy.com.cn@jedy.com.cn"; done

[root@hadoop01 ~]# kadmin.local -q "listprincs"

Creating the hdfs.keytab file

Export the keytab entries one by one (each xst call appends to the same file):

[root@hadoop01 ~]# cd /var/kerberos/krb5kdc/
[root@hadoop01 krb5kdc]# for i in {01..03}; do kadmin.local -q "xst -k hdfs.keytab hdfs/hadoop$i.jedy.com.cn@jedy.com.cn"; done

[root@hadoop01 krb5kdc]# for i in {01..03}; do kadmin.local -q "xst -k hdfs.keytab HTTP/hadoop$i.jedy.com.cn@jedy.com.cn"; done

List the contents of hdfs.keytab with klist:

[root@hadoop01 krb5kdc]# klist -ket hdfs.keytab

Verify (no output means success; the keytab is still in the current directory at this point):

[root@hadoop01 krb5kdc]# kinit -k -t hdfs.keytab hdfs/hadoop01.jedy.com.cn@jedy.com.cn

Copy hdfs.keytab into the Hadoop configuration directory, set its permissions (owner hdfs, mode 400) and distribute it to the other nodes:

[root@hadoop01 krb5kdc]# chmod 400 hdfs.keytab
[root@hadoop01 krb5kdc]# chown hdfs hdfs.keytab
[root@hadoop01 krb5kdc]# cp -p hdfs.keytab $HADOOP_HOME/etc/hadoop/hdfs.keytab
[root@hadoop01 krb5kdc]# for i in {02..03}; do scp -p $HADOOP_HOME/etc/hadoop/hdfs.keytab hadoop$i:$HADOOP_HOME/etc/hadoop/hdfs.keytab; ssh hadoop$i "chown hdfs $HADOOP_HOME/etc/hadoop/hdfs.keytab"; done

Verify:

[root@hadoop01 krb5kdc]# klist -ket $HADOOP_HOME/etc/hadoop/hdfs.keytab
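Because every `xst` call appends to the same file, an hdfs.keytab that is missing one host's entry still lists fine and is only noticed when that DataNode fails to log in. The script below is an added example (not from the original post): it parses `klist -ket` output and reports every expected hdfs/HTTP principal that is absent, so the keytab can be checked before it is distributed. The realm and domain jedy.com.cn come from the page; the function names and the embedded sample listing are constructed for the example.

```shell
#!/bin/sh
# Check that a keytab, as listed by `klist -ket`, holds every expected service
# principal before it is copied to the cluster. The listing below is a
# constructed sample in klist's output format (not real output from the page).
REALM="jedy.com.cn"
DOMAIN="jedy.com.cn"

SAMPLE_LISTING='Keytab name: FILE:hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 06/26/2023 19:50:01 hdfs/hadoop01.jedy.com.cn@jedy.com.cn (aes256-cts-hmac-sha1-96)
   2 06/26/2023 19:50:01 hdfs/hadoop01.jedy.com.cn@jedy.com.cn (aes128-cts-hmac-sha1-96)
   2 06/26/2023 19:50:02 hdfs/hadoop02.jedy.com.cn@jedy.com.cn (aes256-cts-hmac-sha1-96)
   2 06/26/2023 19:50:03 hdfs/hadoop03.jedy.com.cn@jedy.com.cn (aes256-cts-hmac-sha1-96)
   2 06/26/2023 19:50:04 HTTP/hadoop01.jedy.com.cn@jedy.com.cn (aes256-cts-hmac-sha1-96)
   2 06/26/2023 19:50:05 HTTP/hadoop02.jedy.com.cn@jedy.com.cn (aes256-cts-hmac-sha1-96)'

# Print the principal expected for every service/host pair, one per line.
expected_principals() {  # $1 = services, $2 = short hostnames (space separated)
  for svc in $1; do
    for h in $2; do
      echo "$svc/$h.$DOMAIN@$REALM"
    done
  done
}

# Reduce klist -ket output on stdin to the distinct principal names.
# Data rows start with a numeric KVNO; the principal is the 4th column and
# the enctype in parentheses is the 5th, so one principal exported with
# several enctypes collapses to a single line.
principals_in_listing() {
  awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Usage: keytab_missing_principals "<services>" "<hosts>" < listing
# Prints "missing: <principal>" for each absent entry; returns 1 if any
# is missing, 0 when the keytab is complete.
keytab_missing_principals() {
  have=$(principals_in_listing)
  rc=0
  for p in $(expected_principals "$1" "$2"); do
    if ! printf '%s\n' "$have" | grep -qxF "$p"; then
      echo "missing: $p"
      rc=1
    fi
  done
  return $rc
}

# Against a live keytab pipe `klist -ket hdfs.keytab` in instead of the
# constructed sample; the sample deliberately lacks HTTP/hadoop03.
if [ "${1:-}" = "run" ]; then
  printf '%s\n' "$SAMPLE_LISTING" \
    | keytab_missing_principals "hdfs HTTP" "hadoop01 hadoop02 hadoop03" \
    && echo "keytab complete" || echo "keytab incomplete"
fi
```

Run it as `sh check_keytab.sh run`; on a real node replace the sample with `klist -ket /var/kerberos/krb5kdc/hdfs.keytab | keytab_missing_principals "hdfs HTTP" "hadoop01 hadoop02 hadoop03"`. The same check applies to zookeeper.keytab with the service list set to `zookeeper`.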

Creating the zookeeper.keytab file (for zk)

When hiveserver connects to a Kerberos-enabled zookeeper, the Principal in the Server section of zookeeper's jaas.conf must be the zookeeper service principal.

Export the keytab entries one by one (the zookeeper principals must exist before they can be exported, so they are added first, in the same way as the hdfs ones):

[root@hadoop01 ~]# for i in {01..03}; do kadmin.local -q "addprinc -randkey zookeeper/hadoop$i.jedy.com.cn@jedy.com.cn"; done
[root@hadoop01 ~]# mkdir -p /etc/security/keytab/
[root@hadoop01 ~]# cd /etc/security/keytab/
[root@hadoop01 keytab]# for i in {01..03}; do kadmin.local -q "xst -k zookeeper.keytab zookeeper/hadoop$i.jedy.com.cn@jedy.com.cn"; done

List the contents of zookeeper.keytab with klist:

[root@hadoop01 keytab]# klist -ket zookeeper.keytab

Verify (no output means success):

[root@hadoop01 keytab]# kinit -k -t /etc/security/keytab/zookeeper.keytab zookeeper/hadoop01.jedy.com.cn@jedy.com.cn

Distribute zookeeper.keytab (the file must keep the name zookeeper.keytab on every node, which is what jaas.conf and the check below refer to):

[root@hadoop01 keytab]# for i in {02..03}; do
ssh hadoop$i "mkdir -p /etc/security/keytab/";
scp zookeeper.keytab hadoop$i:/etc/security/keytab/zookeeper.keytab; done

Verify:

[root@hadoop01 keytab]# for i in {02..03}; do
ssh hadoop$i "klist -ket /etc/security/keytab/zookeeper.keytab"
done

Configuring Kerberos for zk

Enabling Kerberos

zoo_hadoop.cfg (using the hadoop instance as the example)

#zk SASL
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
#jaasLoginRenew=3600000
requireClientAuthScheme=sasl
zookeeper.sasl.client=true
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.enableSasl=true
quorum.auth.learner.saslLoginContext=Learner
quorum.auth.server.saslLoginContext=Server
quorum.auth.kerberos.servicePrincipal=hdfs/_HOST@jedy.com.cn
4lw.commands.whitelist=mntr,conf,ruok,cons

jaas.conf (note that it differs on each zk node)
One pitfall here: the zk Server section must use the zookeeper principal with that node's own hostname; otherwise hiveserver fails authentication when it connects.

cat /opt/zookeeper/conf/jaas.conf
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytab/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/hadoop01.jedy.com.cn@jedy.com.cn";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytab/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/hadoop01.jedy.com.cn@jedy.com.cn";
};
Learner {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/opt/hadoop/etc/hadoop/hdfs.keytab"
  storeKey=true
  useTicketCache=false
  principal="hdfs/hadoop01.jedy.com.cn@jedy.com.cn";
};

With several zookeeper nodes, the hostname in the Server principal is changed to each node's own hostname.
The principal in this Server section must also start with zookeeper, i.e. principal="zookeeper/hostname@jedy.com.cn"; otherwise a "service not found" error is reported.
On the hadoop02 machine, for example, replace hadoop01 in the file with hadoop02.
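Editing the hostname by hand on each node is exactly where the pitfall above bites. The script below is an added example (not part of the original post): it renders the per-node jaas.conf from one template and checks that the Server section's principal is `zookeeper/<this node's FQDN>@jedy.com.cn` before the file is installed. The keytab paths, realm and domain are the ones used on this page; the function names are mine.

```shell
#!/bin/sh
# Render the per-node ZooKeeper jaas.conf and check the pitfall described in
# the text: the Server section must use zookeeper/<this node's host>.
REALM="jedy.com.cn"
DOMAIN="jedy.com.cn"
ZK_KEYTAB="/etc/security/keytab/zookeeper.keytab"
HDFS_KEYTAB="/opt/hadoop/etc/hadoop/hdfs.keytab"

# Print a jaas.conf for the given short hostname (hadoop01, hadoop02, ...).
# Server and Client use the zookeeper principal; Learner uses the hdfs
# principal, matching quorum.auth.kerberos.servicePrincipal in zoo_hadoop.cfg.
gen_zk_jaas() {  # $1 = short hostname
  fqdn="$1.$DOMAIN"
  for section in Server Client Learner; do
    if [ "$section" = Learner ]; then
      kt="$HDFS_KEYTAB"; princ="hdfs/$fqdn@$REALM"
    else
      kt="$ZK_KEYTAB"; princ="zookeeper/$fqdn@$REALM"
    fi
    cat <<EOF
$section {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$kt"
  storeKey=true
  useTicketCache=false
  principal="$princ";
};
EOF
  done
}

# Print the principal configured in the Server section of a jaas.conf on stdin.
server_principal_of() {
  awk '
    /^Server[[:space:]]*\{/ { in_server = 1 }
    in_server && /principal=/ { sub(/.*principal="/, ""); sub(/".*/, ""); print; exit }
    /^\};/ { in_server = 0 }
  '
}

# Check a jaas.conf (stdin) against the node it will run on.
# Returns 0 when the Server principal is zookeeper/<host>.<domain>@<realm>,
# 1 with a message otherwise: the misconfiguration that makes the
# hiveserver connection fail with an authentication error.
check_zk_server_principal() {  # $1 = short hostname
  got=$(server_principal_of)
  want="zookeeper/$1.$DOMAIN@$REALM"
  case "$got" in
    zookeeper/*) ;;
    *) echo "Server principal must start with zookeeper/, got '$got'"; return 1 ;;
  esac
  [ "$got" = "$want" ] || { echo "Server principal '$got' is not this node's ($want)"; return 1; }
  return 0
}

# Write and check the file for hadoop02; the output path is an assumption.
if [ "${1:-}" = "run" ]; then
  gen_zk_jaas hadoop02 > /tmp/jaas.conf.hadoop02
  check_zk_server_principal hadoop02 < /tmp/jaas.conf.hadoop02 && echo "jaas.conf for hadoop02 OK"
fi
```

To generate the files for all three nodes, loop `for h in hadoop01 hadoop02 hadoop03; do gen_zk_jaas $h > jaas.conf.$h; done` and scp each one to its own node; running `check_zk_server_principal $(hostname -s) < /opt/zookeeper/conf/jaas.conf` on the node after copying catches a file that was sent to the wrong host.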

java.env

cat /opt/zookeeper/conf/java.env 
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/opt/zookeeper/conf/jaas.conf"
export CLIENT_JVMFLAGS="${CLIENT_JVMFLAGS} -Djava.security.auth.login.config=/opt/zookeeper/conf/jaas.conf -Djava.security.krb5.conf=/etc/krb5.conf -Dzookeeper.server.principal=zookeeper/$HOSTNAME@jedy.com.cn"

Restarting the service

Sync the configuration:
[root@hadoop01 zookeeper]# for i in {02..03}; do scp {zoo_hadoop.cfg,jaas.conf,java.env} hadoop$i:/opt/zookeeper/conf/; done

Restart the service (on every node):

```bash
for n in stop start status
do
    zkServer.sh $n /opt/zookeeper/conf/zoo_hadoop.cfg
done
```
Error handling

The hdfs active/standby failover reports:
kinit: KDC can't fulfill requested option while renewing credentials
Cause and fix: a stale credential cache; remove it and authenticate again

rm -rf /tmp/krb5cc_*

kinit -kt $HADOOP_HOME/etc/hadoop/hdfs.keytab hdfs/$HOSTNAME@jedy.com.cn
klist

Configuring Kerberos for hadoop (HTTPS mode)

Creating the HTTPS certificates

Step 1: generate the root CA certificate
[root@hdp-node1 ~]# HADOOP_HOME=/opt/hadoop; mkdir $HADOOP_HOME/etc/hadoop/ssl ; cd $HADOOP_HOME/etc/hadoop/ssl

# On success this command produces the files hdfs_ca_cert and hdfs_ca_key
[root@hdp-node1 ssl]# openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj /C=CN/ST=zhejiang/L=hangzhou/O=jy/OU=jy/CN=hadoop01.jedy.com.cn

# password: M123456a

Copy the resulting files to the other machines.
scp -r $HADOOP_HOME/etc/hadoop/ssl root@xxx:$HADOOP_HOME/etc/hadoop/ssl

Run the following commands, in order, on every node

cd $HADOOP_HOME/etc/hadoop/ssl

# Enter M123456a wherever a password is requested (for convenience; change it if you have password requirements)
Step 2: generate the keystore
# Enter and confirm the password: M123456a
# On success this command produces the keystore file
name="CN=$HOSTNAME, OU=jy, O=jy, L=hangzhou, ST=zhejiang, C=CN"
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "$name" -keypass M123456a -storepass M123456a
Step 3: add the CA to the truststore
# Enter and confirm the password: M123456a; when asked whether to trust the certificate, enter yes
# On success this command produces the truststore file
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert -keypass M123456a -storepass M123456a

Enter yes
Step 4: export the cert (a certificate signing request) from the keystore
# Enter and confirm the password: M123456a
# On success this command produces the cert file
keytool -certreq -alias localhost -keystore keystore -file cert -keypass M123456a -storepass M123456a
Step 5: sign the cert with the CA
# On success this command
# produces the cert_signed file
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial -passin pass:M123456a
Step 6: import the CA certificate and the CA-signed certificate into the keystore
# Enter and confirm the password: M123456a; when asked whether to trust the certificate, enter yes
# On success this command updates the keystore file
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert -keypass M123456a -storepass M123456a

Enter yes

keytool -keystore keystore -alias localhost -import -file cert_signed -keypass M123456a -storepass M123456a

# Final result:
-rw-r--r-- 1 hdfs hadoop 1101 Jun 26 19:50 cert
-rw-r--r-- 1 hdfs hadoop 1224 Jun 26 19:50 cert_signed
-rw-r--r-- 1 hdfs root   1342 Jun 26 19:49 hdfs_ca_cert
-rw-r--r-- 1 hdfs hadoop   17 Jun 26 19:50 hdfs_ca_cert.srl
-rw-r--r-- 1 hdfs root   1834 Jun 26 19:49 hdfs_ca_key
-rw-r--r-- 1 hdfs hadoop 4159 Jun 26 19:52 keystore
-rw-r--r-- 1 hdfs hadoop 1012 Jun 26 19:50 truststore

Configuring HDFS to enable HTTPS

hdfs-site.xml (add)
<property>
    <name>dfs.http.policy</name>
    <value>HTTPS_ONLY</value>
    <description>All enabled web UIs use https; the details are configured in the ssl-server and ssl-client files</description>
</property>
ssl-server.xml (add)
<configuration>
    <!-- password of the key inside the SSL keystore -->
    <property>
        <name>ssl.server.keystore.keypassword</name>
        <value>M123456a</value>
        <description>Must be specified.</description>
    </property>
    <!-- path of the SSL keystore -->
    <property>
        <name>ssl.server.keystore.location</name>
        <value>/opt/hadoop/etc/hadoop/ssl/keystore</value>
        <description>Keystore to be used by NN and DN. Must be specified.</description>
    </property>
    <!-- SSL keystore password -->
    <property>
        <name>ssl.server.keystore.password</name>
        <value>M123456a</value>
        <description>Must be specified.</description>
    </property>
    <!-- path of the SSL truststore -->
    <property>
        <name>ssl.server.truststore.location</name>
        <value>/opt/hadoop/etc/hadoop/ssl/truststore</value>
        <description>Truststore to be used by NN and DN. Must be specified.</description>
    </property>
    <!-- SSL truststore password -->
    <property>
        <name>ssl.server.truststore.password</name>
        <value>M123456a</value>
        <description>Optional. Default value is "". </description>
    </property>
</configuration>
ssl-client.xml (add)
<configuration>
    <!-- password of the key inside the SSL keystore -->
    <property>
        <name>ssl.client.keystore.keypassword</name>
        <value>M123456a</value>
        <description>Optional. Default value is "". </description>
    </property>
        