Building an MIT Kerberos authentication cluster

How the authentication works

See this blog post, which explains it in detail: https://blog.csdn.net/sky_jiangcheng/article/details/81070240
Environment setup

- Runtime environment
  - Ubuntu 18.04 server
  - KDC: hp01
  - clients: hp02, hp03
- Install the software
  - Install the NTP time-synchronisation service (Kerberos rejects requests whose timestamp differs from the KDC clock by more than the allowed skew, 5 minutes by default, so all hosts must keep their clocks in sync)
  - On hp01 install the KDC and the admin server:

    ```shell
    sudo apt-get install krb5-kdc krb5-admin-server
    ```

    During installation you are asked for a realm. It is similar to a root domain name; in Kerberos it is the namespace that principals belong to, for example EXAMPLE.COM. If you need to change the realm later, run:

    ```shell
    sudo dpkg-reconfigure krb5-kdc
    ```

    An input screen appears; simply enter the new value.
  - On hp02 and hp03 install the Kerberos client:

    ```shell
    sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
    ```

    During installation you need to enter the realm of the authentication service and the hostname of the KDC; the client uses these two values to set up its authentication channel to the KDC.
- Configure the authentication server (hp01)
  - Edit /etc/krb5.conf and add the ticket-lifetime settings:

    ```
    [libdefaults]
        default_realm = LY.COM

    # The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_lookup_realm = false
        dns_lookup_kdc = false
    # TGT lifetime: one day, renewable for up to seven days
        ticket_lifetime = 86400
        renew_lifetime = 604800
        udp_preference_limit = 1
    ```
  - Edit /etc/krb5kdc/kadm5.acl:

    ```shell
    sudo vim /etc/krb5kdc/kadm5.acl
    ```

    Add the following line, which grants full administrative rights to every principal whose instance is `admin` (such as the admin/admin principal created below):

    ```
    */admin@LY.COM *
    ```
- Start the services
  - Start the KDC
  - Start the admin server

    ```shell
    sudo service krb5-kdc start
    sudo service krb5-admin-server start
    # check that both services are running
    sudo systemctl status krb5-kdc
    sudo systemctl status krb5-admin-server
    ```

    Output on hp01:

    ```
    liyuan@hp01:/etc$ sudo systemctl status krb5-kdc
    ● krb5-kdc.service - Kerberos 5 Key Distribution Center
       Loaded: loaded (/lib/systemd/system/krb5-kdc.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2020-01-14 15:32:09 CST; 23h ago
      Process: 29042 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS (code=exited, status=0/SUCCESS)
     Main PID: 29053 (krb5kdc)
        Tasks: 1 (limit: 4632)
       CGroup: /system.slice/krb5-kdc.service
               └─29053 /usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid

    liyuan@hp01:/etc$ sudo systemctl status krb5-admin-server
    ● krb5-admin-server.service - Kerberos 5 Admin Server
       Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2020-01-14 18:41:32 CST; 20h ago
     Main PID: 29545 (kadmind)
        Tasks: 1 (limit: 4632)
       CGroup: /system.slice/krb5-admin-server.service
               └─29545 /usr/sbin/kadmind -nofork

    Jan 14 18:41:32 hp01 kadmind[29545]: Setting up TCP socket for address 0.0.0.0.464
    Jan 14 18:41:32 hp01 kadmind[29545]: Setting up TCP socket for address ::.464
    Jan 14 18:41:32 hp01 kadmind[29545]: setsockopt(12,IPV6_V6ONLY,1) worked
    Jan 14 18:41:32 hp01 kadmind[29545]: Setting up RPC socket for address 0.0.0.0.749
    Jan 14 18:41:32 hp01 kadmind[29545]: Setting up RPC socket for address ::.749
    Jan 14 18:41:32 hp01 kadmind[29545]: setsockopt(14,IPV6_V6ONLY,1) worked
    Jan 14 18:41:32 hp01 kadmind[29545]: set up 6 sockets
    Jan 14 18:41:32 hp01 kadmind[29545]: Seeding random number generator
    Jan 14 18:41:32 hp01 kadmind[29545]: starting
    Jan 14 18:41:32 hp01 kadmind[29545]: kadmind: starting...
    ```

    The kadmind log shows it listening on all interfaces (0.0.0.0 and ::) on port 464 (kpasswd) and port 749 (kadmin); only the hosts that need to change passwords or administer principals should be able to reach these ports. Finally, make both services start at boot:

    ```shell
    # start the services at boot
    sudo systemctl enable krb5-admin-server
    sudo systemctl enable krb5-kdc
    ```
Principal operations

- Starting kadmin

  ```shell
  sudo kadmin.local
  # typing ? prints the list of available commands
  kadmin.local:  ?
  Available kadmin.local requests:

  add_principal, addprinc, ank
                           Add principal
  delete_principal, delprinc
                           Delete principal
  modify_principal, modprinc
                           Modify principal
  rename_principal, renprinc
                           Rename principal
  change_password, cpw     Change password
  get_principal, getprinc  Get principal
  list_principals, listprincs, get_principals, getprincs
                           List principals
  add_policy, addpol       Add policy
  modify_policy, modpol    Modify policy
  delete_policy, delpol    Delete policy
  get_policy, getpol       Get policy
  list_policies, listpols, get_policies, getpols
                           List policies
  get_privs, getprivs      Get privileges
  ktadd, xst               Add entry(s) to a keytab
  ktremove, ktrem          Remove entry(s) from a keytab
  lock                     Lock database exclusively (use with extreme caution!)
  unlock                   Release exclusive database lock
  purgekeys                Purge previously retained old keys from a principal
  get_strings, getstrs     Show string attributes on a principal
  set_string, setstr       Set a string attribute on a principal
  del_string, delstr       Delete a string attribute on a principal
  list_requests, lr, ?     List available requests.
  quit, exit, q            Exit program.

  # create the admin principal; you are asked to type the password twice
  kadmin.local:  addprinc admin/admin@LY.COM
  # export admin's keytab with the ktadd command inside kadmin.local. Without -norandkey
  # the key is replaced by a random one, so the fixed password set a moment ago would stop working
  kadmin.local:  ktadd -norandkey -k ./admin.keytab admin/admin@LY.COM
  # type q to leave kadmin.local
  kadmin.local:  q
  # back in the shell, authenticate as the admin principal; you are prompted for the password
  kinit admin/admin
  ```
Create the ZooKeeper authentication principal

```shell
sudo kadmin.local
kadmin.local:  addprinc zookeeper/_HOST@LY.COM
# export the keytab (without -norandkey the service key is randomised)
kadmin.local:  ktadd -kt zookeeper.keytab zookeeper/_HOST@LY.COM
# keep the zookeeper.keytab written to the current directory; it is copied to the ZooKeeper nodes later
```
Configure the ZooKeeper HA cluster in secure mode

- Download the latest binary release from the official site
- Upload it to the Ubuntu 18.04 virtual machines
- Create a zookeeper user in the hadoop group; ideally it shares a group with hdfs
- Perform the following steps as the zookeeper user
- Unpack the archive and edit the configuration files under conf/:

  ```shell
  # create zoo.cfg from the template
  cp zoo_sample.cfg zoo.cfg
  vim zoo.cfg
  ```

  Change it to the following:

  ```
  # The number of milliseconds of each tick
  tickTime=2000
  # The number of ticks that the initial
  # synchronization phase can take
  initLimit=10
  # The number of ticks that can pass between
  # sending a request and getting an acknowledgement
  syncLimit=5
  # the directory where the snapshot is stored.
  # do not use /tmp for storage, /tmp here is just
  # example sakes.
  dataDir=../data
  dataLogDir=../logs
  # the port at which the clients will connect
  clientPort=2181
  # the maximum number of client connections.
  # increase this if you need to handle more clients
  #maxClientCnxns=60
  #
  # Be sure to read the maintenance section of the
  # administrator guide before turning on autopurge.
  #
  # http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
  #
  # The number of snapshots to retain in dataDir
  #autopurge.snapRetainCount=3
  # Purge task interval in hours
  # Set to "0" to disable auto purge feature
  #autopurge.purgeInterval=1
  authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
  jaasLoginRenew=3600000
  # host IP / inter-server heartbeat port / data port
  server.1=192.168.1.21:2888:3888
  server.2=192.168.1.22:2888:3888
  server.3=192.168.1.23:2888:3888
  ```
- Create the data and logs directories under the ZooKeeper home
- Create the file data/myid containing 1, the node's unique id within the ensemble
- Create conf/jass.conf, which tells the JAAS Kerberos login module which keytab and principal to use:

  ```
  Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab = true
    keyTab = "/opt/apache-zookeeper-3.5.6-bin/conf/zookeeper.keytab"
    storeKey = true
    useTicketCache = false
    principal = "zookeeper/_HOST@LY.COM";
  };
  ```
- Create conf/java.env so that the server JVM is started with the flag that loads the JAAS file:

  ```shell
  export JVMFLAGS="-Djava.security.auth.login.config=/opt/apache-zookeeper-3.5.6-bin/conf/jass.conf"
  ```
- Start ZooKeeper. First copy the zookeeper.keytab generated in step 6 into conf/:

  ```shell
  ./bin/zkServer.sh start
  # on failure, check the log under logs/
  # on success the log contains: Server successfully logged in
  ```
- If it starts successfully, scp the ZooKeeper directory to hp02 and hp03
- On hp02 and hp03 also create the zookeeper:hadoop user, edit data/myid as the zookeeper user to 2 and 3 respectively, then start the server on each node
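A pre-flight check to run on each node before `./bin/zkServer.sh start`, added here as an example and not part of the original post. It verifies what the steps above put in place: the SASL provider line in zoo.cfg, that data/myid names one of the server.N entries, that java.env passes conf/jass.conf to the JVM, and that the keytab named in jass.conf exists and is readable only by its owner. The ZooKeeper path defaults to the one used in the post; the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks for one ZooKeeper node before ./bin/zkServer.sh start.
# Added example, not part of the original post; ZK_HOME defaults to the post's install path.
ZK_HOME="${ZK_HOME:-/opt/apache-zookeeper-3.5.6-bin}"

# zk_sasl_enabled ZOO_CFG: true if zoo.cfg enables the SASL authentication provider
zk_sasl_enabled() {
  grep -q '^authProvider\.[0-9]*=org\.apache\.zookeeper\.server\.auth\.SASLAuthenticationProvider$' "$1"
}

# zk_myid_is_listed ZOO_CFG MYID_FILE: true if data/myid names a server.N line of zoo.cfg
zk_myid_is_listed() {
  id=$(tr -d ' \r\n' < "$2")
  case "$id" in ''|*[!0-9]*) return 1 ;; esac
  grep -q "^server\.$id=" "$1"
}

# zk_jaas_keytab JAAS_FILE: print the keyTab path named in the Server section
zk_jaas_keytab() {
  sed -n 's/.*keyTab *= *"\([^"]*\)".*/\1/p' "$1" 2>/dev/null | head -n 1
}

# zk_java_env_points_to JAVA_ENV JAAS_FILE: true if java.env hands this JAAS file to the JVM
zk_java_env_points_to() {
  grep -qF -- "-Djava.security.auth.login.config=$2" "$1"
}

# zk_keytab_private KEYTAB: true if the keytab exists and group/others have no access bits
zk_keytab_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# zk_preflight ZK_HOME: run every check, report each one, return 1 if any failed
zk_preflight() {
  home=$1; rc=0
  cfg="$home/conf/zoo.cfg"; jaas="$home/conf/jass.conf"; jenv="$home/conf/java.env"
  zk_sasl_enabled "$cfg" && echo "ok  SASLAuthenticationProvider set in zoo.cfg" \
    || { echo "BAD authProvider.N missing in $cfg"; rc=1; }
  zk_myid_is_listed "$cfg" "$home/data/myid" && echo "ok  data/myid matches a server.N entry" \
    || { echo "BAD data/myid is not a server.N id listed in $cfg"; rc=1; }
  zk_java_env_points_to "$jenv" "$jaas" && echo "ok  java.env passes $jaas to the JVM" \
    || { echo "BAD java.env lacks -Djava.security.auth.login.config=$jaas"; rc=1; }
  kt=$(zk_jaas_keytab "$jaas")
  zk_keytab_private "$kt" && echo "ok  keytab $kt is owner-only" \
    || { echo "BAD keytab '$kt' is missing or readable by group/others"; rc=1; }
  return $rc
}
if [ "${1:-}" = "--run" ]; then zk_preflight "$ZK_HOME"; fi
```

Run it as the zookeeper user with `sh zk_preflight.sh --run` (or `ZK_HOME=/path sh zk_preflight.sh --run`); a non-zero exit means at least one BAD line was printed.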
References

https://blog.csdn.net/sky_jiangcheng/article/details/81070240

Summary: this post describes how to build an MIT Kerberos authentication cluster on Ubuntu 18.04 Server, covering the authentication principle, the environment setup steps (installing and configuring the KDC and the clients), creating the ZooKeeper authentication principal, and configuring the ZooKeeper high-availability cluster in secure mode.