CDH 5.12.2: enabling Kerberos authentication
阿新 • Published: 2018-04-10
Tags: big data, cdh, kerberos, hadoop
- 1: Installing and configuring the KDC service
- 2: Installing the Kerberos client on all cluster nodes (including CM)
- 3: Enabling Kerberos on the CDH cluster
1: Installing and configuring the KDC service
1.1 Install the KDC service
# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
1.2 Configure the KDC service
vim /etc/krb5.conf
---
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 udp_preference_limit = 1
 kdc_timeout = 3000
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }

[domain_realm]
 .node01.yangyang.com = GEMS.COM
 node01.yangyang.com = GEMS.COM
1.3 Edit /var/kerberos/krb5kdc/kadm5.acl
vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@GEMS.COM *
1.4 Edit /var/kerberos/krb5kdc/kdc.conf
vim /var/kerberos/krb5kdc/kdc.conf
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d
  max_life = 1d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable, +forwardable
 }
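The krb5.conf in 1.2 pins rc4-hmac as the default and permitted enctype, and the kdc.conf in 1.4 still lists DES, 3DES and RC4 under supported_enctypes; RFC 6649 and RFC 8429 deprecate all of these. The audit script below is an added example (not from the original post) that flags those types in either file; the two sample configs it embeds are constructed to mirror the settings above, and the AES-only counterpart is an assumption about what a hardened setting would look like.

```shell
#!/bin/sh
# Added example, not from the original post: audit the *_enctypes keys of a
# krb5.conf / kdc.conf for enctypes deprecated by RFC 6649 (DES) and RFC 8429
# (3DES, RC4). Sample configs are constructed inline to mirror this post's settings;
# on a real KDC pass /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf instead.
WEAK_RE='rc4-hmac|arcfour-hmac|des3-hmac-sha1|des-hmac-sha1|des-cbc-md5|des-cbc-crc'

# Print "key enctype" for every weak enctype named in the file's *_enctypes keys.
weak_enctypes() {
    sed -n -e 's/#.*//' \
           -e 's/^[[:space:]]*\([a-z_]*_enctypes\)[[:space:]]*=[[:space:]]*/\1 /' \
           -e '/^[a-z_]*_enctypes /p' "$1" |
    awk -v re="$WEAK_RE" '{
        for (i = 2; i <= NF; i++) {
            t = $i; sub(/:.*/, "", t)   # drop the ":normal" salt suffix used in kdc.conf
            if (t ~ "^(" re ")$") print $1, t
        }
    }'
}
# Number of weak entries; 0 means only AES/Camellia types are configured.
count_weak_enctypes() { weak_enctypes "$1" | awk 'END { print NR }'; }

# Constructed sample with the post's rc4-hmac defaults and DES-laden supported_enctypes.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
[libdefaults]
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
# Assumed hardened counterpart: AES only (Java needs the JCE policy from 3.1 for AES-256).
STRONG_CONF=$(mktemp)
cat > "$STRONG_CONF" <<'EOF'
[libdefaults]
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 GEMS.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
echo "weak enctypes in WEAK_CONF:"; weak_enctypes "$WEAK_CONF"
echo "STRONG_CONF weak entries: $(count_weak_enctypes "$STRONG_CONF")"
```

Running it against the post's settings reports eight weak entries (three rc4-hmac defaults plus the five DES/3DES/RC4 types in supported_enctypes); once every principal has been re-keyed with AES types, the hardened file reports none.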
1.5 Create the Kerberos database
# kdb5_util create -r GEMS.COM -s
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
---
The master password entered here is: GEMS.COM
1.6 Create the Kerberos admin account
# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local: addprinc admin/admin@GEMS.COM
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM": [enter password]
Re-enter password for principal "admin/admin@GEMS.COM": [enter password]
Principal "admin/admin@GEMS.COM" created.
kadmin.local: exit
1.7 Start the krb5 services
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on
1.8 Test the Kerberos admin account
kinit admin/admin@GEMS.COM
---> enter password: admin
# klist
2: Installing the Kerberos client on all cluster nodes (including CM)
Install on every node:
yum -y install krb5-libs krb5-workstation (must be installed on all nodes)
Install the additional component on the CM node
yum -y install openldap-clients (installed on the kdc-server node)
2.1 Sync the krb5.conf file to the other nodes
scp /etc/krb5.conf node02:/etc
scp /etc/krb5.conf node03:/etc
3: Enabling Kerberos on the CDH cluster
3.1 Install the JDK jce_policy-8.zip (unlimited-strength JCE policy)
# unzip jce_policy-8.zip
# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/
3.2 Enable Kerberos from the CM web UI
3.2.1 Configure the JDK directory:
3.2.2 Add the Cloudera Manager admin account in the KDC
kadmin.local
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local: addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Principal "cloudera-scm/admin@GEMS.COM" created.
The password is: Cloudera-scm
3.2.3 Enable Kerberos