CDH 6.3.2 OpenLDAP integration configuration

Tags (space-separated): Big Data Operations column




1: Hive integration with OpenLDAP

1.1 Install the OpenLDAP client on the CDH 6.3.2 host nodes

The OpenLDAP server is already configured; if you still need to set one up, see the flyfish post https://blog.51cto.com/flyfish225/4562546. Its deployment is not repeated here.

Install the openldap-clients packages:

yum -y install openldap-clients sssd authconfig nss-pam-ldapd


Edit the client configuration file:
    vim /etc/openldap/ldap.conf
    ---
    BASE    dc=flyfish,dc=com
    URI     ldap://192.168.100.14

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    TLS_CACERTDIR   /etc/openldap/certs

    # Turning this off breaks GSSAPI used with krb5 when rdns = false
    SASL_NOCANON    on

    ---



Verify the OpenLDAP client (-x selects a simple bind, the same bind type the ldapadd command below uses):
      ldapsearch -x -D "cn=admin,dc=flyfish,dc=com" -W | grep dn


1.2 Hive integration with OpenLDAP

1. Log in to the CM web console, go to the Hive service, and disable Hive impersonation:
    hive.server2.enable.doAs = false


Modify the LDAP settings. They can be set globally here; once set, every HiveServer2 instance uses this configuration:
    Enable LDAP Authentication = true
    hive.server2.authentication.ldap.url = ldap://192.168.100.14
    hive.server2.authentication.ldap.baseDN = ou=cdh,dc=flyfish,dc=com


In OpenLDAP, create an entry with uid hive.


Now restart the CDH Hive service:


Login test:
    beeline
    beeline> !connect jdbc:hive2://192.168.100.11:10000
    Connecting to jdbc:hive2://192.168.100.11:10000
    Enter username for jdbc:hive2://192.168.100.11:10000: hive
    Enter password for jdbc:hive2://192.168.100.11:10000: ******


2: Impala integration with OpenLDAP

1. Log in to the CM web console, go to the Impala service, and modify the LDAP settings:
    enable_ldap_auth = true
    ldap_uri = ldap://192.168.100.14
    ldap_baseDN = ou=cdh,dc=flyfish,dc=com


Impala Daemon Command Line Argument Advanced Configuration Snippet (Safety Valve):
    --ldap_passwords_in_clear_ok
This flag is required because the ldap_uri above is plain ldap:// with no TLS: without it Impala refuses to send LDAP bind passwords over the network unencrypted. An ldaps:// URI or StartTLS removes the need for it.


Set up the OpenLDAP user for Impala.


Restart Impala.


Impala login test:
    impala-shell -i flyfishsrvs01 -u hive -d default
This attempt is entered wrongly (no LDAP options) and fails with:
    Error connecting: TTransportException, TSocket read 0 bytes


Correct login, with LDAP enabled (-l) and the explicit acknowledgement that credentials are sent in the clear over this ldap:// URI:
    impala-shell -i flyfishsrvs01 -l -u impala -d default --auth_creds_ok_in_clear


3: Hue integration with OpenLDAP

Log in to CM as administrator, go to the Hue configuration page, and change Hue's authentication backend to LDAP.

Import the LDAP group entry:

vim group-flyfish.ldif
---
dn: cn=flyfish,ou=Group,dc=flyfish,dc=com
objectClass: posixGroup
objectClass: top
cn: flyfish
userPassword: {SSHA}PFp8AcylmONN4ZWtfZ/dPvdfkY/a5JUo
gidNumber: 984
---



Import the LDAP user entry:
vim user-ldap.ldif
---
dn: uid=flyfish,ou=People,dc=flyfish,dc=com
uid: flyfish
cn: flyfish
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}PFp8AcylmONN4ZWtfZ/dPvdfkY/a5JUo
shadowLastChange: 17493
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 987
gidNumber: 984
homeDirectory: /home/flyfish

---
ldapadd -D "cn=admin,dc=flyfish,dc=com" -W -x -f user-ldap.ldif


Hue LDAP authentication settings:
ldap_uri = ldap://192.168.100.14
ldap_baseDN = ou=cdh,dc=flyfish,dc=com 


hue_safety_valve.ini configuration:


Restart Hue.


After saving the changes above, and before restarting the Hue service, set the authentication backend to desktop.auth.backend.AllowFirstUserDjangoBackend.


After the restart succeeds, log in as Hue's superuser; here the hdfs user is the superuser.
Log in with the local account first, then sync the OpenLDAP users (username / password):
    hdfs / hdfs


Add and sync the LDAP users, because once LDAP accounts are enabled the local accounts can no longer be used.


Add the synced user flyfish.

Grant the flyfish user administrator rights; otherwise, once Hue switches to LDAP, the hdfs superuser account can no longer be used.


Add the flyfish user group.


Edit the flyfish user group.


Switch Hue's authentication backend to LDAP, then restart Hue.


After the restart, the local hdfs user can no longer log in.


Log in with the LDAP user flyfish.
Set the flyfish account password to 123456.


Log in to Hue with the flyfish account.
