Kerberos authentication in the Hadoop ecosystem, part 1: ZooKeeper
- I. ZooKeeper
- 1. Preparation
- 2. Configuration
- 2.1 Create the server principal
- 2.2 Export the keytab
- 2.3 Edit the ZooKeeper configuration file
- 2.4 Create the jaas.conf file
- 2.5 Create the client principal and export it
- 2.6 Configure the client-jaas.conf file
- 3. Verify ZooKeeper's Kerberos authentication
- 4. Correction
I. ZooKeeper
1. Preparation
Stop the Hadoop cluster.
Install the Kerberos service (KDC plus kadmin).
2. Configuration
The host is named node. This article works on a single node; a cluster is configured much the same way, as long as the configuration files are identical on every node and each node has its own principal and keytab (the cluster used here was shrunk to one node because of limited machine resources).
2.1 Create the server principal
After Kerberos is installed, run kadmin.local to enter the local administrator shell.
Create the zookeeper principal for the ZooKeeper server:
Note: the primary part of the server principal must be zookeeper. A ZooKeeper client requests a service ticket for zookeeper/<host> (the client-side property zookeeper.sasl.client.username defaults to zookeeper), so a server running under any other principal name fails the SASL handshake.
kadmin.local: addprinc zookeeper/node
WARNING: no policy specified for zookeeper/node@HADOOP.COM; defaulting to no policy
Enter password for principal "zookeeper/node@HADOOP.COM":
Re-enter password for principal "zookeeper/node@HADOOP.COM":
Principal "zookeeper/node@HADOOP.COM" created.
kadmin.local:
2.2 Export the keytab
-norandkey (available in kadmin.local only) exports the principal's current key without rotating it, so the password set above keeps working for kinit. Keep in mind that every principal appended to the same root.keytab is exposed to anyone who can read that one file; in production, give each service its own keytab, owned by that service's account with mode 0400.
kadmin.local: ktadd -norandkey -k /usr/data/kerberos/keytab/root.keytab zookeeper/node
2.3 Edit the ZooKeeper configuration file
Run vi ${ZOOKEEPER_HOME}/conf/zoo.cfg and add the following:
# enable SASL (Kerberos) authentication
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# JAAS login renewal interval, in milliseconds
jaasLoginRenew=3600000
# strip the host part from client principals, so zkcli/node@HADOOP.COM is seen as zkcli@HADOOP.COM (this matters for sasl: ACLs);
# when it is unset, services such as HBase that talk to ZooKeeper may fail with "GSS initiate failed"
kerberos.removeHostFromPrincipal=true
zoo.cfg is read with java.util.Properties, which treats # as a comment only at the start of a line: a comment appended after a value becomes part of the value (the class name no longer loads, the renewal interval is not a number, and the boolean is anything but the exact string true), so keep comments on their own lines as above. Unknown keys in zoo.cfg are turned into zookeeper.* system properties, which is how these three settings reach the SASL code.
2.4 Create the jaas.conf file
Create the file with touch jaas.conf under ${ZOOKEEPER_HOME}/conf and edit it with vi jaas.conf:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/data/kerberos/keytab/root.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/node@HADOOP.COM";
};
The JAAS configuration file defines the login properties: the service principal, the location of the keytab file, and so on. The options mean:
- useKeyTab: boolean; whether to log in from a keytab file (true here).
- keyTab: path and name of the keytab holding the principal's key. The path must be in double quotes.
- storeKey: boolean; keep the principal's key in the Subject's private credentials, which the server side (the GSS acceptor) needs.
- useTicketCache: boolean; whether to take an existing TGT from the ticket cache. It is false here, so a kinit ticket cache is ignored and only the keytab is used.
- debug: boolean; prints login diagnostics, useful for troubleshooting.
- principal: the name of the principal to log in as.
2.5 Create the client principal and export it
kadmin.local: addprinc zkcli/node
kadmin.local: ktadd -norandkey -k /usr/data/kerberos/keytab/root.keytab zkcli/node
2.6 Configure the client-jaas.conf file
Create the file with touch client-jaas.conf and edit it with vi client-jaas.conf. Note that the keyTab path below (/usr/local/zookeeper/conf/zk-clie.keytab) is not the root.keytab that ktadd wrote to in 2.5; whichever file you reference here must actually contain zkcli/node, which you can confirm with klist -kt /usr/local/zookeeper/conf/zk-clie.keytab. A client whose keytab does not match its principal cannot log in, and the ZooKeeper client then falls back to an unauthenticated connection if the server allows one.
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"
storeKey=true
useTicketCache=false
principal="zkcli/node@HADOOP.COM";
};
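The two files produced in 2.3 to 2.6 are easy to get subtly wrong, and ZooKeeper reports little when they are. As an added example (not code from the original article or from ZooKeeper), the following Python script checks them the way ZooKeeper reads them: zoo.cfg with java.util.Properties semantics, where # opens a comment only at the start of a line, and the JAAS file parsed into its Server and Client sections. The zoo.cfg and jaas.conf samples are constructed inline from the fragments above; the keytab permission check only runs with check_files=True against real paths. The property names are the ones used on this page; the function names are the example's own.

```python
import os
import re
import stat


def load_properties(text: str) -> dict:
    """Approximate java.util.Properties.load (no escapes or line continuations):
    '#' or '!' opens a comment only as the first non-blank character of a line,
    so text appended after a value on the same line becomes PART of the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*(?:[=:]\s*)?(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"


def audit_zoo_cfg(text: str) -> list:
    """Flag the three Kerberos settings when a trailing comment has polluted them."""
    p = load_properties(text)
    findings = []
    provider = p.get("authProvider.1", "")
    if provider != SASL_PROVIDER:
        findings.append(f"authProvider.1={provider!r}: loaded by exact class name, so this provider would not be registered")
    renew = p.get("jaasLoginRenew", "")
    if not renew.isdigit():
        findings.append(f"jaasLoginRenew={renew!r}: must be a plain integer (milliseconds)")
    strip_host = p.get("kerberos.removeHostFromPrincipal", "")
    if strip_host not in ("true", "false"):
        findings.append(f"kerberos.removeHostFromPrincipal={strip_host!r}: only the exact string 'true' enables it")
    return findings


JAAS_SECTION = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
JAAS_OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+?)(?=[\s;])')


def parse_jaas(text: str) -> dict:
    """Return {section: {option: value}} for single-module JAAS entries like the ones on this page."""
    return {name: {k: v.strip('"') for k, v in JAAS_OPTION.findall(body)}
            for name, body in JAAS_SECTION.findall(text)}


def audit_jaas(text: str, check_files: bool = True) -> list:
    """Check the Server and Client login entries for the mistakes that end in
    'GSS initiate failed' or in a silent fallback to an unauthenticated session."""
    findings = []
    sections = parse_jaas(text)
    for name in ("Server", "Client"):
        entry = sections.get(name)
        if entry is None:
            findings.append(f"{name}: section missing")
            continue
        principal = entry.get("principal", "")
        if name == "Server" and not principal.startswith("zookeeper/"):
            findings.append(f"Server: principal {principal!r} must be zookeeper/<host>; clients request that name by default")
        if name == "Server" and (entry.get("useKeyTab") != "true" or entry.get("useTicketCache") != "false"):
            findings.append("Server: a daemon must log in from its keytab (useKeyTab=true, useTicketCache=false)")
        keytab = entry.get("keyTab", "")
        if not keytab:
            findings.append(f"{name}: keyTab not set")
        elif check_files:  # only meaningful on the host that owns the files
            if not os.path.isfile(keytab):
                findings.append(f"{name}: keytab {keytab} not found on this host")
            elif os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"{name}: keytab {keytab} is group/world accessible; chmod 600 and chown it to the service user")
    return findings


# Constructed samples: the zoo.cfg lines with trailing comments, and the corrected form.
ZOO_CFG_WITH_TRAILING_COMMENTS = """\
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider ## enable authentication
jaasLoginRenew=3600000 ## renewal interval
kerberos.removeHostFromPrincipal=true # strip host from principal
"""
ZOO_CFG_FIXED = """\
# enable SASL authentication
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# JAAS login renewal interval, in milliseconds
jaasLoginRenew=3600000
# strip the host part from client principals
kerberos.removeHostFromPrincipal=true
"""
JAAS_CONF = """\
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/usr/data/kerberos/keytab/root.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/node@HADOOP.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"
  storeKey=true
  useTicketCache=false
  principal="zkcli/node@HADOOP.COM";
};
"""

if __name__ == "__main__":
    print("zoo.cfg with trailing comments:", audit_zoo_cfg(ZOO_CFG_WITH_TRAILING_COMMENTS))
    print("zoo.cfg fixed:", audit_zoo_cfg(ZOO_CFG_FIXED))
    print("jaas.conf:", audit_jaas(JAAS_CONF, check_files=False))
```

Run it on the real files with audit_zoo_cfg(open(path).read()) and audit_jaas(open(path).read()) as the user that will run ZooKeeper, so the permission check sees the same view of the keytab that the daemon will.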
3. Verify ZooKeeper's Kerberos authentication
[root@node bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/zookeeper-3.4.14/conf/jaas.conf"
[root@node bin]# zkServer.sh start
ZooKeeper JMX enabled by default
Using config: /usr/local/zookeeper/zookeeper-3.4.14/conf/zoo.cfg
Starting zookeeper ... STARTED
[root@node bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/zookeeper-3.4.14/conf/client-jaas.conf"
[root@node bin]# echo $JVMFLAGS
-Djava.security.auth.login.config=/usr/local/zookeeper/zookeeper-3.4.14/conf/client-jaas.conf
[root@node bin]# zkCli.sh -server node:2181
At this point the client fails to connect.
Log in to Kerberos (here with the root/node principal, created earlier in the same way as above; any other principal also works):
kinit -kt /usr/data/kerberos/keytab/root.keytab root/node
Run zkCli.sh -server node:2181 again; now it connects and commands can be issued:
[root@node ~]# zkCli.sh -server node:2181
Connecting to node:2181
2020-12-17 09:54:40,873 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT
2020-12-17 09:54:40,876 [myid:] - INFO [main:Environment@100] - Client environment:host.name=node
2020-12-17 09:54:40,876 [myid:] - INFO [main:Environment@100] - Client environment:java.version=1.8.0_261
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.home=/usr/local/java/jdk1.8.0_261/jre
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../conf:.:/usr/local/java/jdk1.8.0_261/lib/dt.jar:/usr/local/java/jdk1.8.0_261/lib/tools.jar:/usr/local/hadoop/hadoop-2.7.4/bin/hadoop
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:java.compiler=<NA>
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux
2020-12-17 09:54:40,878 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64
2020-12-17 09:54:40,879 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-1127.el7.x86_64
2020-12-17 09:54:40,879 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root
2020-12-17 09:54:40,879 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root
2020-12-17 09:54:40,879 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/root
2020-12-17 09:54:40,879 [myid:] - INFO [main:ZooKeeper@442] - Initiating client connection, connectString=node:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@277050dc
Welcome to ZooKeeper!
2020-12-17 09:54:40,926 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server node/192.168.88.129:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2020-12-17 09:54:40,932 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@879] - Socket connection established to node/192.168.88.129:2181, initiating session
2020-12-17 09:54:40,962 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server node/192.168.88.129:2181, sessionid = 0x10017d2e7bc004b, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: node:2181(CONNECTED) 0] ls /
[zookeeper, hbase, kylin]
[zk: node:2181(CONNECTED) 1]
Look closely at what that log shows, though: "Will not attempt to authenticate using SASL (unknown error)" means the client JVM found no JAAS 'Client' login context at all (the JVMFLAGS export was done in the [root@node bin] shell, while the successful run is in [root@node ~], so the -Djava.security.auth.login.config setting most likely never reached that JVM), and it opened a plain, unauthenticated session. The kinit ticket cache plays no part either, because the JAAS entry sets useTicketCache=false. ZooKeeper 3.4 accepts such a session and only ACLs restrict it, and the root znode's default ACL is world:anyone, so ls / succeeding proves nothing about Kerberos. A properly authenticated session logs "Client will use GSSAPI as SASL mechanism" and a SaslAuthenticated watcher event, as in section 4. (Releases from 3.6 on can refuse unauthenticated clients with sessionRequireClientSASLAuth=true; 3.4.14 has no such switch.)
4. Correction
In step 2.4 (creating jaas.conf), create the file with touch jaas.conf, edit it with vi jaas.conf, and put the Server and Client sections together in that one file:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/data/kerberos/keytab/root.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/node@HADOOP.COM";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"
storeKey=true
useTicketCache=false
principal="zkcli/node@HADOOP.COM";
};
Also create a java.env file under conf/ with the following content:
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/zookeeper-3.4.14/conf/jaas.conf"
zkEnv.sh sources conf/java.env, so both zkServer.sh and zkCli.sh pick up this setting without exporting JVMFLAGS by hand in every shell; the server logs in with the Server section and the client with the Client section of the same file.
Then start the server directly:
zkServer.sh start
Running the client with no -server argument then gives:
[root@node conf]# zkCli.sh
Connecting to localhost:2181
2020-12-18 09:54:43,352 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT
2020-12-18 09:54:43,354 [myid:] - INFO [main:Environment@100] - Client environment:host.name=node
2020-12-18 09:54:43,354 [myid:] - INFO [main:Environment@100] - Client environment:java.version=1.8.0_261
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.home=/usr/local/java/jdk1.8.0_261/jre
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../conf:.:/usr/local/java/jdk1.8.0_261/lib/dt.jar:/usr/local/java/jdk1.8.0_261/lib/tools.jar:/usr/local/hadoop/hadoop-2.7.4/bin/hadoop
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:java.compiler=<NA>
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-1127.el7.x86_64
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root
2020-12-18 09:54:43,356 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/usr/local/zookeeper/zookeeper-3.4.14/conf
2020-12-18 09:54:43,357 [myid:] - INFO [main:ZooKeeper@442] - Initiating client connection, connectString=localhost:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@277050dc
Welcome to ZooKeeper!
JLine support is enabled
[zk: localhost:2181(CONNECTING) 0] 2020-12-18 09:54:43,680 [myid:] - INFO [main-SendThread(localhost:2181):Login@297] - Client successfully logged in.
2020-12-18 09:54:43,683 [myid:] - INFO [main-SendThread(localhost:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2020-12-18 09:54:43,687 [myid:] - INFO [Thread-1:Login$1@130] - TGT refresh thread started.
2020-12-18 09:54:43,691 [myid:] - INFO [Thread-1:Login@305] - TGT valid starting at: Fri Dec 18 09:54:43 CST 2020
2020-12-18 09:54:43,691 [myid:] - INFO [Thread-1:Login@306] - TGT expires: Sun Dec 20 09:54:43 CST 2020
2020-12-18 09:54:43,691 [myid:] - INFO [Thread-1:Login$1@185] - TGT refresh sleeping until: Sun Dec 20 00:52:24 CST 2020
2020-12-18 09:54:43,707 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1%1:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2020-12-18 09:54:43,710 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@879] - Socket connection established to localhost/0:0:0:0:0:0:0:1%1:2181, initiating session
2020-12-18 09:54:43,721 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1%1:2181, sessionid = 0x1000025d1a00000, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
2020-12-18 09:54:43,733 [myid:] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@308] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2020-12-18 09:54:43,734 [myid:] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1072] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
[zk: localhost:2181(AUTH_FAILED) 0] ls /
Not connected
The failure is a KDC lookup: the client builds the server's principal name from the host in the connect string, so connecting to localhost asks the KDC for a ticket for zookeeper/localhost@HADOOP.COM, a principal that was never created, and the KDC answers "Server not found in Kerberos database". Connect with the host name the server principal was created for instead (2181 is the default port, so -server node is equivalent), and it works:
zkCli.sh -server node:2181
[root@node conf]# zkCli.sh -server node
Connecting to node
2020-12-18 09:55:07,652 [myid:] - INFO [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT
2020-12-18 09:55:07,655 [myid:] - INFO [main:Environment@100] - Client environment:host.name=node
2020-12-18 09:55:07,655 [myid:] - INFO [main:Environment@100] - Client environment:java.version=1.8.0_261
2020-12-18 09:55:07,656 [myid:] - INFO [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:java.home=/usr/local/java/jdk1.8.0_261/jre
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper/zookeeper-3.4.14/bin/../conf:.:/usr/local/java/jdk1.8.0_261/lib/dt.jar:/usr/local/java/jdk1.8.0_261/lib/tools.jar:/usr/local/hadoop/hadoop-2.7.4/bin/hadoop
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:java.compiler=<NA>
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-1127.el7.x86_64
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root
2020-12-18 09:55:07,657 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/usr/local/zookeeper/zookeeper-3.4.14/conf
2020-12-18 09:55:07,658 [myid:] - INFO [main:ZooKeeper@442] - Initiating client connection, connectString=node sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@277050dc
Welcome to ZooKeeper!
JLine support is enabled
[zk: node(CONNECTING) 0] 2020-12-18 09:55:07,940 [myid:] - INFO [main-SendThread(node:2181):Login@297] - Client successfully logged in.
2020-12-18 09:55:07,942 [myid:] - INFO [Thread-1:Login$1@130] - TGT refresh thread started.
2020-12-18 09:55:07,945 [myid:] - INFO [Thread-1:Login@305] - TGT valid starting at: Fri Dec 18 09:55:07 CST 2020
2020-12-18 09:55:07,945 [myid:] - INFO [Thread-1:Login@306] - TGT expires: Sun Dec 20 09:55:07 CST 2020
2020-12-18 09:55:07,945 [myid:] - INFO [Thread-1:Login$1@185] - TGT refresh sleeping until: Sun Dec 20 01:31:29 CST 2020
2020-12-18 09:55:07,949 [myid:] - INFO [main-SendThread(node:2181):SecurityUtils$1@124] - Client will use GSSAPI as SASL mechanism.
2020-12-18 09:55:07,957 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server node/192.168.88.129:2181. Will attempt to SASL-authenticate using Login Context section 'Client'
2020-12-18 09:55:07,960 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@879] - Socket connection established to node/192.168.88.129:2181, initiating session
2020-12-18 09:55:07,967 [myid:] - INFO [main-SendThread(node:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server node/192.168.88.129:2181, sessionid = 0x1000025d1a00001, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
WATCHER::
WatchedEvent state:SaslAuthenticated type:None path:null
[zk: node(CONNECTED) 0] ls /
[zookeeper, hbase, kylin]
[zk: node(CONNECTED) 1]
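The two failures on this page (the unauthenticated fallback in section 3 and "Server not found in Kerberos database" above) can both be predicted from the keytabs and the connect string before a connection is opened. As an added example (not part of the original article and not ZooKeeper's code), this Python preflight does that offline: it walks the MIT keytab on-disk format without any Kerberos library (the same listing klist -kt prints), derives the service principal a client will request from the host in the connect string, and reports which failure a given connect string would hit. The sample keytabs are constructed in memory for the two principals on this page with placeholder key material; the helper names are the example's own. The check treats the server's keytab as the list of names the server can accept a ticket for.

```python
import struct
import time

KEYTAB_V2 = 0x0502
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data: bytes) -> bytes:
    """uint16 big-endian length prefix, as used throughout the keytab format."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(principals, kvno: int = 1, key: bytes = bytes(32)) -> bytes:
    """Construct a minimal MIT v2 keytab in memory. Sample data only: the key
    material is a placeholder; a real keytab is produced by kadmin's ktadd."""
    out = struct.pack(">H", KEYTAB_V2)
    for full in principals:
        name, realm = full.split("@", 1)
        components = name.split("/")
        entry = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            entry += _counted(c.encode())
        entry += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        entry += struct.pack(">H", ENCTYPE_AES256_CTS_HMAC_SHA1_96) + _counted(key)
        entry += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(entry)) + entry
    return out


def keytab_principals(data: bytes) -> set:
    """Return the principal names stored in a keytab by walking the MIT format:
    a 0x0502 (or 0x0501) header followed by int32-length-prefixed entries."""
    (version,) = struct.unpack(">H", data[:2])
    if version not in (0x0501, 0x0502):
        raise ValueError(f"not a keytab: version 0x{version:04x}")
    names, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        if version == 0x0501:
            ncomp -= 1  # v1 counted the realm as a component
        realm, p = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _read_counted(entry, p)
            comps.append(c)
        names.add("/".join(comps) + "@" + realm)  # one name per enctype; the set dedups
    return names


def service_principal_for(connect_string: str, realm: str, service: str = "zookeeper") -> str:
    """The name a ZooKeeper client asks the KDC for: <service>/<host from the connect
    string>@REALM. The server-side kerberos.removeHostFromPrincipal does not change it."""
    host = connect_string.split(",")[0].split(":")[0]
    return f"{service}/{host}@{realm}"


def preflight(connect_string, realm, server_keytab, client_keytab, client_principal):
    """Predict, from the keytabs alone, whether a connect string will authenticate."""
    spn = service_principal_for(connect_string, realm)
    problems = []
    if spn not in keytab_principals(server_keytab):
        problems.append(f"{spn} is not a principal the server holds a key for; the KDC answers "
                        "'Server not found in Kerberos database' and the client ends in AUTH_FAILED")
    if client_principal not in keytab_principals(client_keytab):
        problems.append(f"{client_principal} is not in the client keytab; the JAAS login fails and the "
                        "client falls back to an unauthenticated connection if the server allows one")
    return spn, problems


# Constructed sample keytabs for the principals created on this page.
SERVER_KEYTAB = build_keytab(["zookeeper/node@HADOOP.COM"])
CLIENT_KEYTAB = build_keytab(["zkcli/node@HADOOP.COM"])
CLIENT_PRINCIPAL = "zkcli/node@HADOOP.COM"

if __name__ == "__main__":
    for cs in ("localhost:2181", "node:2181"):
        spn, problems = preflight(cs, "HADOOP.COM", SERVER_KEYTAB, CLIENT_KEYTAB, CLIENT_PRINCIPAL)
        print(f"{cs} -> {spn}: {'ok' if not problems else problems}")
```

Run it against real files by passing open(path, "rb").read() for the two keytabs. The same reasoning applies to a quorum: the host part of each server's principal must be the name clients put in the connect string, so every server needs zookeeper/<its own host> in its keytab, and an alias such as localhost or a load-balancer name that no principal was created for will always fail the lookup.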