简介
Kerberos认证流程
环境准备
安装Kerberos服务端
yum安装
yum install krb5-server krb5-libs krb5-workstation -y
vim /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 120
udp_preference_limit = 1
[realms]
HADOOP.COM = {
kdc = node1
admin_server = node1
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
node1 = HADOOP.COM
node2 = HADOOP.COM
node3 = HADOOP.COM
node4 = HADOOP.COM
node5 = HADOOP.COM
说明:
[logging]:表示server端的日志的打印位置
udp_preference_limit = 1 禁止使用udp可以防止一个Hadoop中的错误
ticket_lifetime: 表明凭证生效的时限,一般为24小时。
renew_lifetime: 表明凭证最长可以被延期的时限,一般为一个礼拜。当凭证过期之后,对安全认证的服务的后续访问则会失败。
clockskew:时钟偏差是不完全符合主机系统时钟的票据时戳的容差,超过此容差将不接受此票据,单位是秒
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
vim /var/kerberos/krb5kdc/kadm5.acl
#修改如下
*/admin@HADOOP.COM *
#kadm5.acl 文件更多内容可参考:kadm5.acl
只要名称满足上述规则就可以拥有最高权限。
初始化kerberos database
cd /var/kerberos/krb5kdc/
kdb5_util create -s -r HADOOP.COM
# hust@4400
图示有误,是会创建4个文件。
创建账户
kadmin.local
addprinc root/admin@HADOOP.COM
listprincs
设置开机自启
[root@node1 krb5kdc]# systemctl restart krb5kdc.service
[root@node1 krb5kdc]# systemctl restart kadmin
[root@node1 krb5kdc]# systemctl enable krb5kdc.service
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node1 krb5kdc]# systemctl enable kadmin.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node1 krb5kdc]#
安装Kerberos客户端
每一个node节点都需要安装客户端及其配置。
yum安装
yum install krb5-libs krb5-workstation -y
vim /etc/krb5.conf
或者直接将server节点的该配置文件拷贝到各个节点即可:
[root@node1 krb5kdc]# scp /etc/krb5.conf node2:/etc/krb5.conf
krb5.conf 100% 557 544.7KB/s 00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node3:/etc/krb5.conf
krb5.conf 100% 557 561.7KB/s 00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node4:/etc/krb5.conf
krb5.conf 100% 557 490.3KB/s 00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node5:/etc/krb5.conf
krb5.conf 100% 557 472.8KB/s 00:00
[root@node1 krb5kdc]#
客户端登录服务端
kinit root/admin@HADOOP.COM
#输入密码后没任何输出表示正确
klist
#登录 输入密码后进入
kadmin
listprincs
规划Hadoop中各个服务分配kerberos的principal
nm和nodemanager可自定义,易于识别即可
配置HDFS
配置HDFS相关的kerberos账户
keytab文件就相当于kerberos账户的钥匙,有了它就可以免密使用该账户。
mkdir /etc/security/keytabs
cd /etc/security/keytabs
kadmin
node1上的服务:
建一个就行了,其他的多余!!
addprinc -rankey hdfs/node1@HADOOP.COM
kadmin
addprinc -rankey nn/node1@HADOOP.COM
addprinc -rankey rm/node1@HADOOP.COM
addprinc -rankey HTTP/node1@HADOOP.COM
ktadd -k /etc/security/keytabs/nn.service.keytab nn/node1@HADOOP.COM
ktadd -k /etc/security/keytabs/rm.service.keytab rm/node1@HADOOP.COM
ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/node1@HADOOP.COM
ll /etc/security/keytabs
cd /etc/security/keytabs
chmod 400 *
编译及拷贝程序
core-site.xml
hdfs-site.xml
自己配置
kerberos server上执行kadmin.local
:
kadmin.local: addprinc hdfs/node1@HADOOP.COM
kadmin.local: addprinc hdfs/node2@HADOOP.COM
kadmin.local: addprinc hdfs/node3@HADOOP.COM
kadmin.local: addprinc hdfs/node4@HADOOP.COM
kadmin.local: addprinc hdfs/node5@HADOOP.COM
kadmin.local: addprinc http/node1@HADOOP.COM
kadmin.local: addprinc http/node2@HADOOP.COM
kadmin.local: addprinc http/node3@HADOOP.COM
kadmin.local: addprinc http/node4@HADOOP.COM
kadmin.local: addprinc http/node5@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node1@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node2@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node3@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node4@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node5@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node1@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node2@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node3@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node4@HADOOP.COM
kadmin.local: ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node5@HADOOP.COM