# Install the KDC, the admin server and the client tools on the Kerberos server node.
yum -y install krb5-server krb5-libs krb5-workstation
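# /etc/krb5.conf — used by the KDC host and copied unchanged to every node.
# Sections must start on their own line; the single-line form this was
# pasted as is not parseable by the krb5 profile reader.
[logging]
  # Server-side (KDC / kadmind) and library log destinations.
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = HADOOP.COM
  # Realm and KDC are resolved from [realms]/[domain_realm] below, not DNS.
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  # Maximum tolerated clock difference between client and KDC, in seconds.
  clockskew = 120
  # Force TCP for KDC traffic; the page notes this works around a Hadoop bug.
  udp_preference_limit = 1

[realms]
  HADOOP.COM = {
    kdc = node1
    admin_server = node1
  }

[domain_realm]
  .hadoop.com = HADOOP.COM
  hadoop.com = HADOOP.COM
  node1 = HADOOP.COM
  node2 = HADOOP.COM
  node3 = HADOOP.COM
  node4 = HADOOP.COM
  node5 = HADOOP.COM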
說明:
[logging]:表示server端的日誌的打印位置
udp_preference_limit = 1：禁止使用 UDP，可以避免 Hadoop 中的一個已知錯誤
ticket_lifetime: 代表憑證生效的時限,通常爲24小時。
renew_lifetime: 代表憑證最長可以被延期的時限，通常為一個禮拜。當憑證過期之後，對需要安全認證的服務的後續訪問就會失敗。
clockskew: 時鐘誤差，即票據時間戳與主機系統時鐘之間允許的最大偏差，超過此容差將不接受該票據，單位是秒。
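# kdc.conf on the KDC host. Restored to one directive per line; the
# collapsed single-line form is not valid for the krb5 profile reader.
[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
  HADOOP.COM = {
    #master_key_type = aes256-cts
    # kadmind authorization rules (see the kadm5.acl step below).
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    # Principals' passwords are rejected if they appear in this word list.
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    max_renewable_life = 7d
    # NOTE(review): des-cbc-crc, des-cbc-md5, des-hmac-sha1, des3-hmac-sha1
    # and arcfour-hmac are deprecated/weak; listing them here means new
    # principals are issued keys of those types. DES types are only usable
    # when allow_weak_crypto is enabled on the client side. Prefer trimming
    # the list to the aes*/camellia* types once every client supports them.
    # aes256-cts is absent — presumably because older JDKs needed the JCE
    # unlimited-strength policy for AES-256; confirm against the JDK in use.
    supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }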
# 修改如下（/var/kerberos/krb5kdc/kadm5.acl）：
*/admin@HADOOP.COM *
# kadm5.acl 文件的更多內容可參考：kadm5.acl
只要名稱滿足上述規則就可以擁有最高權限。
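# Initialise the realm database on the KDC host. The two commands were
# collapsed onto one line, which would hand the kdb5_util words to cd.
cd /var/kerberos/krb5kdc/ || exit 1
# -s writes the master key to a stash file in this directory so the KDC can
# start unattended; the stash holds the key in the clear, keep it root-only.
# kdb5_util prompts for the master password: choose a strong one and do not
# record it in scripts, comments or notes.
kdb5_util create -s -r HADOOP.COM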
圖示有誤，實際上會建立 4 個文件。
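# Create the first administrative principal (kadmin.local prompts for its
# password), then list the database to confirm it exists. kadmin.local runs
# directly against the local database on the KDC host, so it works before
# kadmind is started and is not subject to kadm5.acl.
# The original line was an interactive session collapsed onto one line;
# -q runs a single kadmin command non-interactively.
kadmin.local -q 'addprinc root/admin@HADOOP.COM'
kadmin.local -q 'listprincs'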
[root@node1 krb5kdc]# systemctl restart krb5kdc.service
[root@node1 krb5kdc]# systemctl restart kadmin
[root@node1 krb5kdc]# systemctl enable krb5kdc.service
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node1 krb5kdc]# systemctl enable kadmin.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node1 krb5kdc]#

安裝 Kerberos 客戶端
每個 node 節點都需要安裝客戶端及其配置。
# Client side only: libraries plus kinit/klist/kadmin, on every node.
yum -y install krb5-libs krb5-workstation
或者直接將 server 節點的該配置文件拷貝到各個節點即可：
[root@node1 krb5kdc]# scp /etc/krb5.conf node2:/etc/krb5.conf
krb5.conf                                100%  557   544.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node3:/etc/krb5.conf
krb5.conf                                100%  557   561.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node4:/etc/krb5.conf
krb5.conf                                100%  557   490.3KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node5:/etc/krb5.conf
krb5.conf                                100%  557   472.8KB/s   00:00
[root@node1 krb5kdc]#
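# Verify the client setup. In the collapsed original the "#" comments
# swallowed the klist/kadmin commands that followed them.
# kinit prompts for the password and prints nothing on success.
kinit root/admin@HADOOP.COM
# Show the cached TGT.
klist
# Log in to kadmind over the network and list principals; this also
# confirms that kadm5.acl grants root/admin access.
kadmin -q listprincs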
nm 和 nodemanager 可自定義，易於識別即可。
keytab 文件就相當於 Kerberos 帳戶的鑰匙，有了它就可以免密使用該帳戶，因此必須像密碼一樣妥善保護。
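# Prepare the directory that will hold this node's service keytabs.
# The three commands were collapsed onto one line in the original.
mkdir -p /etc/security/keytabs
cd /etc/security/keytabs || exit 1
# Opens an interactive session against the admin server; the addprinc and
# ktadd commands in the following steps are typed at the kadmin: prompt.
kadmin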
node1上的服務:
建一個就好了，其餘的多餘！！`addprinc -randkey hdfs/node1@HADOOP.COM`
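# Register the node1 service principals with random keys (no human
# password; the key exists only in the KDC and in the keytab exported
# below). The flag is -randkey; "-rankey" in the original is not a
# kadmin option. Each kadmin -q call authenticates to kadmind and prompts
# for the root/admin password; run the same commands inside one
# interactive kadmin session to enter it only once.
kadmin -q 'addprinc -randkey nn/node1@HADOOP.COM'
kadmin -q 'addprinc -randkey rm/node1@HADOOP.COM'
kadmin -q 'addprinc -randkey HTTP/node1@HADOOP.COM'
# Export one keytab per service. ktadd re-randomizes the key it writes, so
# the keytab becomes the only copy of the credential: protect it like a
# password (see the chmod step that follows).
kadmin -q 'ktadd -k /etc/security/keytabs/nn.service.keytab nn/node1@HADOOP.COM'
kadmin -q 'ktadd -k /etc/security/keytabs/rm.service.keytab rm/node1@HADOOP.COM'
kadmin -q 'ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/node1@HADOOP.COM'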
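# Verify the keytabs were written, then restrict them to the owner only:
# anyone who can read a keytab can authenticate as that service.
# "ll" is an interactive alias, not a command; use ls -l in scripts.
ls -l /etc/security/keytabs
cd /etc/security/keytabs || exit 1
chmod 400 -- *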
在 Kerberos server 上執行 kadmin.local：
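# Run on the KDC host as root. The original was an interactive kadmin.local
# session collapsed onto one line; each -q call below runs one command.
# addprinc without -randkey prompts for a password for every principal.
# NOTE(review): these are created as "http/<node>", while the node1 steps
# above use "HTTP/node1". Kerberos principal names are case-sensitive and
# SPNEGO clients request a ticket for HTTP/<host>, so the lowercase form
# is most likely a typo — confirm against the Hadoop site configuration
# before relying on these principals.
nodes="node1 node2 node3 node4 node5"
for n in $nodes; do
  kadmin.local -q "addprinc hdfs/${n}@HADOOP.COM"
  kadmin.local -q "addprinc http/${n}@HADOOP.COM"
done
# -norandkey (kadmin.local only) keeps the password-derived key, so the
# keytab and the password stay interchangeable for these principals.
# Both keytabs then hold credentials for every node: restrict their
# permissions and copy each node only what it needs.
for n in $nodes; do
  kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/${n}@HADOOP.COM"
  kadmin.local -q "ktadd -norandkey -k /etc/security/keytabs/http.keytab http/${n}@HADOOP.COM"
done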