Enabling Kerberos authentication on CDH 6.3.2

Tags (space-separated): big-data platform build, database


  • I. How to install and configure the KDC service

  • II. How to enable Kerberos security through CDH

  • III. How to log in to Kerberos and access the Hadoop services

I. How to install and configure the KDC service

1.1 System environment

1. Operating system: CentOS 7.5 x64

2. CDH 6.3.2

3. All steps are run as root

1.2 Installing and configuring the KDC

1. Install the KDC packages on the Cloudera Manager server

 yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation


2. Edit /etc/krb5.conf (the realm is LANXIN.COM and both the KDC and the admin server live on 192.168.11.160)

vim /etc/krb5.conf
----
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = LANXIN.COM
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LANXIN.COM = {
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }

[domain_realm]
 .lanxin.com = LANXIN.COM
 lanxin.com = LANXIN.COM

---



3. Edit /var/kerberos/krb5kdc/kadm5.acl. The single rule below grants every principal whose instance is "admin" (admin/admin, cloudera/admin, ...) full rights over the realm, which is why the administrative accounts created later all use that instance.

vim /var/kerberos/krb5kdc/kadm5.acl
----
*/admin@LANXIN.COM      *
----


4. Edit /var/kerberos/krb5kdc/kdc.conf. The supported_enctypes list below is the stock CentOS 7 one; it still advertises DES, 3DES and RC4 (arcfour-hmac), all deprecated in current MIT Kerberos releases, so drop them unless a legacy client genuinely needs them.

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life= 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

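As an added example that is not part of the original post, the POSIX shell helpers below audit a kdc.conf for the legacy enctypes named above, print a hardened supported_enctypes line, and emit a rewritten copy of the file. The sample kdc.conf is constructed inline from the post's configuration; the function names and the rule that DES, 3DES and arcfour entries count as weak are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit the supported_enctypes
# line of an MIT kdc.conf for legacy ciphers and emit a hardened version.
# Assumption: DES (des-*), 3DES (des3-*) and RC4 (arcfour-*) are "weak";
# AES and Camellia entries are kept.

# Constructed sample kdc.conf with the same enctype list as the post's file.
SAMPLE_KDC_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KDC_CONF"' EXIT
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

WEAK_RE='^(des-|des3-|arcfour-)'

# list_enctypes FILE: print each enctype:salt token of supported_enctypes on its own line.
list_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ' '\n' | sed '/^$/d'
}

# weak_enctypes FILE: print the tokens a current KDC should no longer offer.
weak_enctypes() {
    list_enctypes "$1" | grep -E "$WEAK_RE" || :
}

# hardened_line FILE: print a replacement supported_enctypes line without the weak tokens.
hardened_line() {
    kept=$(list_enctypes "$1" | grep -Ev "$WEAK_RE" | tr '\n' ' ' | sed 's/ $//')
    printf 'supported_enctypes = %s\n' "$kept"
}

# harden_kdc_conf FILE: print the whole file with the supported_enctypes line replaced
# (indentation is preserved; review the output before installing it on the KDC).
harden_kdc_conf() {
    new_line=$(hardened_line "$1")
    awk -v line="$new_line" '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ { sub(/supported_enctypes.*/, line) }
        { print }' "$1"
}

echo "weak enctypes advertised by $SAMPLE_KDC_CONF:"
weak_enctypes "$SAMPLE_KDC_CONF"
echo "hardened line:"
hardened_line "$SAMPLE_KDC_CONF"
```

Against the post's file the audit reports des3-hmac-sha1, arcfour-hmac and the three des-* entries; `harden_kdc_conf /var/kerberos/krb5kdc/kdc.conf > /tmp/kdc.conf.new` gives a copy to diff and install before running kdb5_util create, since the enctypes chosen at database creation are what the principals' keys get.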


5. Create the Kerberos database (-r names the realm; -s writes a stash file so the KDC can read the master key at start-up without prompting)

kdb5_util create -r LANXIN.COM -s
  master password used in this post: LANXIN.COM
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
master key name 'K/M@LANXIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:
---
You are prompted here for the master password of the Kerberos database. It protects every key in the database, so outside a test environment choose a strong one rather than the realm name.


6. Create the Kerberos admin principal admin/admin@LANXIN.COM (its /admin instance matches the kadm5.acl rule above)

----
[root@dev01 ~]# kadmin.local 
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  
kadmin.local:  addprinc admin/admin@LANXIN.COM   
WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "admin/admin@LANXIN.COM":     [password entered: admin]
Re-enter password for principal "admin/admin@LANXIN.COM": 
Principal "admin/admin@LANXIN.COM" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----



7. Enable krb5kdc and kadmin at boot and start both services

  systemctl enable krb5kdc
  systemctl enable kadmin
  systemctl start krb5kdc
  systemctl start kadmin



8. Test the Kerberos admin principal (a successful kinit followed by klist shows a TGT for krbtgt/LANXIN.COM@LANXIN.COM)

  kinit admin/admin@LANXIN.COM
 ---
 Password for admin/admin@LANXIN.COM: 
[root@dev01 ~]# 
[root@dev01 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@LANXIN.COM

Valid starting       Expires              Service principal
05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
    renew until 06/02/2020 16:26:36
 ---


9. Install the Kerberos client packages on every cluster node, including the Cloudera Manager host

yum -y install krb5-libs krb5-workstation



10. Install the additional package on the Cloudera Manager Server host

yum -y install openldap-clients



11. Copy krb5.conf from the KDC server to every Kerberos client

scp /etc/krb5.conf root@192.168.11.161:/etc
scp /etc/krb5.conf root@192.168.11.162:/etc


II. Enabling Kerberos on the CDH cluster

1. In the KDC, create the admin principal that Cloudera Manager will use to manage the cluster's service principals:
    cloudera/admin@LANXIN.COM
----
[root@dev01 ~]# kadmin.local 
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  addprinc cloudera/admin@LANXIN.COM
WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "cloudera/admin@LANXIN.COM":       [password: cloudera]
Re-enter password for principal "cloudera/admin@LANXIN.COM": 
Principal "cloudera/admin@LANXIN.COM" created.
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
cloudera/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM

----



2. Go to the "Administration" -> "Security" page in Cloudera Manager and enable Kerberos from there.


Use xst -k to export the principals into a single keytab, /etc/devcdh.keytab, for testing. Note that xst (an alias of ktadd) randomizes a principal's key on export, so running it against admin/admin and cloudera/admin as shown invalidates the passwords set for them above; for principals that must keep a password, use xst -norandkey, which is only available in kadmin.local.

kadmin.local

xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM 

xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM

xst -k /etc/devcdh.keytab hdfs/dev01.lanxintec.cn@LANXIN.COM 
.......

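As an added example, not code from the original post, the shell helpers below first generate the kadmin.local command list for this export (xst -norandkey for the two password-login principals, a plain xst for the hdfs service principal), then check the result against `klist -kt` output and the keytab's file mode. The principal names are the post's; the klist -kt text is constructed for this example and deliberately omits the hdfs entry, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the keytab export step:
#   build_xst_batch  -> kadmin.local commands; password-login principals get
#                       -norandkey so the passwords set earlier keep working,
#                       service principals get a plain xst (fresh random key).
#   keytab_principals / keytab_missing -> check `klist -kt` output for the export.
#   keytab_mode_ok   -> the keytab must not be readable by group or others.
# Assumptions: principal names are the post's; the klist -kt text below is
# constructed (it deliberately omits the hdfs entry); function names are ours.

# Principals that must keep a usable password (exported with -norandkey).
PASSWORD_PRINCIPALS="admin/admin@LANXIN.COM cloudera/admin@LANXIN.COM"
# Service principals whose key may be re-randomized on export.
SERVICE_PRINCIPALS="hdfs/dev01.lanxintec.cn@LANXIN.COM"

# build_xst_batch KEYTAB: print kadmin.local commands, one per principal.
build_xst_batch() {
    keytab=$1
    for p in $PASSWORD_PRINCIPALS; do
        printf 'xst -norandkey -k %s %s\n' "$keytab" "$p"
    done
    for p in $SERVICE_PRINCIPALS; do
        printf 'xst -k %s %s\n' "$keytab" "$p"
    done
}

# Constructed `klist -kt /etc/devcdh.keytab` output: one row per key version.
SAMPLE_KLIST=$(mktemp)
trap 'rm -f "$SAMPLE_KLIST"' EXIT
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/devcdh.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/26/2020 17:01:10 admin/admin@LANXIN.COM
   2 05/26/2020 17:01:10 admin/admin@LANXIN.COM
   2 05/26/2020 17:01:15 cloudera/admin@LANXIN.COM
   2 05/26/2020 17:01:15 cloudera/admin@LANXIN.COM
EOF

# keytab_principals KLIST_FILE: unique principals in klist -kt output
# (data rows start with a numeric KVNO and end with the principal).
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /@/ { print $NF }' "$1" | sort -u
}

# keytab_missing KLIST_FILE: expected principals that did not make it into the keytab.
keytab_missing() {
    have=$(keytab_principals "$1")
    for p in $PASSWORD_PRINCIPALS $SERVICE_PRINCIPALS; do
        printf '%s\n' "$have" | grep -qxF "$p" || echo "$p"
    done
}

# keytab_mode_ok KEYTAB: succeed only if group and others have no permission bits
# (columns 5-10 of `ls -l` are the group and other rwx triplets).
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

echo "kadmin.local batch:"
build_xst_batch /etc/devcdh.keytab
echo "missing from sample keytab:"
keytab_missing "$SAMPLE_KLIST"
```

On the KDC, `build_xst_batch /etc/devcdh.keytab | kadmin.local` performs the export; afterwards `klist -kt /etc/devcdh.keytab > /tmp/kt.txt && keytab_missing /tmp/kt.txt` should print nothing, and `keytab_mode_ok /etc/devcdh.keytab` should succeed (chmod 600 the file if it does not), because anyone who can read a keytab can obtain tickets as every principal in it.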
