Enabling Kerberos authentication on CDH 5.12.2

  • Part 1: Installing and configuring the KDC service
  • Part 2: Installing the Kerberos client on all cluster nodes (including CM)
  • Part 3: Enabling Kerberos on the CDH cluster

Part 1: Installing and configuring the KDC service

1.1 Install the KDC service

# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y

1.2 Configure the KDC service

vim /etc/krb5.conf

---
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 udp_preference_limit = 1
 kdc_timeout = 3000

# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }

[domain_realm]
 .node01.yangyang.com = GEMS.COM
 node01.yangyang.com = GEMS.COM

1.3 Edit /var/kerberos/krb5kdc/kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@GEMS.COM        *

1.4 Edit /var/kerberos/krb5kdc/kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf

---
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d
  max_life = 1d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable, +forwardable
 }
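The enctype settings above (default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes in krb5.conf, supported_enctypes in kdc.conf) pin this realm to rc4-hmac and still offer DES and 3DES, all of which are deprecated (RFC 8429 for RC4-HMAC and 3DES, RFC 6649 for DES). The following added Python check, not code from the original post or from MIT Kerberos, parses the krb5.conf/kdc.conf syntax (sections, key = value lines, nested { } groups, comments, includedir) and lists every setting that names a deprecated enctype; the SAMPLE text is constructed from the values shown in 1.2 and 1.4.

```python
import re
# Added audit example for this article (not from the original post or MIT krb5).
# RC4-HMAC and triple-DES are deprecated by RFC 8429, single DES by RFC 6649.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des3-hmac-sha1",
                 "des3-cbc-sha1", "des-hmac-sha1", "des-cbc-md5", "des-cbc-crc"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "permitted_enctypes", "supported_enctypes")
# Constructed sample: [libdefaults] from section 1.2 plus supported_enctypes from 1.4.
SAMPLE = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
[realms]
 GEMS.COM = {
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
 }
"""

def parse_krb5_conf(text):
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        if not line or line.startswith("include"):     # skip blanks and include(dir)
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                          # new [section]
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":                              # end of a key = { ... } group
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":                           # start of a nested group
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def weak_enctypes(conf, prefix=""):
    findings = []
    for key, value in conf.items():
        if isinstance(value, dict):                    # recurse into sections and realm groups
            findings += weak_enctypes(value, f"{prefix}{key}.")
        elif key in ENCTYPE_KEYS:
            for token in value.split():
                etype = token.split(":", 1)[0].lower() # kdc.conf appends ':salttype'
                if etype in WEAK_ENCTYPES:
                    findings.append((f"{prefix}{key}", etype))
    return sorted(findings)
```

Run it against the real files with parse_krb5_conf(open("/etc/krb5.conf").read()) and parse_krb5_conf(open("/var/kerberos/krb5kdc/kdc.conf").read()); an empty result means no deprecated enctype is configured.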

1.5 Create the Kerberos database

# kdb5_util create -r GEMS.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GEMS.COM',
master key name 'K/M@GEMS.COM'
You will be prompted for the database Master Password. 
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:

The master password entered here is: GEMS.COM

1.6 Create the Kerberos admin account

# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local:  addprinc admin/admin@GEMS.COM 
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM":  [enter password]
Re-enter password for principal "admin/admin@GEMS.COM":  [enter password]
Principal "admin/admin@GEMS.COM" created.

kadmin.local: exit

1.7 Start the krb5 services

service krb5kdc start 
service kadmin start 

chkconfig krb5kdc on 
chkconfig kadmin on

1.8 Test the Kerberos admin account

kinit admin/admin@GEMS.COM
---> enter the password: admin

# klist

Part 2: Install the Kerberos client on all cluster nodes (including CM)

Install on every node:
yum -y install krb5-libs krb5-workstation (required on all nodes)
Extra package on the CM node:
yum -y install openldap-clients (install on the kdc-server node)

2.1 Sync the krb5.conf file to the other nodes

scp /etc/krb5.conf  node02:/etc 
scp /etc/krb5.conf  node03:/etc

Part 3: Enabling Kerberos on the CDH cluster

3.1 Install the JDK's jce_policy-8.zip

# unzip jce_policy-8.zip

# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/

3.2 Enable Kerberos from the CM web UI

3.2.1 Configure the JDK directory:

3.2.2 Add the Cloudera Manager admin account in the KDC

kadmin.local
Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local:  addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [enter password]
Principal "cloudera-scm/admin@GEMS.COM" created.

The password is: Cloudera-scm

3.2.3 Enable Kerberos
