(接上一篇)
五、Kerberos
1、jsvc
所有节点:
# cd ~/soft
# wget http://mirror.bit.edu.cn/apache/commons/daemon/source/commons-daemon-1.0.15-native-src.tar.gz
（注意：镜像站走的是明文 HTTP，无法保证下载内容没有被篡改。编译前应用 Apache 官网发布的 PGP 签名或校验和核对该 tar 包；jsvc 之后会以 root 身份启动，被替换过的源码等于直接交出 root 权限。）
# tar zxf commons-daemon-1.0.15-native-src.tar.gz
# cd commons-daemon-1.0.15-native-src/unix;./configure; make
# cp jsvc /usr/local/hadoop-2.4.0/libexec/
# cd ~/soft
# wget http://mirror.bit.edu.cn/apache//commons/daemon/binaries/commons-daemon-1.0.15-bin.tar.gz
（同样先核对签名或校验和，再把 jar 放进 Hadoop 的 classpath。）
# tar zxf commons-daemon-1.0.15-bin.tar.gz
# cp commons-daemon-1.0.15/commons-daemon-1.0.15.jar /usr/local/hadoop-2.4.0/share/hadoop/hdfs/lib/
# cp commons-daemon-1.0.15/commons-daemon-1.0.15.jar /usr/local/hadoop-2.4.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/
# rm -f /usr/local/hadoop-2.4.0/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar
# rm -f /usr/local/hadoop-2.4.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/commons-daemon-1.0.13.jar
# vim /usr/local/hadoop-2.4.0/etc/hadoop/hadoop-env.sh
export JSVC_HOME=/usr/local/hadoop-2.4.0/libexec/
（jsvc 的用途是让 DataNode 先以 root 绑定特权端口（小于 1024）再降权运行，防止普通用户冒充 DataNode。只设置 JSVC_HOME 并不会自动启用这种模式，而后文 hdfs-site.xml 里的 ignore.secure.ports.for.testing=true 实际上又关闭了对特权端口的要求。）
2、256位加密
所有节点:
# wget -c http://download.oracle.com/otn-pub/java/jce/7/UnlimitedJCEPolicyJDK7.zip
（原文链接中的 AuthParam=… 看起来是 Oracle 为单次下载签发、带时间戳的令牌，早已失效，需要在 Oracle 网站接受许可后重新获取下载链接。这个 zip 替换的是 JVM 的加密策略文件，同样应核对 Oracle 提供的校验和后再安装。）
# unzip UnlimitedJCEPolicyJDK7.zip
# cp UnlimitedJCEPolicy/*.jar /usr/java/jdk1.7.0_65/jre/lib/security/
（注意：下面的覆盖提示显示的是 jdk1.7.0_51，与这里的 jdk1.7.0_65 不一致。策略文件必须装到 Hadoop/HBase 实际使用的那个 JDK 下（以 hadoop-env.sh 中的 JAVA_HOME 为准），否则 aes256-cts 票据会因密钥长度受限而无法解密。）
cp:是否覆盖"/usr/java/jdk1.7.0_51/jre/lib/security/local_policy.jar"? y
cp:是否覆盖"/usr/java/jdk1.7.0_51/jre/lib/security/US_export_policy.jar"? y
3、部署KDC
主机test3:
安装kdc server
# yum -y install krb5\*
配置文件krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc= FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = cc.cn
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 365d
renew_lifetime = 365d
# 注意：一年有效期的票据一旦泄露，攻击者可以持续使用一年。生产环境应缩短到小时级
# （例如 ticket_lifetime = 24h，renew_lifetime = 7d），守护进程依靠 keytab 自动重新登录即可。
forwardable = true
[realms]
cc.cn = {
kdc = test3
admin_server = test3
}
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
配置文件kdc.conf
# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
cc.cn = {
#master_key_type = aes256-cts
# 注意：注释掉后主密钥类型取 krb5 的默认值；较旧版本 krb5 的默认值可能不是 AES，建议取消注释显式指定为 aes256-cts。
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# 注意：上面列表中的 arcfour-hmac（RC4）和各类 des-* 都是已知弱加密类型，KDC 会为每个 principal 保存这些类型的密钥，
# 协商时也可能降级到弱类型。既然已经安装了 Unlimited JCE，建议只保留 aes256-cts:normal aes128-cts:normal。
}
配置文件kadm5.acl
# vim /var/kerberos/krb5kdc/kadm5.acl
*/admin@cc.cn *
# 该规则把完整管理权限授予所有形如 xxx/admin 的 principal；这类账号要严格控制，本文件应只允许 root 读写。
创建数据库
# kdb5_util create -r cc.cn -s
（-s 会把数据库主密钥写入 stash 文件，供 KDC 无人值守启动；该文件等同于整个 realm 的根密钥，只能由 root 读取，并应纳入备份和访问审计。）
Enter KDC database master key:
启动及开机启动
# service krb5kdc start
# service kadmin start
# chkconfig krb5kdc on
# chkconfig kadmin on
创建管理员用户
# kadmin.local
kadmin.local: addprinc root/admin
Enter password for principal "root/admin@cc.cn":
六、Hadoop整合Kerberos
1、配置节点认证
主机test1:
# yum -y install krb5\*
# scp test3:/etc/krb5.conf /etc/
# kadmin -p root/admin
kadmin: addprinc -randkey root/test1
kadmin: addprinc -randkey HTTP/test1
kadmin: ktadd -k /hadoop/krb5.keytab root/test1 HTTP/test1
（注意：keytab 等同于这两个 principal 的长期密码，生成后应 chmod 400 并仅由运行 Hadoop 守护进程的用户持有。本文所有守护进程共用 root/_HOST 这一个 principal，而且从提示符看全部以 root 操作；更稳妥的做法是按服务拆分系统用户和 principal，单个服务被攻破时不会同时持有整个集群的身份。）
主机test2:
# yum -y install krb5\*
# scp test3:/etc/krb5.conf /etc/
# kadmin -p root/admin
kadmin: addprinc -randkey root/test2
kadmin: addprinc -randkey HTTP/test2
kadmin: ktadd -k /hadoop/krb5.keytab root/test2 HTTP/test2
主机test3:
# kadmin.local
kadmin.local: addprinc -randkey root/test3
kadmin.local: addprinc -randkey HTTP/test3
kadmin.local: ktadd -k /hadoop/krb5.keytab root/test3 HTTP/test3
2、添加配置
配置文件core-site.xml
主机test1:
# vim /usr/local/hadoop-2.4.0/etc/hadoop/core-site.xml
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
配置文件hdfs-site.xml
主机test1:
# vim /usr/local/hadoop-2.4.0/etc/hadoop/hdfs-site.xml
<property>
<name>dfs.journalnode.keytab.file</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>dfs.journalnode.kerberos.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
<property>
<name>dfs.journalnode.kerberos.internal.spnego.principal</name>
<value>HTTP/_HOST@cc.cn</value>
</property>
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<property>
<name>dfs.namenode.keytab.file</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/_HOST@cc.cn</value>
</property>
<property>
<name>ignore.secure.ports.for.testing</name>
<value>true</value>
<!-- 注意：该项仅用于测试。它允许 DataNode 在非特权端口上以普通方式启动，跳过了
     "安全 DataNode 必须由 root 通过 jsvc 绑定特权端口后再降权" 的检查，而这正是前文安装 jsvc
     想达到的防护（防止普通用户冒充 DataNode）。生产环境应去掉此项，改用 jsvc 的安全启动方式。 -->
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
<property>
<name>hadoop.http.staticuser.user</name>
<value>root</value>
<!-- 注意：这是 Web 界面上未经认证的访问者被当作的用户名。设为 root 意味着匿名访问 HDFS Web UI 的人
     拥有 root 的身份；本文守护进程又是以 root 启动的，root 即 HDFS 超级用户。如果 HTTP 认证没有同时
     设为 kerberos（本文 core-site.xml 中未见 hadoop.http.authentication.type 的配置），等于把超级用户
     权限开放给任何能访问 NameNode Web 端口的人。应改回默认的无特权用户名 dr.who。 -->
</property>
配置文件yarn-site.xml
主机test1:
# vim /usr/local/hadoop-2.4.0/etc/hadoop/yarn-site.xml
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
<property>
<name>yarn.nodemanager.keytab</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>yarn.nodemanager.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
配置文件mapred-site.xml
主机test1:
# vim /usr/local/hadoop-2.4.0/etc/hadoop/mapred-site.xml
<property>
<name>mapreduce.jobhistory.keytab</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>mapreduce.jobhistory.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
3、同步配置文件
主机test1:
# scp -r /usr/local/hadoop-2.4.0/ test2:/usr/local/
# scp -r /usr/local/hadoop-2.4.0/ test3:/usr/local/
4、启动
主机test1:
# start-all.sh
（start-all.sh 在 Hadoop 2.x 中已标记为废弃，建议改用 start-dfs.sh 和 start-yarn.sh 分别启动。）
5、验证
主机test3:
# kinit -k -t /hadoop/krb5.keytab root/test3
# hdfs dfs -ls /
（可先用 klist 确认已拿到 root/test3@cc.cn 的 TGT；再用 kdestroy 销毁票据后重新执行，此时应被拒绝，这样才能证明 Kerberos 认证确实生效，而不是仍在走 simple 认证。）
七、Hbase整合Kerberos
1、添加配置
配置文件hbase-site.xml
主机test1:
# vim /usr/local/hbase-0.98.1/conf/hbase-site.xml
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.rpc.engine</name>
<value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
<!-- 注意：hbase.rpc.engine 是 0.94 安全版的配置项，0.96 起 RPC 已统一，该项应当不再被读取；
     保留无害，但不要指望它在 0.98 上起作用，认证是否开启以 hbase.security.authentication 为准。 -->
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
<!-- TokenProvider 只负责给 MapReduce 任务签发委托令牌。hbase.security.authorization=true 只是打开授权开关，
     若需要基于用户/表的 ACL，还要额外加载 AccessController 协处理器；否则通过认证的用户都拥有全部权限。 -->
</property>
<property>
<name>hbase.master.keytab.file</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
<property>
<name>hbase.regionserver.keytab.file</name>
<value>/hadoop/krb5.keytab</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>root/_HOST@cc.cn</value>
</property>
2、同步配置文件
主机test1:
# scp /usr/local/hbase-0.98.1/conf/hbase-site.xml test2:/usr/local/hbase-0.98.1/conf/
# scp /usr/local/hbase-0.98.1/conf/hbase-site.xml test3:/usr/local/hbase-0.98.1/conf/
3、启动
主机test1:
# start-hbase.sh
4、验证
主机test3:
# kinit -k -t /hadoop/krb5.keytab root/test3
# hbase shell
八、集群连接方式
1、keytab文件位置
/etc/xiaofeiyun.keytab
创建过程
主机test1:
# kadmin -p root/admin
Password for root/admin@cc.cn:
kadmin: addprinc -randkey data/xiaofeiyun
kadmin: addprinc -randkey platform/xiaofeiyun
kadmin: ktadd -k /etc/xiaofeiyun.keytab data/xiaofeiyun platform/xiaofeiyun
# scp /etc/xiaofeiyun.keytab test2:/etc/
# scp /etc/xiaofeiyun.keytab test3:/etc/
（注意：这个 keytab 同时包含两个应用 principal 的长期密钥，分发到各节点后应设为 0400、属主为运行应用的账号，不要放在全局可读的位置。任一副本泄露都要对这两个 principal 重新 ktadd（密钥版本号递增，旧 keytab 随即失效）并重新分发。）
2、krb5.conf文件位置
/etc/krb5.conf
3、hadoop连接
conf.set("fs.defaultFS","hdfs://cluster1");
conf.set("dfs.nameservices","cluster1");
conf.set("dfs.ha.namenodes.cluster1","test1,test2");
conf.set("dfs.namenode.rpc-address.cluster1.test1","test1:9000");
conf.set("dfs.namenode.rpc-address.cluster1.test2","test2:9000");
conf.set("dfs.client.failover.proxy.provider.cluster1","org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider");
（仅凭以上配置，客户端通常仍按 simple 方式认证而被 NameNode 拒绝：还需要把 hadoop.security.authentication 设为 kerberos，在创建 FileSystem 之前通过 Hadoop 的 UserGroupInformation 用上面 /etc/xiaofeiyun.keytab 中的 principal 完成 keytab 登录，并且客户端机器上要有与 KDC 一致的 /etc/krb5.conf。）
4、hbase连接
<name>ha.zookeeper.quorum</name>
<value>test1:2181,test2:2181,test3:2181</value>
（注意：ha.zookeeper.quorum 是 HDFS HA（ZKFC）使用的配置名；HBase 客户端定位集群用的是 hbase.zookeeper.quorum，此处疑为笔误。HBase 客户端同样需要 hbase.security.authentication=kerberos 等与服务端一致的安全配置，并先以 keytab 登录，否则连接会被拒绝。）