首页 > 其他 > 详细

cdh5.12.2 开启kerberos认证

时间:2018-04-10 15:01:05      阅读:714      评论:0      收藏:0      [点我收藏+]
  • 一:kdc 服务的安装与配置
  • 二:集群所有节点安装Kerberos客户端(包括CM)
  • 三:CDH集群启用Kerberos

一: kdc 服务的安装与配置

1.1 安装kdc服务

 # yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y

技术分享图片技术分享图片

1.2 配置kdc 服务

vim /etc/krb5.conf

---
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_kdc = false
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GEMS.COM
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 udp_preference_limit = 1
 kdc_timeout = 3000

# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GEMS.COM = {
  kdc = node01.yangyang.com
  admin_server = node01.yangyang.com
 }

[domain_realm]
 .node01.yangyang.com = GEMS.COM
 node01.yangyang.com = GEMS.COM

1.3 修改/var/kerberos/krb5kdc/kadm5.acl

vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@GEMS.COM        *

技术分享图片

1.4 修改/var/kerberos/krb5kdc/kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf
----
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 GEMS.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d
  max_life = 1d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable, +forwardable
 }

技术分享图片

1.5 创建Kerberos数据库

# kdb5_util create -r GEMS.COM -s

---
Loading random data
Initializing database ‘/var/kerberos/krb5kdc/principal‘ for realm ‘GEMS.COM‘,
master key name ‘K/M@GEMS.COM‘
You will be prompted for the database Master Password. 
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:
---
输入认证的密码为: GEMS.COM

技术分享图片

1.6 创建Kerberos的管理账号

# kadmin.local
Authenticating as principal root/admin@GEMS.COM with password.
kadmin.local:  addprinc admin/admin@GEMS.COM 
WARNING: no policy specified for admin/admin@GEMS.COM; defaulting to no policy
Enter password for principal "admin/admin@GEMS.COM":  [输入密码]
Re-enter password for principal "admin/admin@GEMS.COM":  [输入密码]
Principal "admin/admin@GEMS.COM" created.

kadmin.local: exit 

技术分享图片

1.7 启动krb5 的 服务

service krb5kdc start 
service kadmin start 

chkconfig krb5kdc on 
chkconfig kadmin on 

1.8 测试kerberos 的管理员账号

kinit admin/admin@GEMS.COM
---> 输入密码:admin

# klist 

技术分享图片

二:集群所有节点安装Kerberos客户端(包括CM)

全部节点都要安装:
yum -y install krb5-libs krb5-workstation (所有节点都要安装)
CM节点安装额外组件
yum -y install openldap-clients (kdc-server 节点安装)

2.1 节点同步krb5.conf 文件

scp /etc/krb5.conf  node02:/etc 
scp /etc/krb5.conf  node03:/etc 

三: CDH集群启用Kerberos

3.1 配置jdk 的 jce_policy-8.zip

# unzip jce_policy-8.zip

# cd UnlimitedJCEPolicyJDK8/
# cp -p *.jar /usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node02:/usr/java/jdk1.8.0_151/jre/lib/security/
# scp *.jar node03:/usr/java/jdk1.8.0_151/jre/lib/security/

3.2 打开CM 的 界面配置启用kerberos

  • 3.2.1 配置jdk 的目录:

  • 3.2.2 KDC添加Cloudera Manager管理员账号
    
    kadmin.local

Authenticating as principal admin/admin@GEMS.COM with password.
kadmin.local: addprinc cloudera-scm/admin@GEMS.COM
WARNING: no policy specified for cloudera-scm/admin@GEMS.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码]
Re-enter password for principal "cloudera-scm/admin@GEMS.COM": [输入密码]
Principal "cloudera-scm/admin@GEMS.COM" created.

密码为: Cloudera-scm



- 3.2.3 启用kerberos

cdh5.12.2 开启kerberos认证

原文:http://blog.51cto.com/flyfish225/2096487

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!