Kerberos is an authentication protocol built on symmetric-key cryptography. It acts as an independent, trusted third-party authentication service that other services can delegate authentication to, and it supports SSO (once a client has authenticated, it can access several services such as HBase and HDFS without authenticating again).
The Kerberos protocol has two main phases: in the first the KDC authenticates the Client, in the second the Service authenticates the Client. As shown in the figure below:
Terminology:
KDC: the Kerberos server; the Key Distribution Center, which issues tickets and records authorizations.
Client: the user (principal) that wants to access a service; both the KDC and the Service authenticate it.
Service: a Kerberos-integrated service such as HDFS, YARN or HBase.
principal: every user or service added to Kerberos needs a principal entry in the KDC; a principal has the form primary/instance@REALM.
TGT: Ticket Granting Ticket.
SGT: Service Granting Ticket (service ticket).
Authentication steps:
- The KDC authenticates the Client
Before a client user (principal) can access a Kerberos-integrated service, it must first authenticate to the KDC.
If authentication succeeds, the client receives a TGT (Ticket Granting Ticket), which it can subsequently use to access Kerberos-integrated services.
- The Service authenticates the Client
Once the user holds a TGT, it can go on to access the Service. It presents the TGT together with the name of the service it wants (for example HDFS) to the KDC and obtains an SGT (Service Granting Ticket), then presents the SGT to the Service. The Service uses the information in the SGT to authenticate the Client; once that succeeds the client can use the Service normally.
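Before moving on to the installation, here is a runnable sketch of the two phases just described. It is an added example, not code from this post or from any Kerberos implementation: the realm and principal names are the ones this post uses, the cipher is a toy HMAC-based construction standing in for a real Kerberos enctype, and the clockskew and ticket lifetime are the values the post configures later in krb5.conf. It shows that the Service needs only its own key (the key its keytab holds) to authenticate a client, and that a client whose clock is outside clockskew is rejected.

```python
"""Toy model of the two-phase Kerberos exchange: the KDC authenticates the client and
issues a TGT, then a service authenticates the client from a service ticket alone.
Added example; the 'cipher' is an HMAC-SHA256 keystream plus tag, NOT a Kerberos enctype."""
import hashlib, hmac, json, os, time

REALM = "HIVE.COM"            # realm name used throughout the post
CLOCKSKEW = 120               # seconds, the clockskew value from the post's krb5.conf
TICKET_LIFETIME = 24 * 3600   # ticket_lifetime = 24h
KRBTGT = f"krbtgt/{REALM}@{REALM}"

def _stream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a symmetric key (toy construction)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag and decrypt; a wrong key or a modified ticket raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _check_fresh(ts, now):
    # same tolerance as krb5.conf clockskew: replayed or badly-clocked authenticators fail here
    if abs(now - ts) > CLOCKSKEW:
        raise ValueError("clock skew exceeded")

class KDC:
    """Holds the long-term key of every principal, including krbtgt (the KDC database)."""
    def __init__(self, keys):
        self.keys = keys
    def as_exchange(self, client, preauth, now):
        # Phase 1: a timestamp decryptable with the client's key proves the client knows its key
        _check_fresh(unseal(self.keys[client], preauth)["ts"], now)
        sk = os.urandom(32).hex()
        tgt = {"client": client, "sk": sk, "exp": now + TICKET_LIFETIME}
        # TGT sealed under the krbtgt key (opaque to the client); session key returned under the client key
        return seal(self.keys[KRBTGT], tgt), seal(self.keys[client], {"sk": sk})
    def tgs_exchange(self, tgt_blob, authenticator, service, now):
        tgt = unseal(self.keys[KRBTGT], tgt_blob)
        if tgt["exp"] < now:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["sk"]), authenticator)
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        _check_fresh(auth["ts"], now)
        sk = os.urandom(32).hex()
        sgt = {"client": tgt["client"], "sk": sk, "exp": now + TICKET_LIFETIME}
        # SGT sealed under the service's key, which the service holds in its keytab
        return seal(self.keys[service], sgt), seal(bytes.fromhex(tgt["sk"]), {"sk": sk})

class Service:
    """A Kerberized service knows only its own key and never contacts the KDC."""
    def __init__(self, key):
        self.key = key
    def accept(self, sgt_blob, authenticator, now):
        # Phase 2: decrypting the SGT with its own key tells the service whom the KDC vouched for
        sgt = unseal(self.key, sgt_blob)
        if sgt["exp"] < now:
            raise ValueError("service ticket expired")
        auth = unseal(bytes.fromhex(sgt["sk"]), authenticator)
        if auth["client"] != sgt["client"]:
            raise ValueError("authenticator does not match ticket")
        _check_fresh(auth["ts"], now)
        return sgt["client"]

def run_flow(client_skew=0):
    """AS -> TGS -> AP for hdfs/hadoop02 against the NameNode principal; client_skew shifts the client clock."""
    now = int(time.time())
    client, namenode = "hdfs/hadoop02@HIVE.COM", "hdfs/hadoop01@HIVE.COM"
    keys = {client: os.urandom(32), namenode: os.urandom(32), KRBTGT: os.urandom(32)}
    kdc, ct = KDC(keys), now + client_skew
    # kinit: obtain the TGT and the TGT session key
    tgt, enc = kdc.as_exchange(client, seal(keys[client], {"ts": ct}), now)
    tgt_sk = bytes.fromhex(unseal(keys[client], enc)["sk"])
    # TGT + service name -> SGT and service session key
    sgt, enc2 = kdc.tgs_exchange(tgt, seal(tgt_sk, {"client": client, "ts": ct}), namenode, now)
    svc_sk = bytes.fromhex(unseal(tgt_sk, enc2)["sk"])
    # present the SGT plus a fresh authenticator to the service
    return Service(keys[namenode]).accept(sgt, seal(svc_sk, {"client": client, "ts": ct}), now)

if __name__ == "__main__":
    print("accepted:", run_flow())
```

Calling run_flow(client_skew=180) raises ValueError at the very first step, which is the same failure a real client with a drifted clock sees at kinit time; this is why the post pins clockskew and why NTP matters on every cluster node.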
1.3 Installing and deploying Kerberos
1.3.1 Installing the Kerberos server (KDC)
[root@hadoop01 ~]# yum install -y krb5-server krb5-libs krb5-workstation
Or use this instead:
yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
1.3.2 Installing the Kerberos client
The client packages only need to be installed on the Hadoop worker nodes.
[root@hadoop02 ~]# yum install -y krb5-libs krb5-workstation
[root@hadoop03 ~]# yum install -y krb5-libs krb5-workstation
1.3.3 Configuring the KDC
Edit this on the host where the Kerberos server was installed.
[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kdc.conf
Change the contents to the following:
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
# EXAMPLE.COM = {
# #master_key_type = aes256-cts
# acl_file = /var/kerberos/krb5kdc/kadm5.acl
# dict_file = /usr/share/dict/words
# admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }
HIVE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
Configuration notes:
HIVE.COM: the realm being defined. The name is arbitrary; Kerberos supports multiple realms, and realm names are conventionally all upper case.
master_key_type and supported_enctypes default to aes256-cts. Because Java needs additional jar files to use aes256-cts, it is not used here for now.
acl_file: declares the permissions of admin users. The file format is
Kerberos_principal permissions [target_principal] [restrictions], and wildcards are supported.
admin_keytab: the keytab the KDC uses to verify admin (kadmin) authentication.
supported_enctypes: the encryption types supported. Note that aes256-cts has been removed.
1.3.4 Configuring krb5.conf
krb5.conf must be configured on both the Kerberos server and the clients.
Kerberos server configuration:
[root@hadoop01 ~]# vi /etc/krb5.conf
Replace the contents with the following:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# dns_lookup_realm = false
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# rdns = false
# pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
## default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
default_realm = HIVE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 120
udp_preference_limit = 1
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
HIVE.COM = {
kdc = hadoop01
admin_server = hadoop01
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.hive.com = HIVE.COM
hive.com = HIVE.COM
Kerberos client configuration:
[root@hadoop02 ~]# vi /etc/krb5.conf
Same contents as above.
[root@hadoop03 ~]# vi /etc/krb5.conf
Same contents as above.
Configuration notes:
[logging]: where the server-side logs are written.
udp_preference_limit = 1: disables UDP, which avoids a known Hadoop problem.
ticket_lifetime: how long a ticket is valid, typically 24 hours.
renew_lifetime: the maximum period over which a ticket can be renewed, typically one week. Once the ticket expires, further access to Kerberos-secured services fails.
clockskew: the tolerance, in seconds, for ticket timestamps that do not exactly match the host system clock; a ticket outside this tolerance is rejected.
Change the realm from the default EXAMPLE.COM to the value you want to define, for example HIVE.COM. The following parameters need to be changed:
default_realm: the default realm, e.g. HIVE.COM.
kdc: the location of the KDC; the format is a host name.
admin_server: the location of the admin server; the format is a host name.
default_domain: the default domain (set to the domain corresponding to the master host, e.g. hive.com).
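The notes above come down to a few settings worth checking mechanically: the enctypes left in supported_enctypes (the post drops aes256-cts but keeps the DES and arcfour types), clockskew, udp_preference_limit, and a default_realm that actually has a [realms] entry. The following added example (not part of this post or of MIT Kerberos) parses the profile format shared by kdc.conf and krb5.conf and reports those points; the two embedded configs are copies of the post's snippets. The 300-second threshold is MIT krb5's default clockskew.

```python
"""Lint kdc.conf / krb5.conf settings. Added example, not from the post or MIT Kerberos;
the sample configs are copies of the post's snippets."""

# Constructed sample: the post's kdc.conf
KDC_CONF = """[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HIVE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
"""

# Constructed sample: the active (uncommented) lines of the post's krb5.conf
KRB5_CONF = """[libdefaults]
default_realm = HIVE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 120
udp_preference_limit = 1
[realms]
HIVE.COM = {
kdc = hadoop01
admin_server = hadoop01
}
[domain_realm]
.hive.com = HIVE.COM
hive.com = HIVE.COM
"""

def parse_krb5(text):
    """Parse the krb5 profile format into {section: {key: value}}; a `NAME = { ... }` block
    becomes a nested dict under its section. Comments (#) and includedir lines are ignored."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (section if block is None else block)[key] = value
    return conf

# single DES and RC4 (arcfour) are broken; 3DES is deprecated in current MIT krb5 releases
WEAK_PREFIXES = ("des-", "des3-", "arcfour")

def lint_kdc(conf, realm):
    findings = []
    realm_conf = conf.get("realms", {}).get(realm)
    if realm_conf is None:
        return [f"realm {realm} is not defined in [realms]"]
    enctypes = realm_conf.get("supported_enctypes", "").split()
    weak = [e for e in enctypes if e.startswith(WEAK_PREFIXES)]
    if weak:
        findings.append("weak or deprecated enctypes enabled: " + " ".join(weak))
    if not any(e.startswith("aes") for e in enctypes):
        findings.append("no AES enctype in supported_enctypes")
    return findings

def lint_krb5(conf):
    findings, lib = [], conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if realm not in conf.get("realms", {}):
        findings.append(f"default_realm {realm} has no [realms] entry")
    # MIT krb5 defaults clockskew to 300 s; a larger value widens the replay window
    if int(lib.get("clockskew", 300)) > 300:
        findings.append("clockskew above 300 s")
    if lib.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit is not 1 (the post forces TCP to avoid a Hadoop issue)")
    return findings

if __name__ == "__main__":
    print(lint_kdc(parse_krb5(KDC_CONF), "HIVE.COM"))
    print(lint_krb5(parse_krb5(KRB5_CONF)))
```

On the post's own kdc.conf the linter lists five DES/3DES/arcfour enctypes; the krb5.conf passes cleanly. The enctype finding is the one to act on once the Java side can handle AES: service keys are generated with every enctype in supported_enctypes, as the klist output later in the post shows.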
1.3.5 ACL permissions for the database administrator
Configure the database administrator's permissions on the Kerberos server.
[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
Change to the following:
*/admin@HIVE.COM *
Configuration notes:
For more on the kadm5.acl file, see the kadm5.acl documentation.
There are two ways to administer the KDC database: one runs directly on the KDC host and needs no password to access the database, the other requires an account and password. The two are:
kadmin.local: must be run on the KDC server itself; administers the database without a password.
kadmin: can be run on any system in the KDC's realm, but requires the administrator password.
1.3.6 Kerberos service operations
1.3.6.1 Creating the Kerberos database
Creating the Kerberos database requires setting an administrator (master) password. On success a set of files is generated under /var/kerberos/krb5kdc/. To recreate the database, first delete the principal-related files under /var/kerberos/krb5kdc.
Run on the Kerberos server:
[root@hadoop01 ~]# kdb5_util create -s -r HIVE.COM
Enter the KDC password and be sure to remember it. I set it to root here; the two entries just need to match.
1.3.6.2 Starting Kerberos at boot
Run on the Kerberos server.
[root@hadoop01 ~]# chkconfig krb5kdc on
[root@hadoop01 ~]# chkconfig kadmin on
[root@hadoop01 ~]# service krb5kdc start
[root@hadoop01 ~]# service kadmin start
[root@hadoop01 ~]# service krb5kdc status
1.3.6.3 Creating the Kerberos administrator
Run the following on the Kerberos server.
After entering kadmin.local, add the principal: addprinc admin/admin@HIVE.COM.
[root@hadoop01 ~]# kadmin.local
Authenticating as principal root/admin@HIVE.COM with password.
Continue filling in as shown in the figure below:
Enter the principal and the password; the two password entries just need to match. I used root.
Finally, exit with q, quit or exit.
Chapter 2: Configuring Kerberos for the Hadoop cluster
Some concepts:
A Kerberos principal identifies a unique identity in the Kerberos system.
Kerberos issues tickets to Kerberos principals so that they can access Hadoop services protected by Kerberos.
For Hadoop, principals have the form username/fully.qualified.domain.name@YOUR-REALM.COM.
A keytab is a file containing principals and their encrypted principal keys. A keytab file is unique to each host because the key includes the hostname. Keytabs let a host authenticate a principal to Kerberos without human interaction and without storing a plaintext password. Because anyone with read access to the keytab on a server can authenticate to Kerberos as that principal, keytab files must be protected carefully and be readable by as few users as possible.
Configuring Kerberos for Hive presupposes that the Hadoop cluster is already configured with Kerberos, so we first set up authentication for the Hadoop cluster.
2.1 Adding users
Create the users below. The passwords used here are the same as the user names; you can set whatever you like.
# create the hadoop user
[root@hadoop01 hadoop]# useradd hadoop
[root@hadoop01 hadoop]# passwd hadoop
[root@hadoop02 hadoop]# useradd hadoop
[root@hadoop02 hadoop]# passwd hadoop
[root@hadoop03 hadoop]# useradd hadoop
[root@hadoop03 hadoop]# passwd hadoop
# create the yarn user; its user ID must be < 1000:
[root@hadoop01 ~]# useradd -u 502 yarn -g hadoop
# set the new user's password with passwd, entering the new password when prompted
[root@hadoop01 ~]# passwd yarn
# create the hdfs user
[root@hadoop01 hadoop]# useradd hdfs -g hadoop
[root@hadoop01 hadoop]# passwd hdfs
[root@hadoop02 hadoop]# useradd hdfs -g hadoop
[root@hadoop02 hadoop]# passwd hdfs
[root@hadoop03 hadoop]# useradd hdfs -g hadoop
[root@hadoop03 hadoop]# passwd hdfs
# create the HTTP user
[root@hadoop01 hadoop]# useradd HTTP
[root@hadoop01 hadoop]# passwd HTTP
[root@hadoop02 hadoop]# useradd HTTP
[root@hadoop02 hadoop]# passwd HTTP
[root@hadoop03 hadoop]# useradd HTTP
[root@hadoop03 hadoop]# passwd HTTP
2.2 Creating ordinary Kerberos principals and their keytab files, so that the nodes can authenticate to each other once YARN Kerberos security is configured
Run the following commands as root on the server node:
[root@hadoop01 ~]# cd /var/kerberos/krb5kdc/
# log in as the admin user
[root@hadoop01 krb5kdc]# kadmin.local
# create the principals
addprinc -randkey yarn/hadoop01@HIVE.COM
addprinc -randkey yarn/hadoop02@HIVE.COM
addprinc -randkey yarn/hadoop03@HIVE.COM
addprinc -randkey hdfs/hadoop01@HIVE.COM
addprinc -randkey hdfs/hadoop02@HIVE.COM
addprinc -randkey hdfs/hadoop03@HIVE.COM
addprinc -randkey HTTP/hadoop01@HIVE.COM
addprinc -randkey HTTP/hadoop02@HIVE.COM
addprinc -randkey HTTP/hadoop03@HIVE.COM
# generate the keytab files (written to the current directory)
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k yarn.keytab yarn/hadoop03@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop03@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop03@HIVE.COM"
# merge into one keytab file: rkt reads a keytab into ktutil's list, wkt writes the list out as a keytab
[root@hadoop01 krb5kdc]# ktutil
ktutil: rkt hdfs-unmerged.keytab
ktutil: rkt HTTP.keytab
ktutil: rkt yarn.keytab
ktutil: wkt hdfs.keytab
ktutil: q
Note: what follows the ktutil: prompt is what you type.
# view the result
[root@hadoop01 krb5kdc]# klist -ket hdfs.keytab
Keytab name: FILE:hdfs.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des3-cbc-sha1)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (arcfour-hmac)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia256-cts-cmac)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia128-cts-cmac)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-hmac-sha1)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-cbc-md5)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des3-cbc-sha1)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (arcfour-hmac)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia256-cts-cmac)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia128-cts-cmac)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-hmac-sha1)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-cbc-md5)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des3-cbc-sha1)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (arcfour-hmac)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia256-cts-cmac)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia128-cts-cmac)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-hmac-sha1)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-cbc-md5)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des3-cbc-sha1)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (arcfour-hmac)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia256-cts-cmac)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia128-cts-cmac)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-hmac-sha1)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-cbc-md5)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-cbc-md5)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des3-cbc-sha1)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (arcfour-hmac)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia256-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia128-cts-cmac)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-hmac-sha1)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-cbc-md5)
Copy the generated hdfs.keytab into the Hadoop configuration directory and set its owner and permissions. Keytab login failures are a common problem later on, and the first thing to check is the file's permissions.
[root@hadoop01 krb5kdc]# cp ./hdfs.keytab /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
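The klist -ket listing above is worth reading carefully rather than just glancing at: it contains no hdfs/hadoop03@HIVE.COM entry even though xst was run for that principal, and HTTP/hadoop03@HIVE.COM appears with two kvnos (7 and 8), which happens when xst is run more than once for the same principal (each run re-randomizes the key and bumps the kvno, so only the entries matching the KDC's current kvno are usable). The following added example (not part of this post) parses such a listing and reports both conditions. The sample input is a trimmed copy of the listing above with one line per principal and kvno; the service, host and realm lists are assumptions matching this post.

```python
"""Parse klist -ket output and check that a merged keytab covers every expected service
principal on every host. Added example, not from the post; the sample input is a trimmed
copy of the post's listing (one line per principal and kvno)."""
import re
from collections import defaultdict

KLIST_OUTPUT = """Keytab name: FILE:hdfs.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-cbc-md5)
3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
"""

# one klist -ket entry: kvno, date and time, principal, (enctype)
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: set(enctypes)}}; header and separator lines are skipped."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            entries[principal][int(kvno)].add(enctype)
    return entries

def check_keytab(entries, services, hosts, realm):
    """Report principals absent from the keytab and principals carrying more than one kvno."""
    expected = {f"{svc}/{host}@{realm}" for svc in services for host in hosts}
    missing = sorted(expected - set(entries))
    # each xst run re-randomizes the key and bumps the kvno; only entries whose kvno matches
    # the KDC's current key are usable, the older ones are leftovers of an earlier xst
    multi_kvno = sorted(p for p, by_kvno in entries.items() if len(by_kvno) > 1)
    return {"missing": missing, "multiple_kvno": multi_kvno}

if __name__ == "__main__":
    report = check_keytab(parse_klist(KLIST_OUTPUT), ["hdfs", "HTTP", "yarn"],
                          ["hadoop01", "hadoop02", "hadoop03"], "HIVE.COM")
    print(report)
```

Run against the real file with `klist -ket hdfs.keytab | python3 check_keytab.py` style piping (reading sys.stdin instead of the constant) before copying it to the nodes; a missing hdfs/hadoop03 entry is exactly the kind of thing that surfaces later as a "Failed to find any Kerberos tgt" error on that host.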
2.3 Configuring the Hadoop cluster
core-site.xml:
<!-- add the following -->
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
</property>
yarn-site.xml
<!-- add the following; leave this property out if memory is short
<property>
<name>yarn.nodemanager.resource.memory-mb</name>
<value>1024</value>
</property>
-->
<!-- ResourceManager security configs -->
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<!-- NodeManager security configs -->
<property>
<name>yarn.nodemanager.keytab</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>yarn.nodemanager.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
<name>yarn.nodemanager.container-executor.class</name>
<value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
<name>yarn.nodemanager.linux-container-executor.group</name>
<value>yarn</value>
</property>
<property>
<name>yarn.resourcemanager.proxy-user-privileges.enabled</name>
<value>true</value>
</property>
<property>
<name>yarn.nodemanager.local-dirs</name>
<value>/usr/local/hadoop-2.7.6/tmp/nm-local-dir</value>
</property>
hdfs-site.xml
<!-- add the following -->
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<property>
<name>dfs.datanode.data.dir.perm</name>
<value>700</value>
</property>
<property>
<name>dfs.namenode.keytab.file</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
<name>dfs.namenode.kerberos.https.principal</name>
<value>HTTP/_HOST@HIVE.COM</value>
</property>
<property>
<name>dfs.datanode.address</name>
<value>0.0.0.0:1004</value>
</property>
<property>
<name>dfs.datanode.http.address</name>
<value>0.0.0.0:1006</value>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
<name>dfs.datanode.kerberos.https.principal</name>
<value>HTTP/_HOST@HIVE.COM</value>
</property>
<property>
<name>dfs.webhdfs.enabled</name>
<value>true</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/_HOST@HIVE.COM</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>dfs.secondary.namenode.keytab.file</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>dfs.secondary.namenode.kerberos.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
<name>hadoop.tmp.dir</name>
<value>/usr/local/hadoop-2.7.6/tmp</value>
</property>
mapred-site.xml:
<!-- add the following -->
<property>
<name>mapreduce.jobhistory.keytab</name>
<value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
<name>mapreduce.jobhistory.principal</name>
<value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
<name>mapreduce.jobhistory.http.policy</name>
<value>HTTPS_ONLY</value>
</property>
container-executor.cfg
# overwrite the file with the following
yarn.nodemanager.linux-container-executor.group=hadoop
#configured value of yarn.nodemanager.linux-container-executor.group
banned.users=hdfs
#comma separated list of users who can not run applications
min.user.id=0
#Prevent other super-users
allowed.system.users=root,yarn,hdfs,mapred,nobody
##comma separated list of system users who CAN run applications
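Two details in the snippets above are easy to miss and show up again in the troubleshooting section: yarn-site.xml sets yarn.nodemanager.linux-container-executor.group to yarn while container-executor.cfg sets it to hadoop, and banned.users=hdfs while the jobs in this post are submitted with the hdfs principal (the "Requested user hdfs is banned" error later). The following added example (not part of this post or of Hadoop) cross-checks a yarn-site.xml against a container-executor.cfg and also verifies that every configured keytab exists with owner-only permissions and that principals use _HOST. The inputs are constructed copies of the snippets above, with the keytab path rewritten to point into a temporary directory.

```python
"""Cross-check Hadoop security settings: keytab permissions, _HOST principals, and agreement
between yarn-site.xml and container-executor.cfg. Added example; inputs are constructed
copies of the post's snippets with the keytab path redirected to a temp directory."""
import os, stat, tempfile
import xml.etree.ElementTree as ET

YARN_SITE = """<configuration>
<property><name>yarn.resourcemanager.keytab</name><value>{dir}/hdfs.keytab</value></property>
<property><name>yarn.resourcemanager.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>yarn.nodemanager.keytab</name><value>{dir}/hdfs.keytab</value></property>
<property><name>yarn.nodemanager.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>yarn.nodemanager.linux-container-executor.group</name><value>yarn</value></property>
</configuration>"""

EXECUTOR_CFG = """yarn.nodemanager.linux-container-executor.group=hadoop
#configured value of yarn.nodemanager.linux-container-executor.group
banned.users=hdfs
#comma separated list of users who can not run applications
min.user.id=0
allowed.system.users=root,yarn,hdfs,mapred,nobody
"""

def parse_site(xml_text):
    """Hadoop *-site.xml -> {name: value}."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name").strip(): p.findtext("value").strip() for p in root.iter("property")}

def parse_cfg(text):
    """container-executor.cfg (key=value lines, # comments) -> {key: value}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def lint(site, cfg):
    findings = []
    # 1. every keytab the daemons load must exist and be readable by its owner only (chmod 400)
    for path in sorted({v for k, v in site.items() if k.endswith(".keytab")}):
        if not os.path.exists(path):
            findings.append(f"keytab {path} does not exist")
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"keytab {path} is readable by group/other")
    # 2. daemon principals should use _HOST so the same file works on every node
    for key, value in site.items():
        if key.endswith(".principal") and "/_HOST@" not in value:
            findings.append(f"{key}: {value} is host-specific, expected _HOST")
    # 3. the container-executor group must agree between the two files
    group_key = "yarn.nodemanager.linux-container-executor.group"
    if site.get(group_key) != cfg.get(group_key):
        findings.append(f"executor group mismatch: yarn-site={site.get(group_key)} "
                        f"container-executor.cfg={cfg.get(group_key)}")
    # 4. a user listed in banned.users cannot run applications; the post submits jobs as hdfs
    banned = {u.strip() for u in cfg.get("banned.users", "").split(",") if u.strip()}
    primaries = {v.split("/")[0] for k, v in site.items() if k.endswith(".principal")}
    for user in sorted(primaries & banned):
        findings.append(f"user {user} is in banned.users; jobs submitted as {user} are rejected")
    return findings

def demo(keytab_mode=0o644):
    """Write the constructed inputs to a temp dir and lint them. keytab_mode=0o644 reproduces
    the permission finding; 0o400 (the post's chmod) clears it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hdfs.keytab")
        with open(path, "wb") as f:
            f.write(b"\x05\x02")  # keytab file magic only; constructed stand-in for a real keytab
        os.chmod(path, keytab_mode)
        return lint(parse_site(YARN_SITE.format(dir=d)), parse_cfg(EXECUTOR_CFG))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

With the post's values the linter reports the group mismatch and the banned hdfs user; the keytab finding disappears once the file has been chmod 400 as in section 2.2.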
2.4 Building and installing JSVC
When a secure DataNode is configured, starting the DataNode requires root privileges: hadoop-env.sh must be modified, jsvc must be installed, and commons-daemon-1.0.15.jar must be downloaded and rebuilt to replace the copy under $HADOOP_HOME/share/hadoop/hdfs/lib.
Otherwise the DataNode fails with the error "Cannot start secure DataNode without configuring either privileged resources".
The full error when starting the DataNode:
2020-04-14 15:56:35,164 FATAL org.apache.hadoop.hdfs.server.datanode.DataNode: Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP. Using privileged resources in combination with SASL RPC data transfer protection is not supported.
at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1208)
at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1108)
at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:429)
at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2414)
at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2301)
at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2348)
at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2530)
at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2554)
2020-04-14 15:56:35,173 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
2020-04-14 15:56:35,179 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: SHUTDOWN_MSG:
2.4.1 Downloading the packages
Download and extract commons-daemon-1.2.2-src.tar.gz and commons-daemon-1.2.2-bin.tar.gz.
2.4.2 Installation
[root@hadoop01 hadoop]# cd /usr/local
[root@hadoop01 local]# cd ./JSVC_packages/
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/source/commons-daemon-1.2.2-src.tar.gz
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/binaries/commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-src.tar.gz
[root@hadoop01 JSVC_packages]# ll
total 472
drwxr-xr-x. 3 root root 278 Apr 14 16:25 commons-daemon-1.2.2
-rw-r--r--. 1 root root 179626 Apr 14 16:24 commons-daemon-1.2.2-bin.tar.gz
drwxr-xr-x. 3 root root 180 Apr 14 16:25 commons-daemon-1.2.2-src
-rw-r--r--. 1 root root 301538 Apr 14 16:24 commons-daemon-1.2.2-src.tar.gz
# build jsvc and copy it to the target directory
[root@hadoop01 JSVC_packages]# cd commons-daemon-1.2.2-src/src/native/unix/
[root@hadoop01 unix]# ./configure
[root@hadoop01 unix]# make
[root@hadoop01 unix]# cp ./jsvc /usr/local/hadoop-2.7.6/libexec/
# copy commons-daemon-1.2.2.jar
[root@hadoop01 unix]# cd /usr/local/JSVC_packages/commons-daemon-1.2.2/
[root@hadoop01 commons-daemon-1.2.2]# cp /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar.bak
[root@hadoop01 commons-daemon-1.2.2]# cp ./commons-daemon-1.2.2.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
[root@hadoop01 commons-daemon-1.2.2]# cd /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
[root@hadoop01 lib]# chown hdfs:hadoop commons-daemon-1.2.2.jar
2.4.3 hadoop-env.sh
[root@hadoop01 hadoop-2.7.6]# vi ./etc/hadoop/hadoop-env.sh
Append the following:
export HADOOP_SECURE_DN_USER=hdfs
export JSVC_HOME=/usr/local/hadoop-2.7.6/libexec/
2.5 Distributing to the other servers
[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop02:/usr/local/
[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop03:/usr/local/
2.6 Starting the Hadoop cluster
[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop01@HIVE.COM
[root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
[root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop03@HIVE.COM
[root@hadoop02 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop02 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
[root@hadoop03 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop03 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
[root@hadoop01 hadoop-2.7.6]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hadoop01@HIVE.COM
Valid starting Expires Service principal
04/14/2020 16:49:17 04/15/2020 16:49:17 krbtgt/HIVE.COM@HIVE.COM
renew until 04/21/2020 16:49:17
[root@hadoop02 ~]# useradd hdfs
[root@hadoop02 hadoop-2.7.6]# passwd hdfs
[root@hadoop03 ~]# useradd hdfs
[root@hadoop03 hadoop-2.7.6]# passwd hdfs
# start HDFS, directly as root
[root@hadoop01 hadoop-2.7.6]# start-dfs.sh
# start the DataNodes, directly as root
[root@hadoop01 hadoop-2.7.6]# start-secure-dns.sh
# start YARN; starting it directly as root works (tested)
[root@hadoop01 hadoop-2.7.6]# start-yarn.sh
# start the history server, directly as root
[root@hadoop01 hadoop-2.7.6]# mr-jobhistory-daemon.sh start historyserver
Stopping the cluster:
# stop the DataNodes; this must be done as root
[root@hadoop01 hadoop-2.7.6]# stop-secure-dns.sh
# stop HDFS
[root@hadoop01 hadoop-2.7.6]# stop-dfs.sh
# stop YARN; stopping it directly as root works (tested)
[root@hadoop01 hadoop-2.7.6]# stop-yarn.sh
2.7 Testing the Hadoop cluster
YARN web UI address: http://hadoop01:8088
HDFS test:
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -ls /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -put /home/words /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe
# HDFS test: without Kerberos credentials, the HDFS file system cannot be accessed
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
20/04/15 15:04:41 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
cat: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "hadoop02/192.168.216.112"; destination host is: "hadoop01":9000;
# fix:
[hdfs@hadoop02 hadoop]$ kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe
YARN test:
[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab yarn/hadoop01@HIVE.COM
[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/00
Error 1:
20/04/15 23:42:45 INFO mapreduce.Job: Job job_1586934815492_0008 failed with state FAILED due to: Application application_1586934815492_0008 failed 2 times due to AM Container for appattempt_1586934815492_0008_000002 exited with exitCode: -1000
For more detailed output, check application tracking page:http://hadoop01:8088/cluster/app/application_1586934815492_0008Then, click on links to logs of each attempt.
Diagnostics: Application application_1586934815492_0008 initialization failed (exitCode=255) with output: Requested user hdfs is banned
Error 2:
Caused by: java.io.IOException: Exceeded MAX_FAILED_UNIQUE_FETCHES; bailing-out.
Solution:
Configure the temporary directory in hdfs-site.xml.
Configure the temporary directory in yarn-site.xml as well; it must share the same prefix as the one in hdfs-site.xml, with a fixed suffix appended.
# test again:
[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/02
20/04/16 02:55:38 INFO client.RMProxy: Connecting to ResourceManager at hadoop01/192.168.216.111:8032
20/04/16 02:55:38 INFO hdfs.DFSClient: Created HDFS_DELEGATION_TOKEN token 61 for yarn on 192.168.216.111:9000
20/04/16 02:55:38 INFO security.TokenCache: Got dt for hdfs://hadoop01:9000; Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:39 INFO input.FileInputFormat: Total input paths to process : 1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: number of splits:1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1586976916277_0001
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:41 INFO impl.YarnClientImpl: Submitted application application_1586976916277_0001
20/04/16 02:55:41 INFO mapreduce.Job: The url to track the job: http://hadoop01:8088/proxy/application_1586976916277_0001/
20/04/16 02:55:41 INFO mapreduce.Job: Running job: job_1586976916277_0001
20/04/16 02:56:11 INFO mapreduce.Job: Job job_1586976916277_0001 running in uber mode : false
20/04/16 02:56:11 INFO mapreduce.Job: map 0% reduce 0%
20/04/16 02:56:13 INFO mapreduce.Job: Task Id : attempt_1586976916277_0001_m_000000_0, Status : FAILED
Application application_1586976916277_0001 initialization failed (exitCode=20) with output: main : command provided 0
main : user is yarn
main : requested yarn user is yarn
Permission mismatch for /usr/local/hadoop-2.7.6/tmp/nm-local-dir for caller uid: 0, owner uid: 502.
Couldn't get userdir directory for yarn.
20/04/16 02:56:20 INFO mapreduce.Job: map 100% reduce 0%
20/04/16 02:56:28 INFO mapreduce.Job: map 100% reduce 100%
20/04/16 02:56:28 INFO mapreduce.Job: Job job_1586976916277_0001 completed successfully
20/04/16 02:56:28 INFO mapreduce.Job: Counters: 51
File System Counters
FILE: Number of bytes read=81
FILE: Number of bytes written=251479
FILE: Number of read operations=0
FILE: Number of large read operations=0
FILE: Number of write operations=0
HDFS: Number of bytes read=154
HDFS: Number of bytes written=51
HDFS: Number of read operations=6
HDFS: Number of large read operations=0
HDFS: Number of write operations=2
Job Counters
Failed map tasks=1
Launched map tasks=2
Launched reduce tasks=1
Other local map tasks=1
Data-local map tasks=1
Total time spent by all maps in occupied slots (ms)=4531
Total time spent by all reduces in occupied slots (ms)=3913
Total time spent by all map tasks (ms)=4531
Total time spent by all reduce tasks (ms)=3913
Total vcore-milliseconds taken by all map tasks=4531
Total vcore-milliseconds taken by all reduce tasks=3913
Total megabyte-milliseconds taken by all map tasks=4639744
Total megabyte-milliseconds taken by all reduce tasks=4006912
Map-Reduce Framework
Map input records=3
Map output records=10
Map output bytes=103
Map output materialized bytes=81
Input split bytes=91
Combine input records=10
Combine output records=6
Reduce input groups=6
Reduce shuffle bytes=81
Reduce input records=6
Reduce output records=6
Spilled Records=12
Shuffled Maps =1
Failed Shuffles=0
Merged Map outputs=1
GC time elapsed (ms)=192
CPU time spent (ms)=2120
Physical memory (bytes) snapshot=441053184
Virtual memory (bytes) snapshot=4211007488
Total committed heap usage (bytes)=277348352
Shuffle Errors
BAD_ID=0
CONNECTION=0
IO_ERROR=0
WRONG_LENGTH=0
WRONG_MAP=0
WRONG_REDUCE=0
File Input Format Counters
Bytes Read=63
File Output Format Counters