hadoop2.0 安全配置 kerberos

在安装配置 kerberos 之前,需要了解一些背景资料:

 http://www.freebsd.org/doc/zh_CN/books/handbook/kerberos5.html

http://blog.wgzhao.com/2005/12/02/kerberos-authentication-configuration/

http://dongxicheng.org/mapreduce-nextgen/hadoop-yarn-security/

http://hi.baidu.com/goseec/item/1614b21220b7bc0fb98a1a26


cdh4 配置 kerberos 官方文档:

http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.3.0/CDH4-Security-Guide/cdh4sg_topic_3_4.html#../CDH4-Security-Guide/cdh4sg_topic_3.html


http://blog.chinaunix.net/uid-1838361-id-3243243.html

1、kdc服务器上安装kerberos-server(centos默认会安装kerberos的客户端)

                 rpm -qa | grep krb

                 sudo yum install -y krb5-server

2、配置krb server

             vim /etc/krb5.conf

 
以下是需要修改的地方:
[libdefaults]
 default_realm =*****.COM
 
[realms]
  ****.COM = {
  kdc = host1:88
  admin_server = host1:749
  default_domain = example.com
 }

[domain_realm]
 .example.com = ****.COM
 example.com = ****.COM

将krb5.conf复制到到其他节点上。


3、创建krb的数据库

       kdb5_util create -r ****.COM -s


4.创建管理员 -添加root为管理员

kadmin.local -q "addprinc root/admin@****.COM"


5.配置 kadmin的操作权限  简单修改赋予所有权限

vi  /var/kerberos/krb5kdc/kadm5.acl

修改内容为 */admin@hadoop.server      *


6.设置初始信息 

kadmin.local: addprinc admin/admin@hdfs.server 

7.生成admin keytab文件(changepw也是系统初始化生成的)

kadmin.local: ktadd -k /var/kerberos/krb5kdc /kadm5.keytab kadmin/admin kadmin/changepw

8.启动 kdc 服务

/etc/init.d/krb5kdc start

/etc/init.d/kadmin start

9.新增hadoop为管理员


kadmin.local: addprinc hadoop/admin

客户端操作

在客户机上登录kdc 服务器 新建本机用户的keytab

kadmin: addprinc -randkey HTTP/域名                 // 生产本机的host 随机key 用于鉴权https请求

kadmin: addprinc -randkey hadoop/本机域名            //生产本机的hadoop 随机key 用户启动datanode

kadmin: ktadd -k 本地路径/hadoop.keytab hadoop/本机域名 HTTP/本机域名


配置 hdfs:

<!-- NameNode security config -->
        <property>
                <name>dfs.namenode.keytab.file</name>
                <value>/home/q/hadoop-2.2.0/etc/keytab/user.keytab</value> <!-- path to the HDFS keytab -->
        </property>
        <property>
                <name>dfs.namenode.kerberos.principal</name>
                <value>user/host1@****.COM</value>
        </property>
        <property>
                <name>dfs.namenode.kerberos.internal.spnego.principal</name>
                <value>HTTP/host1@****.COM</value>
        </property>

<!-- DataNode security config -->
        <property>
                <name>dfs.datanode.data.dir.perm</name>
                <value>700</value>
        </property>
        <property>
                <name>dfs.datanode.address</name>
                <value>0.0.0.0:1004</value>
        </property>
        <property>
                <name>dfs.datanode.http.address</name>
                <value>0.0.0.0:1006</value>
        </property>
        <!-- for quorm jounal node-->
        <property>
                <name>dfs.journalnode.keytab.file</name>
                <value>/home/q/hadoop-2.2.0/etc/keytab/user.keytab</value> <!-- path to the HDFS keytab -->
        </property>

        <property>
                <name>dfs.journalnode.kerberos.principal</name>
                <value>user/host1@****.COM</value>
        </property>
        <property>
                <name>dfs.journalnode.kerberos.internal.spnego.principal</name>
                <value>HTTP/host@****.COM</value>
        </property>

配好后我重启 journalnode 正常。

但是,format namenode的时候出现下面的问题:



13/10/25 10:52:24 ERROR security.UserGroupInformation: PriviledgedActionException as:user/host1@****.COM (auth:KERBEROS) cause:java.io.IOException: java.lang.IllegalArgumentException: Server has invalid Kerberos principal: user/host2@****.COM
13/10/25 10:52:24 WARN ipc.Client: Exception encountered while connecting to the server : java.lang.IllegalArgumentException: Server has invalid Kerberos principal: user/host3@****.COM
13/10/25 10:52:24 ERROR security.UserGroupInformation: PriviledgedActionException as:user/host1@****.COM (auth:KERBEROS) cause:java.io.IOException: java.lang.IllegalArgumentException: Server has invalid Kerberos principal: user/host2@****.COM

就是解析不了kerberos 其他节点的principal,真头疼

查了好多资料也没有能解决,不知道哪位大神能指点一下,kerberos配置卡到这里,先写这么多



展开阅读全文

没有更多推荐了,返回首页