ZooKeeper + Kerberos cluster installation


Download: http://mirror.bit.edu.cn/apache/zookeeper/stable/zookeeper-3.4.12.tar.gz

Refer to: https://www.cnblogs.com/fesh/p/3900253.html

 

Installation and configuration files

 

On node 1, write the server id to the myid file:

echo "1" > /data/zookeeper/myid

Configure the environment variables in /etc/profile on every node:

#Set ZOOKEEPER_HOME ENVIRONMENT
export ZOOKEEPER_HOME=/data/apps/zookeeper-3.4.12
export PATH=$PATH:$ZOOKEEPER_HOME/bin

Change the log directory:

Reference: https://blog.csdn.net/dehu_zhou/article/details/81939965

Start at boot

[root@computer9 ~]# vim /etc/rc.local    // any path written into this file must be an absolute path

/data/apps/zookeeper-3.4.13/bin/zkServer.sh start /data/apps/zookeeper-3.4.13/conf/zoo.cfg >> /tmp/zookeeper_start.log

 

Connect to the ensemble with the CLI (zkCli.sh on Linux, zkCli.cmd on Windows), by IP or by hostname:

zkCli.sh -server 192.168.1.71:2181,192.168.1.81:2181,192.168.1.91:2181
./zkCli.sh -server computer7:2181,computer8:2181,computer9:2181
./zkCli.cmd -server computer7:2181,computer8:2181,computer9:2181

Common ZooKeeper installation and configuration errors

84] - Cannot open channel to 2 at election address computer8/192.168.1.81:3888
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)

Cause: a wrong hostname mapping in /etc/hosts. The node's own hostname must not appear on the 127.0.0.1 line; if it does, the server binds its election port to the loopback address and the other peers get Connection refused.

[root@computer9 zookeeper-3.4.13]# cat /etc/hosts
127.0.0.1 computer7 (do not add this) localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.91 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.1.61 computer6
192.168.1.71 computer7
192.168.1.81 computer8
192.168.1.91 computer9

Installing and configuring Kerberos authentication

https://blog.csdn.net/lovebomei/article/details/79807484

(Log output settings, continuing the log-directory change above:)

vim bin/zkEnv.sh
ZOO_LOG_DIR="$ZOOKEEPER_PREFIX/logs"
ZOO_LOG4J_PROP="INFO,ROLLINGFILE"

vim bin/zkServer.sh
_ZOO_DAEMON_OUT="$ZOO_LOG_DIR/zookeeper.log"

vim conf/log4j.properties
zookeeper.root.logger=INFO, ROLLINGFILE
zookeeper.log.dir=/data/apps/zookeeper-3.4.13
zookeeper.tracelog.dir=/data/zookeeper_data
zookeeper.tracelog.file=zookeeper_trace.log

KDC server installation

Choose one host to run the KDC and install krb5-libs and krb5-server on it:

yum install krb5-server krb5-libs krb5-auth-dialog

vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }


vim /etc/krb5.conf (every client must have this file configured). The realm block under [realms] must be the realm that default_realm names, HADOOP.COM here, or clients cannot locate the KDC.

[root@computer6 /]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HADOOP.COM = {
  kdc = computer6
  admin_server = computer6
 }

[domain_realm]
 .example.com = HADOOP.COM
 example.com = HADOOP.COM
[root@computer6 /]#
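Before copying these two files to every node it is worth checking them mechanically: the realm block under [realms] has to be the realm that default_realm (and any [domain_realm] target) names, since with dns_lookup_kdc = false the client has no other way to find a KDC, and the supported_enctypes line above still enables single-DES, 3DES and RC4. The Python check below is an added example, not part of the original post; it parses the MIT krb5 profile syntax both files share and runs over constructed samples modelled on them, with the krb5.conf sample deliberately naming its [realms] block EXAMPLE.COM under a HADOOP.COM default_realm so that the mismatch is caught.

```python
# Enctypes from the page's supported_enctypes line that are single-DES, 3DES or RC4
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-hmac-sha1", "des3-hmac-sha1", "arcfour-hmac"}

def parse_profile(text):
    """Parse MIT krb5 profile syntax (krb5.conf / kdc.conf) into nested dicts;
    a 'key = {' line opens a nested block that a bare '}' closes."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()                                # end of a realm block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def missing_kdc_realms(krb5):
    """Realms the client is pointed at (default_realm, [domain_realm] targets) with no
    'kdc =' entry under [realms]; with dns_lookup_kdc = false kinit cannot find a KDC."""
    needed = {krb5.get("libdefaults", {}).get("default_realm")}
    needed |= set(krb5.get("domain_realm", {}).values())
    realms = krb5.get("realms", {})
    return sorted(r for r in needed if r and "kdc" not in realms.get(r, {}))

def weak_enctypes(kdc, realm):
    """Entries (enctype:salt) in a KDC realm's supported_enctypes that are weak."""
    listed = kdc["realms"][realm]["supported_enctypes"].split()
    return [e for e in listed if e.split(":")[0] in WEAK_ENCTYPES]

# Constructed samples modelled on the post's files, not copied from a live host.
KRB5_CONF = """[libdefaults]
 default_realm = HADOOP.COM
[realms]
 EXAMPLE.COM = {
  kdc = computer6
 }
"""
KDC_CONF = """[realms]
 HADOOP.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-md5:normal
 }
"""
```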

 

On the master KDC, run:

[root@vmw201 /]# /usr/sbin/kadmin.local -q "addprinc admin/admin"    // and set a password for it when prompted

 

Now grant the administrator its privileges by editing /var/kerberos/krb5kdc/kadm5.acl to contain:

*/admin@HADOOP.COM *

The leading * means every principal whose name matches */admin@HADOOP.COM is treated as an admin; the trailing * grants it all privileges.

 

Start the Kerberos daemons on the master KDC

Start them manually:

[root@vmw201 /]# service krb5kdc start
[root@vmw201 /]# service kadmin start

Enable them at boot:

[root@vmw201 /]# chkconfig krb5kdc on
[root@vmw201 /]# chkconfig kadmin on

 

Install the Kerberos client on the other two hosts:

yum install krb5-workstation krb5-libs krb5-auth-dialog

 

Configure krb5.conf

Configure /etc/krb5.conf on these hosts; its contents can simply be kept identical to the file on the KDC.

 

/usr/sbin/kdb5_util create -s -r HADOOP.COM    // create the Kerberos database
/usr/sbin/kadmin.local -q "addprinc admin/admin"

 

ZooKeeper cluster installation: enabling Kerberos

https://www.jianshu.com/p/ca78a43ec107

addprinc -randkey zookeeper/computer7@HADOOP.COM

addprinc -randkey zookeeper/computer8@HADOOP.COM

addprinc -randkey zookeeper/computer9@HADOOP.COM

 

xst -k zookeeper.keytab zookeeper/computer7@HADOOP.COM

xst -k zookeeper.keytab zookeeper/computer8@HADOOP.COM

xst -k zookeeper.keytab zookeeper/computer9@HADOOP.COM

 

setAcl /mynode sasl:zookeeper/computer9@HADOOP.COM:cdrwa    // set the znode's ACL (the zkCli command is setAcl)

vim zoo.cfg
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true

vim /etc/profile

export JVMFLAGS="-Djava.security.auth.login.config=/data/apps/zookeeper-3.4.13/conf/jaas.conf"

 

 

vim jaas.conf (on each node the principal is that node's own, e.g. zookeeper/computer8@HADOOP.COM on computer8; the file below is computer7's)

Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/data/apps/zookeeper-3.4.13/conf/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/computer7@HADOOP.COM";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/data/apps/zookeeper-3.4.13/conf/zookeeper.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/computer7@HADOOP.COM";
};
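How the sasl ACL above interacts with the two kerberos.remove*FromPrincipal settings in zoo.cfg is easy to get wrong: the server strips the host and realm from the authenticated principal before comparing it, by exact string match, with the id in the ACL. The Python model below is an added example, not code from the original post or from ZooKeeper; it assumes the principal lives in the default realm (so its short name is the first component) and shows that with both flags true the ACL sasl:zookeeper/computer9@HADOOP.COM:cdrwa never matches, while sasl:zookeeper:cdrwa is satisfied by every zookeeper/<host> principal in the realm.

```python
PERMS = "cdrwa"   # create, delete, read, write, admin

def effective_sasl_id(principal, remove_host=True, remove_realm=True):
    """Derive the id ZooKeeper authorizes from a Kerberos principal 'user/host@REALM',
    honouring kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal.
    Assumption: the principal is in the default realm, so its short name is 'user'."""
    name, _, realm = principal.partition("@")
    user, _, host = name.partition("/")
    result = user
    if host and not remove_host:
        result += "/" + host
    if realm and not remove_realm:
        result += "@" + realm
    return result

def parse_acl(acl):
    """'sasl:zookeeper/computer9@HADOOP.COM:cdrwa' -> (scheme, id, perms).
    The id may contain ':' only in theory, so split the scheme from the left
    and the permission string from the right."""
    scheme, rest = acl.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not set(perms) <= set(PERMS):
        raise ValueError(f"bad permission string {perms!r}")
    return scheme, ident, perms

def sasl_acl_grants(acl, principal, perm, remove_host=True, remove_realm=True):
    """True if a client authenticated as `principal` holds `perm` under `acl`.
    Only the sasl scheme is modelled; it matches the authorized id by exact string
    comparison, so any other scheme returns False here."""
    scheme, ident, perms = parse_acl(acl)
    if scheme != "sasl" or perm not in perms:
        return False
    return ident == effective_sasl_id(principal, remove_host, remove_realm)

if __name__ == "__main__":
    acl = "sasl:zookeeper/computer9@HADOOP.COM:cdrwa"   # the ACL entry from the post
    me = "zookeeper/computer9@HADOOP.COM"
    # With both remove* flags true (as in zoo.cfg above) the id is just 'zookeeper',
    # so an ACL that spells out host and realm never matches ...
    print(sasl_acl_grants(acl, me, "r"))                                           # False
    # ... while every zookeeper/<host> principal in the realm satisfies sasl:zookeeper
    print(sasl_acl_grants("sasl:zookeeper:cdrwa", "zookeeper/computer8@HADOOP.COM", "w"))  # True
    # Keeping host and realm (both flags false) makes the per-host ACL match again
    print(sasl_acl_grants(acl, me, "r", remove_host=False, remove_realm=False))     # True
```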

Removing authentication

When removing authentication, also delete the authentication files (jaas.conf, keytab) under zookeeper-3.4.13/conf/*; otherwise the server still attempts the SASL/Kerberos login at startup and fails with the following error:

2018-11-30 22:25:18,980 [myid:1] - INFO [main:ServerCnxnFactory@117] - Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
2018-11-30 22:26:49,104 [myid:1] - ERROR [main:QuorumPeerMain@92] - Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Receive timed out
    at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:222)
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:82)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:133)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:114)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:81)
[root@computer7 bin]#

 

 

 
