1. Environment
centos 6.5
192.168.17.138 master NameNode, SecondaryNameNode, impala-catalog, impala-state-store
192.168.17.153 slave1 DataNode, impala-server
192.168.17.156 slave2 DataNode, impala-server
2. Install Kerberos
master acts as the KDC server and also as a client:
yum install krb5-server -y
yum -y install krb5-workstation ##krb5-client
slave1, slave2:
yum -y install krb5-workstation ##krb5-client
slave1 and slave2 also need the following dependencies:
yum install python-devel openssl-devel python-pip cyrus-sasl cyrus-sasl-gssapi cyrus-sasl-devel -y
Otherwise impala-server fails at startup with: E1017 03:24:43.111243 10855 authentication.cc:178] SASL message (Kerberos (internal)): No worthy mechs found
3. Configure /etc/krb5.conf on master
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.COM   # any realm name will do, but use the same one everywhere
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
ABC.COM = {
kdc = master
admin_server = master
}
[domain_realm]
.abc.com = ABC.COM
abc.com = ABC.COM
Sync it to the slaves:
scp /etc/krb5.conf slave1:/etc/krb5.conf
scp /etc/krb5.conf slave2:/etc/krb5.conf
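As an added check (not part of the original post), the following Python script parses a krb5.conf like the one above and confirms that default_realm and every [domain_realm] mapping refer to a realm that is defined in [realms] with a kdc; a realm name typed differently in one section otherwise only surfaces as a confusing error on the slaves after the file has been copied. The sample config embedded in it is constructed and contains one deliberate mismatch.

```python
import re

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}. Realm blocks such as
    'ABC.COM = { ... }' become nested dicts; '#' and ';' comments are dropped."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"[#;].*", "", raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections.setdefault(section, {})
        elif line.endswith("= {"):
            block = line[:-3].strip()
            sections[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (sections[section][block] if block else sections[section])[key] = value
    return sections

def check_realms(conf):
    """Return a list of problems; an empty list means the realm wiring is consistent."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append("default_realm %s is not defined in [realms]" % default)
    for name, settings in realms.items():
        if "kdc" not in settings:
            problems.append("realm %s has no kdc entry" % name)
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append("domain_realm maps %s to undefined realm %s" % (domain, realm))
    return problems

# Constructed sample with one deliberate mismatch (ABC.CO instead of ABC.COM).
SAMPLE = """[libdefaults]
 default_realm = ABC.COM
[realms]
 ABC.COM = {
  kdc = master
  admin_server = master
 }
[domain_realm]
 .abc.com = ABC.COM
 abc.com = ABC.CO
"""
```

Run check_realms(parse_krb5_conf(open("/etc/krb5.conf").read())) on the real file before the scp step; an empty list means every realm reference resolves.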
4. Configure /var/kerberos/krb5kdc/kdc.conf on master
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
ABC.COM = {
max_life = 24h
max_renewable_life = 7d
default_principal_flags = +renewable, +forwardable
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
5. Create the KDC database
/usr/sbin/kdb5_util create -s -r ABC.COM
You are prompted for a password (the KDC database master key); when the command completes, a set of files is generated under /var/kerberos/krb5kdc/. To recreate the database, first delete the principal* files under /var/kerberos/krb5kdc.
6. Grant the database administrator ACL privileges by editing the kadm5.acl file; * stands for all privileges
test/test@ABC.COM * # test/test gets every privilege in the ABC.COM realm; a pattern such as */admin@ABC.COM would instead match every principal with the admin instance
Syntax: principal privileges [principal-target]
After editing, the kadmin service must be (re)started: service kadmin start
https://docs.oracle.com/cd/E24847_01/html/819-7061/aadmin-9.html#aadmin-14
7. Add the database administrator
On the master node run kadmin.local; it manages the KDC database directly without logging in first.
kadmin.local: addprinc test/test@ABC.COM
WARNING: no policy specified for test/test@ABC.COM; defaulting to no policy
Enter password for principal "test/test@ABC.COM": test
Re-enter password for principal "test/test@ABC.COM": test
Principal "test/test@ABC.COM" created.
8. Start the services
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on
Check /var/log/krb5kdc.log and /var/log/kadmind.log for errors, and use kinit to confirm that Kerberos is working.
9. Verify that clients can reach the KDC
On slave2, log in with the test/test@ABC.COM principal:
[root@slave2 impala]# kadmin -p 'test/test@ABC.COM' -m master -w test
Authenticating as principal test/test@ABC.COM with password.
kadmin: listprincs
K/M@ABC.COM
test/test@ABC.COM
impala/master@ABC.COM
impala/slave1@ABC.COM
impala/slave2@ABC.COM
kadmin/admin@ABC.COM
kadmin/changepw@ABC.COM
kadmin/master@ABC.COM
krbtgt/ABC.COM@ABC.COM
Test: configure the test/test@ABC.COM principal so that it is only allowed to add principals whose primary is impala, with any instance (impala/*@ABC.COM).
Add to kadm5.acl:
test/test@ABC.COM a impala/*@ABC.COM
Then restart the kadmin service on master.
Test the privileges on slave2:
[root@slave2 impala]# kadmin -p 'test/test@ABC.COM' -m master -w test
Authenticating as principal test/test@ABC.COM with password.
kadmin: listprincs
get_principals: Operation requires ``list'' privilege while retrieving list. // no permission to list: the entry grants only the add privilege, and only on impala/* targets, while listprincs covers every principal (impala/master@ABC.COM and the rest)
kadmin: addprinc impala/test@ABC.COM
WARNING: no policy specified for impala/test@ABC.COM; defaulting to no policy
Enter password for principal "impala/test@ABC.COM":
Re-enter password for principal "impala/test@ABC.COM":
Principal "impala/test@ABC.COM" created. // only the add privilege was granted, and the add succeeds
kadmin: delprinc impala/test@ABC.COM
Are you sure you want to delete the principal "impala/test@ABC.COM"? (yes/no): yes
delete_principal: Operation requires ``delete'' privilege while deleting principal "impala/test@ABC.COM" // no delete privilege
Back on master with kadmin.local, or on a slave logged in as another principal whose privileges are not restricted, list all principals:
K/M@ABC.COM
test/test@ABC.COM
impala/master@ABC.COM
impala/slave1@ABC.COM
impala/slave2@ABC.COM
impala/test@ABC.COM
kadmin/admin@ABC.COM
kadmin/changepw@ABC.COM
kadmin/master@ABC.COM
krbtgt/ABC.COM@ABC.COM
impala/test@ABC.COM is present, so the add succeeded.
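To see why the listing, add and delete above behave as they do, here is an added Python evaluator (not from the original post, and not MIT's own code) that models the kadmind matching rules: the first entry whose principal pattern, and target pattern if present, matches decides; a '*' matches one whole component; and listprincs carries no target principal, so an entry that names a target never applies to it. The rule set is constructed from the entry used in the test.

```python
# Subset of the MIT privilege letters: add, delete, changepw, modify, inquire,
# list, set-key, policy. A lowercase letter grants, uppercase denies, '*'/'x' = all.
ALL_PRIVS = set("adcmilsp")

def split_principal(name):
    """'impala/test@ABC.COM' -> ['impala', 'test', 'ABC.COM']; the instance is optional."""
    body, _, realm = name.partition("@")
    return body.split("/") + [realm]

def match_pattern(pattern, name):
    """Compare component by component; a '*' component matches any one component."""
    if pattern == "*":
        return True
    pat, got = split_principal(pattern), split_principal(name)
    return len(pat) == len(got) and all(p in ("*", g) for p, g in zip(pat, got))

def parse_acl(text):
    """kadm5.acl lines -> [(principal pattern, allowed privilege set, target pattern or None)]."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        allowed = set()
        for ch in fields[1]:
            if ch in "*x":
                allowed |= ALL_PRIVS
            elif ch.islower():
                allowed.add(ch)
            else:
                allowed.discard(ch.lower())
        rules.append((fields[0], allowed, fields[2] if len(fields) > 2 else None))
    return rules

def acl_allows(rules, caller, priv, target=None):
    """True if the first rule matching caller (and target, when the rule names one)
    grants priv. target=None models listprincs, which has no target principal, so
    a rule with a target can never satisfy it."""
    for principal, allowed, rule_target in rules:
        if not match_pattern(principal, caller):
            continue
        if rule_target and rule_target != "*":
            if target is None or not match_pattern(rule_target, target):
                continue
        return priv in allowed
    return False

# Constructed rule set: the restricted entry added to kadm5.acl in the test above.
RULES = parse_acl("test/test@ABC.COM a impala/*@ABC.COM\n")
```

acl_allows(RULES, "test/test@ABC.COM", "l") is False, acl_allows(RULES, "test/test@ABC.COM", "a", "impala/test@ABC.COM") is True and the same call with "d" is False, matching the three kadmin results above.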
10. Generate the keytab
cd /var/kerberos/krb5kdc/
kadmin.local -q "addprinc -randkey impala/master@ABC.COM "
kadmin.local -q "addprinc -randkey impala/slave1@ABC.COM "
kadmin.local -q "addprinc -randkey impala/slave2@ABC.COM "
kadmin.local -q "xst -k impala.keytab impala/master@ABC.COM "
kadmin.local -q "xst -k impala.keytab impala/slave1@ABC.COM "
kadmin.local -q "xst -k impala.keytab impala/slave2@ABC.COM "
Copy it to each node:
scp impala.keytab master:/etc/impala/conf
scp impala.keytab slave1:/etc/impala/conf
scp impala.keytab slave2:/etc/impala/conf
and set ownership and permissions:
ssh master "cd /etc/impala/conf/;chown impala:hadoop *.keytab ;chmod 400 *.keytab"
ssh slave1 "cd /etc/impala/conf/;chown impala:hadoop *.keytab ;chmod 400 *.keytab"
ssh slave2 "cd /etc/impala/conf/;chown impala:hadoop *.keytab ;chmod 400 *.keytab"
Otherwise the Impala services fail at startup with: Could not init kerberos: Runtime error: unable to kinit: unable to login from keytab: Permission denied
11. Edit /etc/default/impala
IMPALA_CATALOG_SERVICE_HOST=master
IMPALA_STATE_STORE_HOST=master
IMPALA_STATE_STORE_PORT=24000
IMPALA_BACKEND_PORT=22000
IMPALA_LOG_DIR=/var/log/impala
hostname=`hostname -f |tr "[:upper:]" "[:lower:]"`
IMPALA_CATALOG_ARGS=" -log_dir=${IMPALA_LOG_DIR} -state_store_host=${IMPALA_STATE_STORE_HOST} \
-kerberos_reinit_interval=60 \
-principal=impala/${hostname}@ABC.COM \
-keytab_file=/etc/impala/conf/impala.keytab
"
IMPALA_STATE_STORE_ARGS=" -log_dir=${IMPALA_LOG_DIR} -state_store_port=${IMPALA_STATE_STORE_PORT}\
-statestore_subscriber_timeout_seconds=15 \
-kerberos_reinit_interval=60 \
-principal=impala/${hostname}@ABC.COM \
-keytab_file=/etc/impala/conf/impala.keytab
"
IMPALA_SERVER_ARGS=" \
-log_dir=${IMPALA_LOG_DIR} \
-catalog_service_host=${IMPALA_CATALOG_SERVICE_HOST} \
-state_store_port=${IMPALA_STATE_STORE_PORT} \
-use_statestore \
-state_store_host=${IMPALA_STATE_STORE_HOST} \
-be_port=${IMPALA_BACKEND_PORT} \
-kerberos_reinit_interval=60 \
-principal=impala/${hostname}@ABC.COM \
-keytab_file=/etc/impala/conf/impala.keytab
"
ENABLE_CORE_DUMPS=false
Sync the file to each node.
12. Start the Impala services
kinit -k -t /etc/impala/conf/impala.keytab impala/<hostname of this node>@ABC.COM
service impala-catalog start
service impala-state-store start
service impala-server start
impala-shell -k
13. Connect to Impala over JDBC
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.jdbc.HiveStatement;

public class ImpalaKerberosJdbc {
    public static void main(String[] args) throws Exception {
        String hiveDriver = "org.apache.hive.jdbc.HiveDriver";
        // The principal in the URL is the Impala server's principal on the host being connected to
        String hiveUrl = "jdbc:hive2://slave1:21050/default;principal=impala/slave1@ABC.COM";
        // Simplest approach: copy krb5.conf from the server into the JDK's jre/lib/security directory
        System.setProperty("java.security.krb5.conf", "D:/Program Files/Java/jdk1.8.0_91/jre/lib/security/krb5.conf");
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "Kerberos");
        UserGroupInformation.setConfiguration(conf);
        // The client principal and its keytab file (this reuses the service keytab; a dedicated client principal is preferable)
        UserGroupInformation.loginUserFromKeytab("impala/master@ABC.COM", "C:/Users/Administrator/Desktop/impala.keytab");
        Class.forName(hiveDriver);
        Connection con = DriverManager.getConnection(hiveUrl, "", "");
        HiveStatement stmt = (HiveStatement) con.createStatement();
        ResultSet rs = stmt.executeQuery("select * from tb_user");
        while (rs.next()) {
            System.out.println(rs.getString(1) + "-" + rs.getString(2) + "-" + rs.getString(3));
        }
        rs.close();
        stmt.close();
        con.close();
    }
}