CDH6安装kerberos(一)kerberos概念理解
CDH6安装kerberos(二)kerberos部署
CDH6安装kerberos(三)CDH集群启用Kerberos
CDH6安装kerberos(四)kerberos使用示例
Kerberos部署
1.系统环境
1)操作系统:CentOS 7.6
2)CDH6.3.2
3)采用root用户进行操作
4)机器列表:(hadoop1.example.com,hadoop2.example.com,hadoop3.example.com)
2.KDC服务安装及配置
选择集群中的一台主机(hadoop1.example.com)作为Kerberos服务端,安装KDC,所有主机都需要部署Kerberos客户端。
1)在服务端主机执行以下安装命令(服务端主机就是KDC)
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation openldap-clients -y
# 会生成/etc/krb5.conf、/var/kerberos/krb5kdc/kadm5.acl、/var/kerberos/krb5kdc/kdc.conf三个文件。
2)在客户端主机执行以下安装命令
yum install -y krb5-workstation krb5-libs
# 会生成/etc/krb5.conf 一个文件。
3.修改配置文件
(1)服务端主机(hadoop102.example.com)
修改/var/kerberos/krb5kdc/kdc.conf文件,内容如下
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
max_life = 1d
max_renewable_life = 7d
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
}
(2)客户端主机(所有主机)
修改/etc/krb5.conf文件,内容如下
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = EXAMPLE.COM
#default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 1
[realms]
EXAMPLE.COM = {
kdc = hadoop1.example.com
admin_server = hadoop1.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
(3)修改管理员权限配置文件
在服务端主机(hadoop1.example.com)修改/var/kerberos/krb5kdc/kadm5.acl文件,内容如下
*/admin@EXAMPLE.COM *
(4)将KDC Server上的krb5.conf文件拷贝到所有Kerberos客户端
scp /etc/krb5.conf root@hadoop2.example.com:/etc/
scp /etc/krb5.conf root@hadoop3.example.com:/etc/
4.初始化KDC数据库
在服务端主机(hadoop1.example.com)执行以下命令
kdb5_util create –r EXAMPLE.COM -s
此处需要输入Kerberos数据库的密码,测试环境可设置为hadoop。
5.将Kerberos服务添加到自启动服务,并启动krb5kdc和kadmin服务
启动KDC
systemctl enable krb5kdc
systemctl start krb5kdc
启动Kadmin,该服务为KDC数据库访问入口
systemctl enable kadmin
systemctl start kadmin
6.创建Kerberos的管理账号
admin/admin@EXAMPLE.COM
执行:
kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:
kadmin.local: addprinc admin/admin@EXAMPLE.COM
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM": 【输入密码为admin】
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
kadmin.local:
此处需要输入admin账号的密码,设置为admin。
7.测试Kerberos的管理员账号
kinit admin/admin@EXAMPLE.COM
输入密码admin完成验证
至此,kerberos的安装已经全部完成,下面需要根据应用组件来整合kerberos。