Setting up zookeeper+kafka+kerberos on Linux (CentOS 7)
Server plan

- s160: install Kerberos
- s156: install Kafka and ZooKeeper
Kerberos server installation

0. Download the JCE jar files

Download link: orcle-jce-8.jars

Unzip the archive and place the two jars in the `%JAVA_HOME%/jre/lib/security` directory. (Without the unlimited-strength JCE policy files, Java 8 releases before 8u161 cannot use the aes256-cts keys configured below.)
1. Install the Kerberos server packages

```
yum install krb5-server krb5-libs krb5-auth-dialog
```
2. Configure the hosts file

Edit `/etc/hosts` on every machine:

```
192.168.129.160 kdc
192.168.129.156 kafka
```
3. Edit the Kerberos configuration files

After installing Kerberos there are two configuration files:

- `/etc/krb5.conf`: configures the realm name
- `/var/kerberos/krb5kdc/kdc.conf`: configures the domain-to-realm mappings (host to realm)

Configure each in turn:
- `vi /var/kerberos/krb5kdc/kdc.conf`

```
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
### `BOP.COM` can be any name; it denotes a realm, and several realms may be configured.
### The `BOP.COM` here must match the one configured in `/etc/krb5.conf`.
 BOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
```
- `vi /etc/krb5.conf`

```
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

### [logging]: where the server-side logs are written
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
### ticket_lifetime is how long a ticket stays valid, normally 24 hours.
 ticket_lifetime = 24h
### renew_lifetime is the longest a ticket can keep being renewed, normally one week. Once the ticket has expired, further access to Kerberos-authenticated services fails.
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
### The default realm; it must match the name of the realm being configured.
 default_realm = BOP.COM
 default_ccache_name = KEYRING:persistent:%{uid}
# disable UDP
 udp_preference_limit = 1

[realms]
 BOP.COM = {
### kdc: the location of the KDC, in the form host:port
  kdc = kdc
### admin_server: the location of the admin server, in the form host:port
  admin_server = kdc
 }

[domain_realm]
 .bop.com = BOP.COM
 bop.com = BOP.COM
```
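The realm name in kdc.conf has to match the one in /etc/krb5.conf, and a typo in either file only shows up later as an obscure KDC error. As an added check (example code written for this page, not part of the original post), the script below extracts `default_realm` from a krb5.conf and the realm names declared under `[realms]` in a kdc.conf and reports whether they agree. The file paths are parameters so it can be pointed at copies; the two files written by `demo_realm_check` are constructed samples that mirror the settings above.

```shell
#!/bin/sh
# Added example (not from the original post): check that the default_realm in a
# krb5.conf is defined under [realms] in the matching kdc.conf. File paths are
# parameters; the files written by demo_realm_check are constructed samples.

# Print the value of default_realm from a krb5.conf-style file.
krb5_default_realm() {
  awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
             gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit }' "$1"
}

# Print every realm name declared as "NAME = {" inside the [realms] section.
kdc_realms() {
  awk '/^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
       in_realms && /^[[:space:]]*[A-Za-z0-9._-]+[[:space:]]*=[[:space:]]*[{]/ {
         sub(/^[[:space:]]+/, ""); sub(/[[:space:]]*=.*/, ""); print }' "$1"
}

# Return 0 if the default_realm of $1 (krb5.conf) is defined in $2 (kdc.conf).
check_realm_consistency() {
  realm=$(krb5_default_realm "$1")
  [ -n "$realm" ] || { echo "no default_realm in $1" >&2; return 1; }
  for r in $(kdc_realms "$2"); do
    [ "$r" = "$realm" ] && { echo "ok: $realm is defined in $2"; return 0; }
  done
  echo "mismatch: default_realm $realm is not defined in $2" >&2
  return 1
}

# Run the check on two constructed files that mirror the settings above.
demo_realm_check() {
  dir=$(mktemp -d)
  cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = BOP.COM
[realms]
 BOP.COM = {
  kdc = kdc
 }
EOF
  cat > "$dir/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 BOP.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }
EOF
  if check_realm_consistency "$dir/krb5.conf" "$dir/kdc.conf"; then rc=0; else rc=1; fi
  rm -rf "$dir"
  return $rc
}

demo_realm_check
# On the KDC host: check_realm_consistency /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf
```

The parsing is deliberately narrow: it only looks at `default_realm` and at `NAME = {` lines inside `[realms]`, which is enough to catch the mismatch the post warns about without pulling in a full krb5.conf parser.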
4. Initialize Kerberos and start the services

- Create the database with `kdb5_util create -s -r BOP.COM`. `-s` creates a stash file in which the master server key (krb5kdc) is stored; `-r` specifies a realm name, which is only necessary when krb5.conf defines more than one realm. You will be asked to enter a password during creation; remember it (the password here is: bop).

  Once the Kerberos database has been created, the following 6 files appear in the `/var/kerberos/krb5kdc` directory:

- Start the services

```
systemctl start krb5kdc.service
systemctl start kadmin.service
```

- Enable them at boot

```
systemctl enable krb5kdc.service
systemctl enable kadmin.service
```
5. Add Kerberos principals and generate keytab files

```
kadmin.local
addprinc -randkey zookeeper/s156@BOP.COM
xst -k /etc/security/keytabs/s156_zookeeper.keytab zookeeper/s156@BOP.COM
addprinc -randkey kafka/s156@BOP.COM
xst -k /etc/security/keytabs/s156_kafka.keytab kafka/s156@BOP.COM
```
6. Verify on the Kerberos server that the principals work

```
kinit -kt /etc/security/keytabs/s156_zookeeper.keytab zookeeper/s156@BOP.COM
klist
kinit -kt /etc/security/keytabs/s156_kafka.keytab kafka/s156@BOP.COM
klist
```

The `klist` command may not be found at this point; if so, install it with `yum -y install krb5-workstation`.

In the `klist` output:

- Default principal is the principal that was created
- Valid starting is the time the ticket became valid
- Expires is the expiry time
7. Install the client

Install the client with `yum -y install krb5-workstation krb5-libs`, then configure `/etc/krb5.conf`:

```
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = BOP.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 1

[realms]
 BOP.COM = {
  kdc = kdc
 }

[domain_realm]
 .example.com = BOP.COM
 example.com = BOP.COM
```
8. Copy the keytab files to the client and verify

Copy the keytabs:

```
scp /etc/security/keytabs/s156_zookeeper.keytab root@s156:/etc/security/keytabs/s156_zookeeper.keytab
scp /etc/security/keytabs/s156_kafka.keytab root@s156:/etc/security/keytabs/s156_kafka.keytab
```

Verify (mind the permissions on the keytab file; to be safe, chmod 777):

```
## verify on the client
klist -ke xxx.keytab
```
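Two things are worth checking on a keytab at this point: its file mode, since it holds the service's long-term keys, and the encryption types of its entries, since the `supported_enctypes` line in kdc.conf above still enables single DES, 3DES and RC4. The following is an added example written for this page (not the original post's commands): `keytab_mode_ok` accepts only a mode with no group/other bits, and `weak_keytab_entries` reads a `klist -ke` listing and prints the entries whose enctype is on the `WEAK_ENCTYPES` list. `WEAK_ENCTYPES`, the function names and the listing written by `demo_keytab_check` are all mine; the listing is constructed to look like `klist -ke` output so the script runs without a real keytab.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on a keytab after it
# has been copied to the client. WEAK_ENCTYPES is my list; the klist listing
# written by demo_keytab_check is constructed to look like `klist -ke` output.

# Encryption types that should not appear in a keytab any more: single DES,
# 3DES and RC4, all of which the supported_enctypes line in kdc.conf above enables.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 des-hmac-sha1 des3-cbc-sha1 arcfour-hmac'

# Return 0 if the file mode grants nothing to group or other (600, 400, ...).
keytab_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    [0-7]00) return 0 ;;
    *) echo "$1: mode $mode grants access to group/other" >&2; return 1 ;;
  esac
}

# Read a `klist -ke` listing from file $1 (or stdin) and print "principal enctype"
# for each entry whose enctype is weak; return 1 if any were found.
weak_keytab_entries() {
  cat "${1:--}" | awk -v weak="$WEAK_ENCTYPES" '
    BEGIN { n = split(weak, w, " ") }
    # entry lines look like: "   2 kafka/s156@BOP.COM (aes256-cts-hmac-sha1-96)"
    $1 ~ /^[0-9]+$/ && $NF ~ /^\(.*\)$/ {
      et = substr($NF, 2, length($NF) - 2)
      for (i = 1; i <= n; i++) if (et == w[i]) { print $2, et; bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# Demo on a constructed listing and an empty placeholder keytab; prints the
# number of weak entries found (3 for the sample below).
demo_keytab_check() {
  dir=$(mktemp -d)
  cat > "$dir/listing.txt" <<'EOF'
Keytab name: FILE:/etc/security/keytabs/s156_kafka.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kafka/s156@BOP.COM (aes256-cts-hmac-sha1-96)
   2 kafka/s156@BOP.COM (aes128-cts-hmac-sha1-96)
   2 kafka/s156@BOP.COM (des3-cbc-sha1)
   2 kafka/s156@BOP.COM (arcfour-hmac)
   2 kafka/s156@BOP.COM (des-cbc-md5)
EOF
  : > "$dir/sample.keytab"
  chmod 600 "$dir/sample.keytab"
  keytab_mode_ok "$dir/sample.keytab" || echo "mode check failed"
  weak_keytab_entries "$dir/listing.txt" | wc -l | tr -d ' '
  rm -rf "$dir"
}

demo_keytab_check
# On a real client:
#   keytab_mode_ok /etc/security/keytabs/s156_kafka.keytab &&
#     klist -ke /etc/security/keytabs/s156_kafka.keytab | weak_keytab_entries
```

The mode check uses GNU `stat -c` and falls back to the BSD `stat -f` form; the enctype names are the ones `klist -ke` prints, which differ slightly from the `kdc.conf` spellings (for example `des3-cbc-sha1` in the listing versus `des3-hmac-sha1` in `supported_enctypes`).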
Zookeeper

1. zoo.cfg

Add the following settings to zoo.cfg:

```
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000
```

2. Add a new configuration file: zoo_jaas.conf

Create this file in the `${ZK_HOME}/conf` directory:

```
Server {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 keyTab="/etc/security/keytabs/s156_zookeeper.keytab"
 principal="zookeeper/s156@BOP.COM";
};
Client {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 keyTab="/etc/security/keytabs/s156_zookeeper.keytab"
 principal="zookeeper/s156@BOP.COM";
};
```

3. Set the JVM environment variables

Create `java.env` in the `/zookeeper/conf/` directory:

```
export JVMFLAGS="-Djava.security.auth.login.config=/home/kk/zookeeper-3.4.12/conf/zoo_jaas.conf"
export CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/home/kk/zookeeper-3.4.12/conf/zoo_jaas.conf"
```

4. Start command

```
./zkServer.sh start …/conf/zoo.cfg
```
Kafka

1. Add kafka_jaas.conf

Create a file with this name in the `${KAFKA_HOME}/conf` directory:

```
KafkaServer {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 serviceName="kafka"
 keyTab="/etc/security/keytabs/s156_kafka.keytab"
 principal="kafka/s156@BOP.COM";
};
KafkaClient {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 serviceName="kafka"
 keyTab="/etc/security/keytabs/s156_kafka.keytab"
 principal="kafka/s156@BOP.COM";
};
Client {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 keyTab="/etc/security/keytabs/s156_zookeeper.keytab"
 principal="zookeeper/s156@BOP.COM";
};
```

The `Client` section is the ZooKeeper configuration.
2. Edit server.properties

```
listeners=SASL_PLAINTEXT://slave1:9092
advertised.listeners=SASL_PLAINTEXT://slave1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
#principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal
sasl.kerberos.service.name=kafka
```
3. Edit kafka-run-class.sh to add the JVM options

Modify the very end of the file:

```
KAFKA_SASL_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/kk/kafka_2.11-0.10.2.0/config/kafka_jaas.conf'
if [ "x$DAEMON_MODE" = "xtrue" ]; then
  nohup $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_SASL_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS "$@" > "$CONSOLE_OUTPUT_FILE" 2>&1 < /dev/null &
else
  exec $JAVA $KAFKA_HEAP_OPTS $KAFKA_JVM_PERFORMANCE_OPTS $KAFKA_GC_LOG_OPTS $KAFKA_JMX_OPTS $KAFKA_LOG4J_OPTS -cp $CLASSPATH $KAFKA_OPTS $KAFKA_SASL_OPTS "$@"
fi
```
4. Edit producer.properties and consumer.properties

```
security.protocol=SASL_PLAINTEXT
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
```

5. Commands to use

```
./kafka-console-producer.sh --broker-list s156:9092 --topic test --producer.config ../config/producer.properties
./kafka-console-consumer.sh --bootstrap-server s156:9092 --topic test --new-consumer --from-beginning --consumer.config ../config/consumer.properties
```
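A broker with one of the SASL keys misspelled or missing silently falls back to plaintext listeners or fails to start, so it helps to lint `server.properties` before the first start. The script below is an added example written for this page (not part of the original post and not Kafka's own tooling): `check_kafka_sasl` reads a properties file and reports each of the keys from step 2 that is absent or not set to a SASL/GSSAPI value. `REQUIRED_KEYS` and the function names are mine, and the file written by `demo_kafka_lint` is a constructed copy of the step 2 settings with one key misspelled to show what the lint reports.

```shell
#!/bin/sh
# Added example (not from the original post or the Kafka project): a lint for the
# SASL/GSSAPI settings in server.properties. REQUIRED_KEYS and the function names
# are mine; the properties file written by demo_kafka_lint is constructed.

REQUIRED_KEYS='listeners advertised.listeners security.inter.broker.protocol
sasl.mechanism.inter.broker.protocol sasl.enabled.mechanisms sasl.kerberos.service.name'

# Print the value of key $2 from properties file $1 (last definition wins,
# "#" comment lines ignored, surrounding whitespace trimmed).
prop_get() {
  awk -v k="$2" '
    /^[[:space:]]*#/ || !/=/ { next }
    { key = substr($0, 1, index($0, "=") - 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      if (key == k) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      } }
    END { print v }' "$1"
}

# Report each required key that is missing or not set to a SASL/GSSAPI value.
# Returns 0 only when the file is clean.
check_kafka_sasl() {
  rc=0
  for k in $REQUIRED_KEYS; do
    v=$(prop_get "$1" "$k")
    if [ -z "$v" ]; then echo "missing: $k"; rc=1; continue; fi
    case "$k" in
      listeners|advertised.listeners)
        # every comma-separated listener must use a SASL protocol
        for l in $(printf '%s' "$v" | tr ',' ' '); do
          case "$l" in SASL_PLAINTEXT://*|SASL_SSL://*) ;;
            *) echo "$k has a non-SASL listener: $l"; rc=1 ;; esac
        done ;;
      security.inter.broker.protocol)
        case "$v" in SASL_PLAINTEXT|SASL_SSL) ;;
          *) echo "$k is not SASL_PLAINTEXT or SASL_SSL: $v"; rc=1 ;; esac ;;
      sasl.mechanism.inter.broker.protocol|sasl.enabled.mechanisms)
        case ",$v," in *,GSSAPI,*) ;;
          *) echo "$k does not include GSSAPI: $v"; rc=1 ;; esac ;;
    esac
  done
  return $rc
}

# Constructed server.properties in which one key is misspelled.
demo_kafka_lint() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
listeners=SASL_PLAINTEXT://slave1:9092
advertised.listeners=SASL_PLAINTEXT://slave1:9092
security.inter.broker.protocol=SASL_PLAINTEXT
sasl.mechanism.inter.broker.protocol=GSSAPI
isasl.enabled.mechanisms=GSSAPI
#principal.to.local.class=kafka.security.auth.KerberosPrincipalToLocal
sasl.kerberos.service.name=kafka
EOF
  if check_kafka_sasl "$f"; then rc=0; else rc=1; fi
  rm -f "$f"
  return $rc
}

demo_kafka_lint || :   # prints "missing: sasl.enabled.mechanisms" and returns 1
# On a broker: check_kafka_sasl "$KAFKA_HOME/config/server.properties"
```

`prop_get` keeps the last definition of a key, matching how Kafka's properties loader behaves when a key is repeated, so a stray `listeners=PLAINTEXT://...` appended at the bottom of the file is flagged rather than masked by an earlier SASL line.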
Storm configuration (the most painful part)

For the Storm part, refer to the storm-kafka-kerberos code.

The key points:

- storm.yaml does not need to be modified
- A `storm_jaas.conf` file must be added under `${STORM_HOME}/conf` (many sources do not mention this, and it held me up for ages):

```
KafkaClient {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 serviceName="kafka"
 keyTab="/etc/security/keytabs/s156_kafka.keytab"
 principal="kafka/s156@BOP.COM";
};
```

Tested and working.
Kerberos common commands

| Description | Command |
|---|---|
| Enter kadmin | `kadmin.local` / `kadmin` |
| Create the database | `kdb5_util create -r BOP.COM -s` |
| Start the kdc service | `service krb5kdc start` |
| Start the kadmin service | `service kadmin start` |
| Change the current password | `kpasswd` |
| Test that a keytab works | `kinit -k -t /etc/security/keytabs/zookeeper.keytab zookeeper/kdc@BOP.COM` |
| View a keytab | `klist -e -k -t /etc/krb5.keytab` |
| Clear the credential cache | `kdestroy` |
| Log in using a keytab file | `kinit -kt /var/run/cloudera-scm-agent/process/***-HIVESERVER2/hive.keytab hive/node2` |
| In kadmin mode: | |
| Create a principal with a random key | `addprinc -randkey zookeeper/kdc@BOP.COM` |
| Create a principal with a given key | `addprinc -pw *** zookeeper/kdc@BOP.COM` |
| List principals | `listprincs` |
| Change the password of admin/admin | `cpw -pw xxxx admin/admin` |
| Add/delete a principal | `addprinc/delprinc admin/admin` |
| Write a principal's key directly to a keytab | `ktadd -k /etc/krb5.keytab host/kdc@BOP.COM` |
| Set a password policy | `addpol -maxlife "90 days" -minlife "75 days" -minlength 8 -minclasses 3 -maxfailure 10 -history 10 user` |
| Add a user with a password policy | `addprinc -policy user hello/kdc@BOP.COM` |
| Change a user's password policy | `modprinc -policy user hello/kdc@BOP.COM` |
| Delete a password policy | `delpol [-force] user` |
| Modify a password policy | `modpol -maxlife "90 days" -minlife "75 days" -minlength 8 -minclasses 3 -maxfailure 10 user` |