Cluster overview:
[SSD cluster 1]
10.129.168.80
10.129.168.156
10.129.165.105
10.129.69.251
[SSD cluster 2]
10.129.160.24
10.129.160.13
10.129.160.46
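Screenshot of the Kerberos authentication settings in CM with authentication enabled; both clusters use the same KDC server.
All principals can be listed on the Kerberos server; filtering for the hdfs-related entries shows that machines from both clusters are present.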
[bx-16:06:13root@a2-test-kerberos-8-33 /root]
#kadmin.local -q "list_principals" | grep hdfs | grep data
hdfs/a2-test-datanode-16-20.sh@hadoop.com
hdfs/a2-test-datanode-16-21.sh@hadoop.com
hdfs/a2-test-datanode-16-22.sh@hadoop.com
hdfs/a2-test-datanode-20-14.sh@hadoop.com
hdfs/a2-test-datanode-20-17.sh@hadoop.com
hdfs/a2-test-datanode-32-34.sh@hadoop.com
hdfs/a2-test-datanode-64-154.sh@hadoop.com
hdfs/a2-test-datanode-vm-66-156.sh@hadoop.com
hdfs/b2-cm-datanode-22-220.sh@hadoop.com
hdfs/b2-test-datanode-18-244.sh@hadoop.com
hdfs/b2-test-datanode-22-151.sh@hadoop.com
hdfs/b2-test-datanode-22-63.sh@hadoop.com
(1) On a server in each of the two clusters, check that Kerberos authentication and user lookup work normally
SSD1 cluster
#id risk_user1
uid=90002(risk_user1) gid=30002(pt_group) groups=30002(pt_group)
[bx-11:02:41root@a2-prod-buffer-165-105 /home/admin]
#/usr/bin/kinit -k -t /home/admin/hadoop.keytab hadoop/admin
[bx-11:03:28root@a2-prod-buffer-165-105 /home/admin]
#klist
Ticket cache: FILE:/home/admin/cache_file/krb5cc_0
Default principal: hadoop/admin@hadoop.com
Valid starting Expires Service principal
03/22/2024 11:03:28 03/23/2024 11:03:28 krbtgt/hadoop.com@hadoop.com
renew until 03/29/2024 11:03:28
[bx-11:03:30root@a2-prod-buffer-165-105 /home/admin]
#hadoop fs -ls /
Found 3 items
drwxr-xr-x - hadoop supergroup 0 2024-03-19 16:30 /system
drwxrwxrwt - hdfs supergroup 0 2024-03-14 10:07 /tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-14 15:40 /user
[bx-11:03:37root@a2-prod-buffer-165-105 /home/admin]
#hive
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
2024-03-22 11:04:55,315 WARN [main] mapreduce.TableMapReduceUtil: The hbase-prefix-tree module jar containing PrefixTreeCodec is not present. Continuing without it.
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/jars/hive-common-1.1.0-cdh5.8.0.jar!/hive-log4j.properties
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> show databases;
OK
default
ssb
SSD2 cluster
#hadoop fs -ls /
Found 3 items
drwxrwxrwt - hdfs supergroup 0 2024-03-21 16:51 /tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-21 16:51 /user
drwxr-xr-x - hadoop supergroup 0 2024-03-22 11:04 /zw02
[bx-11:04:15root@a2-prod-datanode-160-46 /root]
#id risk_user1
uid=90002(risk_user1) gid=30002(pt_group) groups=30002(pt_group)
[bx-11:09:05root@a2-prod-datanode-160-46 /root]
#hadoop fs -ls /
Found 3 items
drwxrwxrwt - hdfs supergroup 0 2024-03-21 16:51 /tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-21 16:51 /user
drwxr-xr-x - hadoop supergroup 0 2024-03-22 11:04 /zw02
[bx-11:09:09root@a2-prod-datanode-160-46 /root]
#hive
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
2024-03-22 11:09:13,213 WARN [main] mapreduce.TableMapReduceUtil: The hbase-prefix-tree module jar containing PrefixTreeCodec is not present. Continuing without it.
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/jars/hive-common-1.1.0-cdh5.8.0.jar!/hive-log4j.properties
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> show databases;
OK
default
zw02
(2) Testing access to the HDFS clusters with the hadoop client
SSD2 cluster
[bx-11:02:47root@a2-prod-datanode-160-24 /etc/ansible/roles/ldap-client]
#hadoop fs -ls hdfs://a2-prod-buffer-165-105.sh:8020/
Found 3 items
drwxr-xr-x - hadoop supergroup 0 2024-03-19 16:30 hdfs://a2-prod-buffer-165-105.sh:8020/system
drwxrwxrwt - hdfs supergroup 0 2024-03-14 10:07 hdfs://a2-prod-buffer-165-105.sh:8020/tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-14 15:40 hdfs://a2-prod-buffer-165-105.sh:8020/user
[bx-11:16:43root@a2-prod-datanode-160-24 /etc/ansible/roles/ldap-client]
#hadoop fs -ls hdfs://test2nameservice/
Found 3 items
drwxrwxrwt - hdfs supergroup 0 2024-03-21 16:51 hdfs://test2nameservice/tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-21 16:51 hdfs://test2nameservice/user
drwxr-xr-x - hadoop supergroup 0 2024-03-22 11:04 hdfs://test2nameservice/zw02
SSD1 cluster
[bx-11:15:54root@a2-prod-buffer-165-105 /home/admin]
#hadoop fs -ls hdfs://a2-prod-buffer-165-105.sh:8020/
Found 3 items
drwxr-xr-x - hadoop supergroup 0 2024-03-19 16:30 hdfs://a2-prod-buffer-165-105.sh:8020/system
drwxrwxrwt - hdfs supergroup 0 2024-03-14 10:07 hdfs://a2-prod-buffer-165-105.sh:8020/tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-14 15:40 hdfs://a2-prod-buffer-165-105.sh:8020/user
[bx-11:16:00root@a2-prod-buffer-165-105 /home/admin]
#hadoop fs -ls hdfs://test2nameservice/
-ls: java.net.UnknownHostException: test2nameservice
Usage: hadoop fs [generic options] -ls [-d] [-h] [-R] [<path> ...]
[bx-11:16:13root@a2-prod-buffer-165-105 /home/admin]
#hadoop fs -ls hdfs://a2-prod-datanode-160-24.sh:8020/
Found 3 items
drwxrwxrwt - hdfs supergroup 0 2024-03-21 16:51 hdfs://a2-prod-datanode-160-24.sh:8020/tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-21 16:51 hdfs://a2-prod-datanode-160-24.sh:8020/user
drwxr-xr-x - hadoop supergroup 0 2024-03-22 11:04 hdfs://a2-prod-datanode-160-24.sh:8020/zw02
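The clusters can be reached across data centers, but the request must give the specific NameNode address (hostname:port form). Access by nameservice name does not work across data centers: on the SSD1 client above, hdfs://test2nameservice/ failed with UnknownHostException.
(3) Creating a new user in LDAP and verifying that it can use the clusters
Check that the user resolves correctly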
####SSD2
[bx-17:36:41root@a2-prod-datanode-160-46 /root]
#id zw11
uid=1000(zw11) gid=500(zw11) groups=500(zw11)
####SSD1
a2-buffer-server-168-156.sh[bx-17:39:43root@a2-buffer-server-168-156 /root]
#id zw11
uid=1000(zw11) gid=500(zw11) groups=500(zw11)
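Add a principal for the user in Kerberos, then authenticate on the client machines with the user name and password.
SSD2 cluster test
###Create the Kerberos principal for the LDAP user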
[bx-17:36:45root@a2-prod-datanode-160-46 /root]
#kadmin.local -q "addprinc -pw zw11 zw11/zw11@hadoop.com"
Authenticating as principal hadoop/admin@hadoop.com with password.
WARNING: no policy specified for zw11/zw11@hadoop.com; defaulting to no policy
Principal "zw11/zw11@hadoop.com" created.
[bx-17:42:50root@a2-prod-datanode-160-46 /root]
#klist
Ticket cache: FILE:/home/admin/cache_file/krb5cc_0
Default principal: hadoop/admin@hadoop.com
Valid starting Expires Service principal
03/22/2024 09:03:08 03/23/2024 09:03:08 krbtgt/hadoop.com@hadoop.com
renew until 03/29/2024 09:03:08
####Switch the authenticated user
[bx-17:43:27root@a2-prod-datanode-160-46 /root]
#/usr/bin/expect /script/login/login_kdc.sh zw11/zw11 zw11
spawn /usr/bin/kinit zw11/zw11
Password for zw11/zw11@hadoop.com:
[bx-17:44:02root@a2-prod-datanode-160-46 /root]
#klist
Ticket cache: FILE:/home/admin/cache_file/krb5cc_0
Default principal: zw11/zw11@hadoop.com
Valid starting Expires Service principal
03/25/2024 17:44:02 03/26/2024 17:44:02 krbtgt/hadoop.com@hadoop.com
renew until 04/01/2024 17:44:02
###List HDFS data to verify the user
[bx-17:44:08root@a2-prod-datanode-160-46 /root]
#hadoop fs -ls /
Found 3 items
drwxrwxrwt - hdfs supergroup 0 2024-03-21 16:51 /tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-21 16:51 /user
drwxr-xr-x - hadoop supergroup 0 2024-03-22 11:04 /zw02
SSD1 cluster test
[bx-17:39:45root@a2-buffer-server-168-156 /root]
#klist
klist: No credentials cache found (filename: /home/admin/cache_file/krb5cc_0)
[bx-17:47:22root@a2-buffer-server-168-156 /root]
#/usr/bin/expect /script/login/login_kdc.sh zw11/zw11 zw11
spawn /usr/bin/kinit zw11/zw11
Password for zw11/zw11@hadoop.com:
[bx-17:47:36root@a2-buffer-server-168-156 /root]
#klist
Ticket cache: FILE:/home/admin/cache_file/krb5cc_0
Default principal: zw11/zw11@hadoop.com
Valid starting Expires Service principal
03/25/2024 17:47:36 03/26/2024 17:47:36 krbtgt/hadoop.com@hadoop.com
renew until 04/01/2024 17:47:36
[bx-17:47:39root@a2-buffer-server-168-156 /root]
#hadoop fs -ls /
Found 3 items
drwxr-xr-x - hadoop supergroup 0 2024-03-19 16:30 /system
drwxrwxrwt - hdfs supergroup 0 2024-03-14 10:07 /tmp
drwxr-xr-x - hdfs supergroup 0 2024-03-14 15:40 /user
The newly created user authenticates and works normally on both CM clusters.
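The addprinc step in (3) printed "WARNING: no policy specified ... defaulting to no policy", and because both clusters trust the same KDC, a principal with no password policy is valid on both. The script below is an added example, not part of the original notes: it reads `getprinc` output and lists the non-host principals that have no policy. The sample input is constructed and trimmed to the fields used, `users_policy` is a hypothetical policy name, and treating an instance that contains a dot as a host-based service principal is an assumption.

```shell
#!/bin/sh
# Added example: find Kerberos principals that have no password policy.

# Constructed sample of `kadmin.local -q "getprinc <principal>"` output,
# trimmed to the fields this check reads. users_policy is hypothetical.
sample_getprinc() {
cat <<'EOF'
Authenticating as principal hadoop/admin@hadoop.com with password.
Principal: zw11/zw11@hadoop.com
Password expiration date: [never]
Policy: [none]
Authenticating as principal hadoop/admin@hadoop.com with password.
Principal: hdfs/a2-test-datanode-16-20.sh@hadoop.com
Password expiration date: [never]
Policy: [none]
Authenticating as principal hadoop/admin@hadoop.com with password.
Principal: hadoop/admin@hadoop.com
Password expiration date: [never]
Policy: users_policy
EOF
}

# Read getprinc output on stdin; print principals whose Policy is [none].
# Assumption: an instance containing a dot (svc/host.domain) is a host-based
# service principal with a random key, so it is skipped.
principals_without_policy() {
  awk '
    /^Principal: / { princ = $2 }
    /^Policy: / && $2 == "[none]" {
      inst = princ
      sub(/@.*/, "", inst)                    # drop the realm
      i = index(inst, "/")
      inst = (i ? substr(inst, i + 1) : "")   # keep only the instance part
      if (inst !~ /\./) print princ
    }
  '
}

# Live use on the KDC host (not run here): walk every principal.
audit_kdc() {
  kadmin.local -q "list_principals" | grep -v ' ' |
  while read -r p; do kadmin.local -q "getprinc $p"; done |
  principals_without_policy
}

sample_getprinc | principals_without_policy
```

On the KDC host, call `audit_kdc` instead of the sample. Running `addprinc -policy <name> <principal>` without `-pw` makes kadmin prompt for the password, which keeps it out of the process list and shell history.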