Configuring Ambari to support LDAP accounts

-- http://www.therebel.eu/2015/08/setting-password-expiry-in-ipa/

--------------------------------------------------------------------------------------------------
-- ############################################################################################ --

-- Configure Ambari to use LDAP (environment: Ambari 2.7.0 + HDP 3.0.0 + FreeIPA 4.5.4)
-- References: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/_configure_ambari_to_use_ldap_server.html
--      http://www.freeipa.org/page/HowTo/LDAP
--      https://github.com/abajwa-hw/security-workshops/blob/master/Setup-Ambari.md

-- If you run into problems during installation, you are welcome to join the QQ group to discuss them: 661945126

--------------------------------------------------------------------------------------------------
-- ############################################################################################ --

[root@wfldap001 ~]# ipa group-show ambari
  Group name: ambari
  Description: ambari
  GID: 1757400029
  Member users: xujunyang, luoyoumou

-- Goal: import only the members of the IPA group "ambari" as users that can log in to Ambari

-- Log in to the server running ambari-server and run the following commands.
-- /etc/ipa/ca.crt is the IPA CA certificate placed on the host when it was enrolled as an IPA client;
-- importing it creates a truststore (it holds only the CA's public certificate, despite the "keystore"
-- in the file name) that lets Ambari validate the LDAPS certificate presented by wfldap001/wfldap002:
mkdir /etc/ambari-server/keys

$JAVA_HOME/bin/keytool -import -trustcacerts -alias root \
-file /etc/ipa/ca.crt \
-keystore /etc/ambari-server/keys/ldaps-keystore.jks

-- The detailed output of the above command looks like this:
--------------------------------------------------------------------------------------------------
[root@wfambari ambari-server]# $JAVA_HOME/bin/keytool -import -trustcacerts -alias root \
> -file /etc/ipa/ca.crt \
> -keystore /etc/ambari-server/keys/ldaps-keystore.jks
Enter keystore password: bee56915 -- choose any password, just remember it: the same value is entered at the "Password for TrustStore" prompt of setup-ldap below (keytool does not echo passwords; the value is shown here only for illustration)
Re-enter new password: bee56915
Owner: CN=Certificate Authority, O=WANFENG.COM
Issuer: CN=Certificate Authority, O=WANFENG.COM
Serial number: 1
Valid from: Fri Jul 27 00:35:47 CST 2018 until: Tue Jul 27 00:35:47 CST 2038
Certificate fingerprints:
     MD5:  C9:EB:6E:42:A7:CD:B5:10:C3:6A:03:DF:28:4D:0F:3D
     SHA1: D2:8B:29:FB:A9:B1:EF:89:22:3C:82:5B:B7:9D:79:8F:49:05:96:8B
     SHA256: 58:61:33:B1:DB:D6:41:7C:C3:54:D3:17:F6:29:C2:16:80:1B:43:13:67:6C:4D:63:36:D1:48:D0:04:66:A8:9C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ipa-ca.wanfeng.com/ca/ocsp
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 15 E9 A9 39 6B F7 0E 8A   E4 3E 1A 54 B5 06 51 9D  ...9k....>.T..Q.
0010: 6E FD D4 AF                                        n...
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 15 E9 A9 39 6B F7 0E 8A   E4 3E 1A 54 B5 06 51 9D  ...9k....>.T..Q.
0010: 6E FD D4 AF                                        n...
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
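At the "Trust this certificate?" prompt above, the only thing standing between a tampered CA file and a permanent LDAPS trust anchor is the operator reading the Owner/Issuer and the SHA256 fingerprint. The fingerprint keytool prints should be compared with one obtained independently, for instance `openssl x509 -in /etc/ipa/ca.crt -noout -fingerprint -sha256` run on wfldap001 itself. The script below is an added example and not part of the original post: it normalizes the keytool and openssl fingerprint formats and compares them. The throwaway self-signed CA it generates is a constructed stand-in for /etc/ipa/ca.crt, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compare the SHA256 fingerprint keytool shows at
# the "Trust this certificate?" prompt with one computed independently by openssl, so that a
# swapped CA file is caught before it becomes a trust anchor for LDAPS.
# Assumption (not on the page): the throwaway CA built by make_sample_ca is only sample input;
# in production the reference fingerprint is computed on the IPA server from its own ca.crt.
set -eu

# Extract the 32-byte colon-separated fingerprint from either keytool ("SHA256: AA:BB:...")
# or openssl ("SHA256 Fingerprint=AA:BB:...") output, upper-cased; prints nothing if absent.
normalize_fp() {
    printf '%s\n' "$1" | grep -oE '([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}' | head -n 1 | tr 'a-f' 'A-F'
}

# SHA256 fingerprint of a PEM certificate file, computed by openssl.
cert_sha256_fp() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Exit 0 only if the fingerprint line pasted from keytool's output matches the certificate file.
keytool_fp_matches() {
    shown=$(normalize_fp "$1")
    expected=$(cert_sha256_fp "$2")
    [ -n "$shown" ] && [ "$shown" = "$expected" ]
}

# Constructed sample: a throwaway self-signed CA standing in for /etc/ipa/ca.crt.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}
```

On the Ambari host, `keytool_fp_matches "<SHA256 line from keytool>" /etc/ipa/ca.crt` only proves that keytool and openssl read the same file; the comparison that matters is against the fingerprint computed on the IPA server, obtained out of band.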

--------------------------------------------------------------------------------------------------
-- Before configuring, back up the ambari-server configuration file:
cp /etc/ambari-server/conf/ambari.properties /etc/ambari-server/conf/ambari.properties.bak.20180731

ambari-server setup-ldap
-- The output of the above command looks like this. A few notes on the answers: port 636 with
-- "Use SSL = true" means LDAPS, which is what the truststore created above is for (the truststore
-- password asked for below must be the one given to keytool); the Manager DN is the account Ambari
-- binds with to search users and groups, so it needs read access only and should be a dedicated
-- service account with a strong password rather than a personal or IPA admin account; "skip" for
-- username collisions leaves an existing local Ambari account (such as the built-in admin) alone when
-- an LDAP user has the same name, whereas "convert" would turn that local account into an LDAP one:
--------------------------------------------------------------------------------------------------
[root@wfambari scripts]# ambari-server setup-ldap
Using python  /usr/bin/python
Primary URL Host* : wfldap001.wanfeng.com
Primary URL Port* : 636
Secondary URL Host : wfldap002.wanfeng.com
Secondary URL Port : 636
Use SSL* [true/false] (false): true
User object class* (person): 
User name attribute* (uid): 
Group object class* (posixGroup): 
Group name attribute* (cn): 
Group member attribute* (memberUid): 
Distinguished name attribute* (dn): 
Base DN* (dc=ambari,dc=apache,dc=org): dc=wanfeng,dc=com
Referral method [follow/ignore] : follow
Bind anonymously* [true/false] (false): false
Handling behavior for username collisions [convert/skip] for LDAP sync* (convert): skip
Force lower-case user names [true/false] :true
Results from LDAP are paginated when requested [true/false] :true
Manager DN* : uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com
Enter Manager Password* : 
Re-enter password: 
Do you want to provide custom TrustStore for Ambari [y/n] (y)?y
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file (/etc/ambari-server/keys/ldaps-keystore.jks):
Password for TrustStore:
Re-enter password: 
====================
Review Settings
====================
Primary URL Host* :  wfldap001.wanfeng.com
Primary URL Port* :  636
Secondary URL Host :  wfldap002.wanfeng.com
Secondary URL Port :  636
Use SSL* [true/false] (false):  true
User object class* (person):  person
User name attribute* (uid):  uid
Group object class* (posixGroup):  posixGroup
Group name attribute* (cn):  cn
Group member attribute* (memberUid):  memberUid
Distinguished name attribute* (dn):  dn
Base DN* (dc=ambari,dc=apache,dc=org):  dc=wanfeng,dc=com
Referral method [follow/ignore] :  follow
Bind anonymously* [true/false] (false):  false
Handling behavior for username collisions [convert/skip] for LDAP sync* (convert):  skip
Force lower-case user names [true/false] : true
Results from LDAP are paginated when requested [true/false] : true
ambari.ldap.connectivity.bind_dn: uid=hadoopadmin,cn=users,cn=accounts,dc=wanfeng,dc=com
ambari.ldap.connectivity.bind_password: *****
ssl.trustStore.type: jks
ssl.trustStore.path: /etc/ambari-server/keys/ldaps-keystore.jks
ssl.trustStore.password: *****
Save settings [y/n] (y)? y
Saving LDAP properties...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 
Saving LDAP properties finished
Ambari Server 'setup-ldap' completed successfully.

--------------------------------------------------------------------------------------------------
-- Initial sync: import the group listed in ambari.txt (one group name per line) together with its members
[root@wfambari scripts]# cat ambari.txt
ambari

[root@wfambari scripts]# ambari-server sync-ldap --groups=ambari.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

Fetching LDAP configuration from DB.
Syncing specified users and groups...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 2
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 2
  groups:
    updated = 0
    removed = 0
    created = 1

Ambari Server 'sync-ldap' completed successfully.

--------------------------------------------------------------------------------------------------
-- Install expect (used below to answer the interactive login prompt of sync-ldap from cron)
yum install expect*

--------------------------------------------------------------------------------------------------
-- First create an ambari_group.txt file (it lists the IPA group names to sync into Ambari, one per line)
[root@wfambari scripts]# cat ambari_group.txt
ambari

--------------------------------------------------------------------------------------------------
-- Edit the ambari_sync_ldap.sh file with the following content. Note that with --existing Ambari
-- re-syncs every user and group it already knows from LDAP and ignores --groups; the transcript
-- below confirms this by printing "Syncing existing..." instead of "Syncing specified users and
-- groups...", so the group file only matters for the initial import and no further IPA group is
-- ever added by this script:
[root@wfambari scripts]# cat ambari_sync_ldap.sh 
#!/usr/bin/expect
# Re-sync the users and groups already imported into Ambari: new members of the
# already-imported "ambari" group get created, groups not yet in Ambari do not.
spawn /usr/sbin/ambari-server sync-ldap --groups=./ambari_group.txt --existing
expect "Enter Ambari Admin login:"
send "admin\r"
expect "Enter Ambari Admin password:"
# The Ambari admin password is hard-coded here in clear text: anyone who can read
# this file can log in to Ambari as admin, so keep it root-owned and mode 0700.
send "admin\r"
expect eof

--------------------------------------------------------------------------------------------------
-- Run a test of the sync
[root@wfambari scripts]# ./ambari_sync_ldap.sh 
spawn ambari-server sync-ldap --groups=./ambari_group.txt --existing
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

Fetching LDAP configuration from DB.
Syncing existing...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 0
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 0
  groups:
    updated = 0
    removed = 0
    created = 0

Ambari Server 'sync-ldap' completed successfully.

--------------------------------------------------------------------------------------------------
-- Finally, a crontab entry that syncs the members of the IPA "ambari" group into Ambari every five minutes.
-- Note that ">" overwrites the log on every run, so the record of which accounts were created or removed
-- survives for at most five minutes; append with ">>" or send the summary to syslog if you need an audit trail.
# ambari-server sync-ldap
*/5 * * * * cd /root/scripts && ./ambari_sync_ldap.sh > ./ambari_sync_ldap.log 2>&1

--------------------------------------------------------------------------------------------------
-- The content of the sync log looks like this (created = 1 means that a member newly added to the IPA
-- "ambari" group was synced into Ambari automatically). Check the reverse case too: remove a test user
-- from the IPA group and read the next summary. If it reports "memberships: removed = 1" but
-- "users: removed = 0", the user still has an Ambari account (and can still log in) until disabled or
-- deleted in Ambari, because --existing only removes users that no longer exist in LDAP at all.

[root@wfambari scripts]# cat ambari_sync_ldap.log
spawn /usr/sbin/ambari-server sync-ldap --groups=./ambari_group.txt --existing
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

Fetching LDAP configuration from DB.
Syncing existing...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 1
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 1
  groups:
    updated = 0
    removed = 0
    created = 0

Ambari Server 'sync-ldap' completed successfully.

--------------------------------------------------------------------------------------------------

-- The resulting Ambari user list looks like the following (screenshots not reproduced here)
