I have recently been configuring Kerberos authentication on a CDH cluster and ran into quite a few problems, so I am using this post to summarise what I learned.
Basic Kerberos command usage
1. Kerberos installation and configuration documents
https://my.oschina.net/epoch/blog/1634325
https://www.cnblogs.com/mantoudev/p/9460712.html
2. Kerberos terminology
2.1 Kerberos principals
The official site has a detailed introduction to principals, at: http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
A principal is a unique identity to which Kerberos can assign tickets. A principal can have any number of components. Each component is separated by a component separator (usually /). The last component is the realm, separated from the rest of the principal by the realm separator (usually @). If a principal has no realm component, it is assumed to be in the default realm for the context in which it is used.
The general format of a principal is: primary/instance@REALM
primary is the first part of the principal: for a user it is the username, for a host it is the word host.
instance is an optional string that qualifies the primary. The instance is separated from the primary by a slash (/). For a user the instance is usually null, but a user may also have an additional principal with an instance called admin, which is used to administer the database. The principal jennifer@ATHENA.MIT.EDU is entirely separate from the principal jennifer/admin@ATHENA.MIT.EDU, with a separate password and separate permissions. For a host, the instance is the fully qualified hostname, e.g. daffodil.mit.edu.
REALM is your Kerberos realm. In most cases your Kerberos realm is your domain name in uppercase letters. For example, the machine daffodil.example.com is in the realm EXAMPLE.COM.
3. Kerberos commands
3.1 Log in with kinit
[root@master~]# kinit admin/admin@EXAMPLE.COM
Password for admin/admin@EXAMPLE.COM: 123456
Or log in with a keytab:
[root@master~]# kinit -kt /opt/cdh/hadoop.keytab hadoop/master@EXAMPLE.COM
3.2 Check login status with klist
[root@master~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoop/hadoop@EXAMPLE.COM
Valid starting Expires Service principal
2019-03-03T20:54:55 2019-03-04T20:54:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
3.3 Log out with kdestroy
[root@master~]# kdestroy
[root@master~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
3.4 Enter the KDC administration shell with kadmin.local
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local:
If the kadmin.local command cannot be found, locate it with find / -name kadmin
It is usually at: /usr/bin/kadmin
3.5 List principals with listprincs
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: listprincs
K/M@EXAMPLE.COM
admin/admin@EXAMPLE.COM
hadoop@EXAMPLE.COM
hbase/hadoop1@EXAMPLE.COM
hbase/hadoop2@EXAMPLE.COM
3.6 Change a principal's password with change_password
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: change_password admin/admin@EXAMPLE.COM
Enter password for principal "admin/admin@EXAMPLE.COM": 123456
Re-enter password for principal "admin/admin@EXAMPLE.COM": 123456
Password for "admin/admin@EXAMPLE.COM" changed.
3.7 Create a principal with addprinc
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
addprinc -pw 123456 hadoop # create a principal named hadoop with password 123456
When a principal is created without a REALM, the default REALM is used.
3.8 Delete a principal with delprinc
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: delete_principal test1
Are you sure you want to delete the principal "test1@EXAMPLE.COM"? (yes/no): yes
Principal "test1@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
3.9 Export a keytab file
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: xst -k /opt/cdh/admin.keytab -norandkey admin/admin@EXAMPLE.COM
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des3-cbc-sha1 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type arcfour-hmac added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-hmac-sha1 added to keytab WRFILE:admin.keytab.
Entry for principal admin/admin@EXAMPLE.COM with kvno 6, encryption type des-cbc-md5 added to keytab WRFILE:admin.keytab.
If no path is given with -k, the keytab is written to the current directory.
3.10 List the principals in a keytab file
[root@master~]# klist -ket hbase.headless.keytab
Keytab name: FILE:hbase.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
7 2018-07-30T10:19:16 hbase-flink@demo.com (des-cbc-md5)
7 2018-07-30T10:19:16 hbase-flink@demo.com (aes128-cts-hmac-sha1-96)
7 2018-07-30T10:19:16 hbase-flink@demo.com (aes256-cts-hmac-sha1-96)
7 2018-07-30T10:19:16 hbase-flink@demo.com (des3-cbc-sha1)
7 2018-07-30T10:19:16 hbase-flink@demo.com (arcfour-hmac)
3.11 Renew a ticket with kinit -R
[root@master~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoop@EXAMPLE.COM
Valid starting Expires Service principal
03/03/20 20:46:40 03/04/20 08:46:40 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/10/20 20:21:26
[root@master~]# kinit -R
[root@master~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hadoop@EXAMPLE.COM
Valid starting Expires Service principal
03/03/20 20:46:56 03/04/20 08:46:56 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/10/20 20:21:26
You can see that the Expires time of the two tickets differs, while the renew until time stays the same.
3.12 View a principal's details with getprinc
[root@master~]# kadmin.local
Authenticating as principal root/admin@EXAMPLE.COM with password.
kadmin.local: getprinc hadoop@EXAMPLE.COM
Principal: hadoop@EXAMPLE.COM
Expiration date: [never]
Last password change: Tue Mar 03 14:50:08 CST 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Mar 03 14:50:08 CST 2020 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
Key: vno 1, des-hmac-sha1
Key: vno 1, des-cbc-md5
MKey: vno 1
Attributes:
Policy: [none]
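The principal format from 2.1 together with the keytab listing from 3.10 and the key list from 3.12, as an added shell example that is not part of the original post: it splits a principal into its parts and scans klist -ket output for keys that use the deprecated DES/RC4 encryption types. The keytab listing it reads is constructed sample data, not a real keytab.

```shell
#!/bin/sh
# Added example, not code from the original post. Parses principal names as
# described in 2.1 and audits "klist -ket" output (format shown in 3.10) for
# keys that use deprecated encryption types. All sample data is constructed.

# Constructed sample of "klist -ket" output (not a real keytab)
SAMPLE_KLIST='Keytab name: FILE:hbase.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 2018-07-30T10:19:16 hbase-flink@EXAMPLE.COM (des-cbc-md5)
   7 2018-07-30T10:19:16 hbase-flink@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   7 2018-07-30T10:19:16 hbase-flink@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 2018-07-30T10:19:16 hbase-flink@EXAMPLE.COM (des3-cbc-sha1)
   7 2018-07-30T10:19:16 hbase-flink@EXAMPLE.COM (arcfour-hmac)
   3 2018-07-30T10:19:16 hbase/hadoop1@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# principal_parts PRINCIPAL [DEFAULT_REALM]
# Splits primary/instance@REALM and prints "primary|instance|realm".
# A missing instance is empty; a missing realm falls back to DEFAULT_REALM.
principal_parts() {
    p=$1
    realm=${p##*@}
    if [ "$realm" = "$p" ]; then realm=${2:-}; else p=${p%@*}; fi
    case $p in
        */*) primary=${p%%/*}; instance=${p#*/} ;;
        *)   primary=$p; instance="" ;;
    esac
    printf '%s|%s|%s\n' "$primary" "$instance" "$realm"
}

# Reads "klist -ket" output on stdin and prints "KVNO principal enctype" for
# every entry whose key is single-DES, triple-DES or RC4 (arcfour), the
# types MIT krb5 has deprecated; AES entries are not reported.
weak_keytab_entries() {
    awk '/^ *[0-9]+ / {
            enc = $4
            gsub(/[()]/, "", enc)
            if (enc ~ /^(des-|des3-|arcfour-)/) print $1, $3, enc
        }'
}

# Number of weak entries in the constructed sample (expected: 3).
count_weak_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries | wc -l | tr -d ' '
}

# Usage against a real keytab: klist -ket /path/to/file.keytab | weak_keytab_entries
```

Any principal reported by weak_keytab_entries still carries a DES or RC4 key, so the KDC will keep issuing tickets with those enctypes until the key is regenerated with only AES types.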