Overview (thanks to hidataplus for its sharing and co-building, which made today's post possible)
This article covers integrating FreeIPA LDAP HA.
After drafting, it fell into three parts, Ambari, Ranger and Atlas, so it is split into three pieces; that reads more clearly.
Purpose of this article: to lend a hand in promoting HDP 3.3.2.0 by integrating Ambari with FreeIPA LDAP HA.
Original table of contents:
Updated table of contents:
Continuing from the previous overall plan, the HDP3.3.2.0-002 practical demonstration, this post expands Chapter 15.
15. Ambari integration with FreeIPA LDAP HA
Supplementary notes:
1. Replace ambari-server-2.7.6.0.0.jar
/usr/lib/ambari-server/ambari-server-2.7.6.0.0.jar
to fix the ambari-server check-database error. (Already fixed in release 003)
2. Enable the Ranger Kafka plugin and at the same time replace the script
/var/lib/ambari-agent/cache/stacks/HDP/3.3/services/KAFKA3/package/scripts/params.py
to fix the following issue. (Already fixed in release 003)
15.1 Understanding the Ambari keystore and truststore
Keystore: /var/lib/ambari-server/keys/credentials.jceks (default) stores the encrypted passwords
Truststore: /etc/ambari-server/certs/ambari-server-truststore (set up manually) stores the trusted CA certificates
mkdir -p /etc/ambari-server/certs
15.1.1 Import the certificate into the truststore
In one step:
keytool -import -trustcacerts -alias root -file /etc/ipa/ca.crt -keystore /etc/ambari-server/certs/ambari-server-truststore -storepass 123456 -noprompt
Or in two steps, A and B:
A: Set up the truststore
ambari-server setup-security --security-option=setup-truststore --truststore-type=jks --truststore-path=/etc/ambari-server/certs/ambari-server-truststore --truststore-password=123456 --truststore-reconfigure
Or
[root@ambari admin]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 4
Do you want to configure a truststore [y/n] (y)?
The truststore is already configured. Do you want to re-configure the truststore [y/n] (y)?
TrustStore type [jks/jceks/pkcs12] (jks):
Path to TrustStore file :/etc/ambari-server/certs/ambari-server-truststore
Password for TrustStore: 123456
Re-enter password: 123456
Ambari Server 'setup-security' completed successfully.
B: Import the certificate
ambari-server setup-security --security-option=import-certificate --import-cert-alias=root --import-cert-path=/etc/ipa/ca.crt
Press Enter at the prompts.
Or
[root@ambari admin]# ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 5
Do you want to configure a truststore [y/n] (y)?
Do you want to import a certificate [y/n] (y)?
Please enter an alias for the certificate: root
Enter path to certificate: /etc/ipa/ca.crt
Ambari Server 'setup-security' completed successfully.
15.1.2 List the certificate entries
keytool -list -keystore /etc/ambari-server/certs/ambari-server-truststore -storetype jks -storepass 123456
15.1.3 Delete an entry (handy for testing)
keytool -delete -alias root -keystore /etc/ambari-server/certs/ambari-server-truststore -storepass 123456
15.2 Create five groups and users in LDAP (IPA):
1) ambari_admin is the administrator group: Cluster Administrator
User: hadoopadmin, password 123456…
2) ambari_op is the operator group: Cluster Operator
User: hadoopop, password 123456…
3) ambari_read is the "read-only" account group: Cluster User
User: hadoopread, password 123456…
4) service_admin is the "read-only" account group: Service Administrator
User: serviceadmin, password 123456…
5) service_op is the "read-only" account group: Service Operator
User: serviceop, password 123456…
15.3 Integrate ambari-server with FreeIPA LDAP
15.3.1 ambari-server setup-ldap (without SSL)
ambari-server setup-ldap \
--ldap-type=IPA \
--ldap-force-setup \
--ambari-admin-username=admin \
--ambari-admin-password=admin \
--ldap-url=ipa.tssj.com:389 \
--ldap-secondary-url=ipa2.tssj.com:389 \
--ldap-ssl=false \
--ldap-user-class=person \
--ldap-user-attr=uid \
--ldap-group-class=groupofnames \
--ldap-group-attr=cn \
--ldap-member-attr=member \
--ldap-dn=dn \
--ldap-base-dn='cn=accounts,dc=tssj,dc=com' \
--ldap-referral=follow \
--ldap-bind-anonym=false \
--ldap-manager-dn='uid=hadoopadmin,cn=users,cn=accounts,dc=tssj,dc=com' \
--ldap-manager-password=123456.. \
--ldap-sync-username-collisions-behavior=convert \
--ldap-force-lowercase-usernames=false \
--ldap-pagination-enabled=false \
--ldap-save-settings
15.3.2 Sync the LDAP users
ambari-server sync-ldap --all \
--ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
[root@ambari admin]# ambari-server sync-ldap --all \
> --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
Using python /usr/bin/python
Syncing with LDAP...
Fetching LDAP configuration from DB.
Syncing all......
Completed LDAP Sync.
Summary:
memberships:
removed = 0
created = 32
users:
skipped = 0
removed = 0
updated = 1
created = 23
groups:
updated = 0
removed = 0
created = 12
Ambari Server 'sync-ldap' completed successfully.
15.3.3 Trying the sync over SSL
ambari-server setup-ldap \
--ldap-type=IPA \
--ldap-force-setup \
--ambari-admin-username=admin \
--ambari-admin-password=admin \
--ldap-url=ipa.tssj.com:636 \
--ldap-secondary-url=ipa2.tssj.com:636 \
--ldap-ssl=true \
--ldap-sync-disable-endpoint-identification=true \
--truststore-type=jks \
--truststore-path=/etc/ambari-server/certs/ambari-server-truststore \
--truststore-password=123456 \
--ldap-user-class=person \
--ldap-user-attr=uid \
--ldap-group-class=groupofnames \
--ldap-group-attr=cn \
--ldap-member-attr=member \
--ldap-dn=dn \
--ldap-base-dn='cn=accounts,dc=tssj,dc=com' \
--ldap-referral=follow \
--ldap-bind-anonym=false \
--ldap-manager-dn='uid=hadoopadmin,cn=users,cn=accounts,dc=tssj,dc=com' \
--ldap-manager-password=123456.. \
--ldap-sync-username-collisions-behavior=convert \
--ldap-force-lowercase-usernames=false \
--ldap-pagination-enabled=false \
--ldap-save-settings
Add one user and one group, and add the user to the group.
Then try syncing again:
[root@ambari ~]# ambari-server sync-ldap --all --ldap-sync-admin-name=admin --ldap-sync-admin-password=admin
Using python /usr/bin/python
Syncing with LDAP...
Fetching LDAP configuration from DB.
Syncing all.....
Completed LDAP Sync.
Summary:
memberships:
removed = 0
created = 2
users:
skipped = 0
removed = 0
updated = 0
created = 1
groups:
updated = 0
removed = 0
created = 1
Ambari Server 'sync-ldap' completed successfully.
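Before re-running the SSL variant of setup-ldap above, it is worth knowing two things up front: whether the IPA CA really sits in the truststore from 15.1 under the expected alias, and whether the certificates served on port 636 would pass endpoint identification, which is the hostname check that --ldap-sync-disable-endpoint-identification=true switches off. The script below is an added example, not from the original post; it reuses the post's hosts, paths, alias and truststore password, and the function names are ours.

```shell
#!/usr/bin/env bash
# Added pre-flight for the LDAPS setup-ldap in 15.3.3 (not part of the post).
# Hosts, ports, paths, alias and password are the post's values; the function
# names are ours. The live checks need openssl and keytool on the Ambari host.
TRUSTSTORE=/etc/ambari-server/certs/ambari-server-truststore
STOREPASS=123456
CA_ALIAS=root
CA_FILE=/etc/ipa/ca.crt

# Parse "Verify return code: N (...)" out of captured `openssl s_client` output;
# 0 means the server chain validates against the CA file we passed.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Given the SAN line openssl prints ("DNS:ipa.tssj.com, DNS:ipa2.tssj.com") and a
# hostname, succeed if the name is listed (exact names only, case-insensitive).
# Endpoint identification during the Ambari LDAP sync is this check; the flag
# --ldap-sync-disable-endpoint-identification=true turns it off instead of
# fixing a certificate that lacks the ldap-url hostname.
san_covers_host() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//' | tr 'A-Z' 'a-z' |
        grep -qxF "dns:$host"
}

# Is the IPA CA present in the truststore under the alias imported in 15.1.1?
truststore_has_alias() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null |
        grep -q "^$1,"
}

# Live check of one --ldap-url / --ldap-secondary-url value given as host:port.
check_ldaps_endpoint() {
    host=${1%%:*}
    out=$(openssl s_client -connect "$1" -servername "$host" -CAfile "$CA_FILE" \
          </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    san=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null |
          grep -A1 'Subject Alternative Name' | tail -n 1)
    [ "${code:-1}" = 0 ] ||
        { echo "$1: chain does not verify against $CA_FILE (code ${code:-none})"; return 1; }
    san_covers_host "$san" "$host" ||
        { echo "$1: certificate SAN lacks $host; endpoint identification will fail"; return 1; }
    echo "$1: ok"
}
# Usage: ./ldaps-preflight.sh ipa.tssj.com:636 ipa2.tssj.com:636
if [ $# -gt 0 ]; then
    truststore_has_alias "$CA_ALIAS" || echo "truststore lacks alias $CA_ALIAS; redo 15.1.1"
    for ep in "$@"; do check_ldaps_endpoint "$ep"; done
fi
```

If a host fails only the SAN test, reissuing that IPA server's LDAP certificate with the name used in --ldap-url lets the sync run with endpoint identification left on.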
15.4 Check the result
They have been synced in.
15.5 Logging in as an LDAP user
Remove #/login from the URL and you can get in.
15.6 Summary
It was not this smooth at the start. When I first went straight to SSL it failed, and the cause was not obvious. I even thought it was: don't include the port. With the port included, the sync failed! ~~~
It turned out the cause was: (take it as a lesson)