Overview (thanks to the shared community build by hidataplus, without which today's write-up would not exist)
This article covers integrating Knox.
Purpose: to give the adoption of HDP 3.3.2.0 a push by integrating Knox.
Continuing the earlier master plan, the HDP 3.3.2.0-002 hands-on demonstration, this installment expands Chapter 18.
18. Integrating Knox
18.1 Installing Knox
Delete HTTP/ambari.tssj.com@TSSJ.COM and retry.
Retrying still fails!!!
Cancel, remove the Knox service, and reinstall.
Confirm that HTTP/ambari.tssj.com@TSSJ.COM has been deleted.
Looking back at the cause:
OK. Installation complete.
18.2 Logging in
What is the login account??
By default Knox connects to its bundled demo LDAP server on port 33389.
Start it up and see...
The LDAP users are defined in the configuration file:
admin
admin-password
The bundled LDAP was used to demonstrate the login. FreeIPA LDAP will be integrated next, so stop the bundled LDAP.
Knox startup then reports that /var/lib/ambari-agent/lib/fast-hdfs-resource.jar does not exist.
Patch around it with a symlink:
ln -s /var/lib/ambari-agent/cache/stack-hooks/before-START/files/fast-hdfs-resource.jar /var/lib/ambari-agent/lib/fast-hdfs-resource.jar
18.3 Configuring unified LDAP authentication
18.3.1 Advanced knoxsso-topology
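The knoxsso topology this section refers to survives only as a screenshot, so the following is an added example rather than the page's own configuration: a ShiroProvider pointed at a FreeIPA directory instead of the bundled demo LDAP on port 33389. The FreeIPA host ipa.tssj.com, the LDAPS port and the base DN dc=tssj,dc=com are assumptions (the page only states that FreeIPA LDAP is integrated next); the user DN template follows FreeIPA's fixed layout of users under cn=users,cn=accounts.

```xml
<topology>
  <gateway>
    <!-- Clickjacking protection for the KnoxSSO login page -->
    <provider>
      <role>webappsec</role>
      <name>WebAppSec</name>
      <enabled>true</enabled>
      <param>
        <name>xframe.options.enabled</name>
        <value>true</value>
      </param>
    </provider>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sessionTimeout</name>
        <value>30</value>
      </param>
      <param>
        <name>redirectToUrl</name>
        <value>/gateway/knoxsso/knoxauth/login.html</value>
      </param>
      <param>
        <name>restrictedCookies</name>
        <value>rememberme,WWW-Authenticate</value>
      </param>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.knox.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
      </param>
      <!-- Assumed FreeIPA server; LDAPS so that passwords never cross the wire in clear -->
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldaps://ipa.tssj.com:636</value>
      </param>
      <!-- Assumed base DN; FreeIPA always keeps user entries under cn=users,cn=accounts -->
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},cn=users,cn=accounts,dc=tssj,dc=com</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>KNOXSSO</role>
    <!-- The hadoop-jwt cookie is only ever sent over HTTPS -->
    <param>
      <name>knoxsso.cookie.secure.only</name>
      <value>true</value>
    </param>
    <!-- Token lifetime in milliseconds: 30 minutes -->
    <param>
      <name>knoxsso.token.ttl</name>
      <value>1800000</value>
    </param>
    <!-- Only redirect back to hosts in this cluster's domain; an unrestricted
         regex would turn the websso endpoint into an open redirect -->
    <param>
      <name>knoxsso.redirect.whitelist.regex</name>
      <value>^https?:\/\/([a-z0-9-]+\.tssj\.com|localhost|127\.0\.0\.1)(:[0-9]+)?(\/.*)?$</value>
    </param>
  </service>
</topology>
```

Three things to check before moving on: the ldaps URL means the FreeIPA CA certificate has to be in the truststore Knox uses, otherwise the bind fails at startup; the whitelist regex is the control that stops the websso endpoint from being used as an open redirect, so keep it pinned to the cluster's domain rather than widening it to ".*" when a UI redirect fails; and the token TTL is in milliseconds, not seconds.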
18.3.2 LDAP login
18.4 Configuring service proxying
18.4.1 Advanced topology
API
UI
<service>
<role>HDFSUI</role>
<url>http://ambari.tssj.com:50070</url>
<version>3.0.0</version>
</service>
<service>
<role>YARNUI</role>
<url>http://master.tssj.com:8088</url>
</service>
<service>
<role>YARNUIV2</role>
<url>http://master.tssj.com:8088</url>
</service>
<service>
<role>HBASEUI</role>
<url>http://master.tssj.com:16010</url>
<version>2.1.0</version>
</service>
<service>
<role>SPARKHISTORYUI</role>
<url>http://ambari.tssj.com:18081/</url>
</service>
<service>
<role>JOBHISTORYUI</role>
<url>http://master.tssj.com:19888</url>
</service>
<service>
<role>JOBTRACKER</role>
<url>http://master.tssj.com:19888</url>
</service>
<service>
<role>RANGER</role>
<url>http://ambari.tssj.com:6080</url>
</service>
<service>
<role>RANGERUI</role>
<url>http://ambari.tssj.com:6080</url>
<version>1.0.0</version>
</service>
<service>
<role>ATLAS</role>
<url>http://ambari.tssj.com:21000</url>
</service>
<service>
<role>ATLAS-API</role>
<url>http://ambari.tssj.com:21000</url>
</service>
<service>
<role>AMBARIUI</role>
<url>http://ambari.tssj.com:8080</url>
</service>
<service>
<role>AMBARI</role>
<url>http://ambari.tssj.com:8080</url>
</service>
<service>
<role>AMBARIWS</role>
<url>ws://ambari.tssj.com:8080</url>
</service>
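The service entries above only say where each UI lives; the gateway section that decides how callers are authenticated is in the missing screenshot. The following is an added example, not the page's topology: it federates to the knoxsso endpoint on ambari.tssj.com:8443 (the same provider URL the page later enters into ambari-server setup-sso), asserts the authenticated identity to the backend, and delegates authorization to the Ranger Knox plugin from section 18.4.2. One of the page's service entries is kept so the topology is complete.

```xml
<topology>
  <gateway>
    <!-- Accept the hadoop-jwt cookie issued by the knoxsso topology; browsers without
         a valid cookie are redirected to the KnoxSSO login page -->
    <provider>
      <role>federation</role>
      <name>SSOCookieProvider</name>
      <enabled>true</enabled>
      <param>
        <name>sso.authentication.provider.url</name>
        <value>https://ambari.tssj.com:8443/gateway/knoxsso/api/v1/websso</value>
      </param>
    </provider>
    <!-- Pass the verified user name on to the proxied service (this is what doAs carries) -->
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
    <!-- Access decisions come from the Ranger Knox plugin, not from a static ACL in the topology -->
    <provider>
      <role>authorization</role>
      <name>XASecurePDPKnox</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <!-- One of the page's UI services; the remaining <service> entries are listed above -->
  <service>
    <role>HDFSUI</role>
    <url>http://ambari.tssj.com:50070</url>
    <version>3.0.0</version>
  </service>
</topology>
```

Because both topologies run on the same Knox instance, SSOCookieProvider verifies the cookie signature with the gateway's own signing key and no extra PEM needs to be configured here; the cookie name it looks for is the hadoop-jwt default shown in the setup-sso transcript below.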
18.4.2 Opening up Ranger permissions
Ranger Knox configuration
18.4.3 HDFS core-site.xml
So that Knox's doAs (impersonation) takes effect.
Reference: https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/HttpAuthentication.html
org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer
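As an added example (not from the page), here is the core-site.xml fragment the note above amounts to, entered through Ambari's HDFS configuration: the filter initializer is swapped for ProxyUserAuthenticationFilterInitializer, and the knox proxy user is scoped so that impersonation is only accepted from the gateway host. ambari.tssj.com is where the page's Knox gateway listens; the group name hadoop-users is an assumption.

```xml
<configuration>
  <!-- Replaces org.apache.hadoop.security.AuthenticationFilterInitializer so the web UIs
       honour the doAs query parameter that Knox adds after authenticating the user -->
  <property>
    <name>hadoop.http.filter.initializers</name>
    <value>org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer</value>
  </property>
  <!-- Impersonation as 'knox' is only accepted from the gateway host (assumed: ambari.tssj.com).
       A value of '*' would let any host that obtains the knox credential act as any user. -->
  <property>
    <name>hadoop.proxyuser.knox.hosts</name>
    <value>ambari.tssj.com</value>
  </property>
  <!-- Only members of these groups can be impersonated (assumed group name) -->
  <property>
    <name>hadoop.proxyuser.knox.groups</name>
    <value>hadoop-users</value>
  </property>
</configuration>
```

After the change, a UI request routed through Knox should show the LDAP user rather than knox in the NameNode and ResourceManager audit logs; if it still shows knox, the filter initializer has not taken effect on that daemon, and if it is rejected with an impersonation error, the hosts or groups restriction is what needs adjusting.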
18.5 Configuring SSO for Ambari, Ranger, and Atlas
18.5.1 Exporting the certificate
[root@ambari ~]# mkdir -p /opt/key
[root@ambari ~]# keytool -export -alias gateway-identity -rfc -file /opt/key/cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
输入密钥库口令:
存储在文件 </opt/key/cert.pem> 中的证书
Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks -destkeystore /usr/hdp/current/knox-server/data/security/keystores/gate迁移到行业标准格式 PKCS12。
[root@ambari ~]# cat /opt/key/cert.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
18.5.2 ambari-server setup-sso
[root@ambari ~]# ambari-server setup-sso --ambari-admin-username=admin --ambari-admin-password=admin
Using python /usr/bin/python
Setting up SSO authentication properties...
SSO is currently not configured
Do you want to configure SSO authentication [y/n] (y)?
Provider URL (https://knox.example.com:8443/gateway/knoxsso/api/v1/websso): https://ambari.tssj.com:8443/gateway/knoxsso/api/v1/websso
Public Certificate PEM (empty line to finish input):
[certificate PEM pasted here; omitted]
Use SSO for Ambari [y/n] (n)?
Manage SSO configurations for eligible services [y/n] (n)? y
Use SSO for all services [y/n] (n)? y
JWT Cookie name (hadoop-jwt):
JWT audiences list (comma-separated), empty for any ():
Ambari Server 'setup-sso' completed successfully.
18.5.3 Restart the affected services: Ambari, Ranger, Atlas
ambari-server restart
18.6 Home page entry point
https://ambari.tssj.com:8443/gateway/homepage/home/
Summary: the Knox demo did not go as smoothly as hoped.
1. During installation, HTTP/ambari.tssj.com@TSSJ.COM must be deleted first, otherwise you will be tripped up by errors.
2. Use org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer in place of org.apache.hadoop.security.AuthenticationFilterInitializer so that Knox's doAs takes effect.
3. Testing access to the proxied pages still produced quite a few problems, which could not be reproduced in version 003. See the figure below: