1: On the hadoop01 machine, add the 3 principals for the cluster nodes
Add the hdfs principals:
kadmin.local -q "addprinc -randkey hdfs/hadoop01@DYLAN.COM"
kadmin.local -q "addprinc -randkey hdfs/hadoop02@DYLAN.COM"
kadmin.local -q "addprinc -randkey hdfs/hadoop03@DYLAN.COM"
Add the HTTP principals:
kadmin.local -q "addprinc -randkey HTTP/hadoop01@DYLAN.COM"
kadmin.local -q "addprinc -randkey HTTP/hadoop02@DYLAN.COM"
kadmin.local -q "addprinc -randkey HTTP/hadoop03@DYLAN.COM"
2: Generate the keytab files
cd /var/kerberos/krb5kdc/
kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop01@DYLAN.COM"
kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop02@DYLAN.COM"
kadmin.local -q "xst -k hdfs-unmerged.keytab hdfs/hadoop03@DYLAN.COM"
This produces the hdfs-unmerged.keytab file.
/usr/bin/klist -ket hdfs-unmerged.keytab lists the principals contained in this file.
kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop01@DYLAN.COM"
kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop02@DYLAN.COM"
kadmin.local -q "xst -k HTTP.keytab HTTP/hadoop03@DYLAN.COM"
3: Merge the files with ktutil. Start it with /usr/bin/ktutil and enter the following commands:
rkt hdfs-unmerged.keytab
rkt HTTP.keytab
wkt hdfs.keytab
4: Obtain credentials (verify that both principals can be used from the merged keytab)
/usr/bin/kinit -k -t hdfs.keytab hdfs/hadoop01@DYLAN.COM
/usr/bin/kinit -k -t hdfs.keytab HTTP/hadoop01@DYLAN.COM
5: Deploy the keytab file
cp hdfs.keytab /etc/hadoop/conf
scp -r hdfs.keytab root@hadoop02:/etc/hadoop/conf
scp -r hdfs.keytab root@hadoop03:/etc/hadoop/conf
cd /etc/hadoop/conf
chown -R hdfs:hadoop hdfs.keytab
Set read-only permission for the owner: chmod 400 hdfs.keytab
Switch to hadoop02:
chown -R hdfs:hadoop hdfs.keytab
chmod 400 hdfs.keytab
Switch to hadoop03:
chown -R hdfs:hadoop hdfs.keytab
chmod 400 hdfs.keytab
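Added example, not part of the original notes: shell helpers that script step 3 (the ktutil merge) non-interactively and check the result of step 5 on each node, i.e. that hdfs.keytab is owned by hdfs:hadoop with mode 400 and actually contains the expected principals. The function names (merge_keytabs, keytab_has_principals, check_keytab_perms) are my own; the code assumes GNU coreutils stat (Linux) and the MIT krb5 tools ktutil and klist used above.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes GNU `stat` and the
# MIT krb5 tools ktutil and klist.

# merge_keytabs OUT IN...
# Feeds ktutil the same rkt/wkt sequence as step 3, so the merge can be
# scripted and repeated instead of typed interactively.
merge_keytabs() {
    out=$1; shift
    {
        for f in "$@"; do echo "rkt $f"; done
        echo "wkt $out"
        echo "quit"
    } | ktutil
}

# keytab_has_principals FILE PRINC...
# Returns 0 if every PRINC appears in `klist -kt FILE`, 1 otherwise.
keytab_has_principals() {
    file=$1; shift
    listing=$(klist -kt "$file") || return 1
    for p in "$@"; do
        printf '%s\n' "$listing" | grep -qF "$p" \
            || { echo "missing principal $p in $file"; return 1; }
    done
    return 0
}

# check_keytab_perms FILE OWNER GROUP
# Returns 0 if FILE is a regular file owned by OWNER:GROUP with mode 400
# (owner read-only, which is what step 5 intends), 1 otherwise.
check_keytab_perms() {
    file=$1; owner=$2; group=$3
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # octal mode, owner name, group name
    set -- $(stat -c '%a %U %G' "$file")
    [ "$1" = "400" ]    || { echo "mode $1, want 400: $file"; return 1; }
    [ "$2" = "$owner" ] || { echo "owner $2, want $owner: $file"; return 1; }
    [ "$3" = "$group" ] || { echo "group $3, want $group: $file"; return 1; }
    return 0
}

# Usage on a deployed node (hosts and realm as in the notes above):
#   merge_keytabs hdfs.keytab hdfs-unmerged.keytab HTTP.keytab
#   check_keytab_perms /etc/hadoop/conf/hdfs.keytab hdfs hadoop
#   keytab_has_principals /etc/hadoop/conf/hdfs.keytab \
#       hdfs/hadoop01@DYLAN.COM HTTP/hadoop01@DYLAN.COM
```

Run check_keytab_perms and keytab_has_principals on every node after the scp; a keytab left world-readable or missing the HTTP principal is the usual reason the NameNode or DataNode fails to start with a GSS error.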
CDH cluster (the keytabs are generated by Cloudera Manager under the process directories):
kinit -kt /run/cloudera-scm-agent/process/845-hdfs-NAMENODE-nnRpcWait/hdfs.keytab hdfs/hadoop01@HADOOP.COM
kinit -kt /run/cloudera-scm-agent/process/838-hdfs-DATANODE/hdfs.keytab hdfs/hadoop01@HADOOP.COM