1. KDC service installation and configuration
In this document the KDC service is installed on the server that hosts Cloudera Manager Server (the KDC can be installed on another server if you prefer).
- Install the KDC service on the Cloudera Manager server
[root@cdh001 ~]# yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
- Edit the /etc/krb5.conf configuration
[root@cdh001 ~]# vim /etc/krb5.conf
- Edit the /var/kerberos/krb5kdc/kadm5.acl configuration
[root@cdh001 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
[root@cdh001 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@DEJIN.COM *
- Edit the /var/kerberos/krb5kdc/kdc.conf configuration
[root@cdh001 ~]# vim /var/kerberos/krb5kdc/kdc.conf
- Create the Kerberos database; you will be prompted for the master password
[root@cdh001 ~]# kdb5_util create -r DEJIN.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'DEJIN.COM',
master key name 'K/M@DEJIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
- Create the Kerberos administrator account
[root@cdh001 ~]# kadmin.local
- Enable the Kerberos services at boot and start the krb5kdc and kadmin services
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin
- Test the Kerberos administrator account
[root@cdh001 ~]# kinit admin/admin@DEJIN.COM
Password for admin/admin@DEJIN.COM:
[root@cdh001 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@DEJIN.COM
Valid starting Expires Service principal
2020-12-25T21:57:19 2020-12-26T21:57:19 krbtgt/DEJIN.COM@DEJIN.COM
renew until 2021-01-01T21:57:19
- Install the Kerberos client packages on all cluster nodes, including Cloudera Manager
[root@cdh001 ~]# pssh -h /node.list -i 'yum -y install krb5-libs krb5-workstation'
- Install the additional package on the Cloudera Manager Server host
[root@cdh001 ~]# yum -y install openldap-clients
- Copy the krb5.conf file from the KDC server to all Kerberos clients
[root@cdh001 ~]# pscp -h /node.list /etc/krb5.conf /etc/
[1] 22:08:59 [SUCCESS] root@192.168.159.100:22
[2] 22:08:59 [SUCCESS] root@192.168.159.101:22
[3] 22:08:59 [SUCCESS] root@192.168.159.102:22
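As an added example (not part of the original post), here is a small POSIX sh script that audits copies of the three files edited in this section: krb5.conf, kdc.conf and kadm5.acl. It checks that default_realm is the expected realm (DEJIN.COM, as in the post), counts weak-crypto settings (allow_weak_crypto = true, or a DES/3DES/RC4 cipher in any *enctypes line) and counts kadm5.acl entries that grant every privilege to a wildcard principal pattern, which is what the `*/admin@DEJIN.COM *` line above does. The function names and the sample files written at the bottom are constructed for this example; the file paths are passed as arguments so it can be run against copies.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the three files this
# section edits. Arguments are file paths; the realm is DEJIN.COM as in the post.

# Does the file set default_realm to the expected realm? 0 = yes, 1 = no.
has_default_realm() {
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# Count weak-crypto settings in a krb5.conf/kdc.conf:
#   allow_weak_crypto = true (re-enables single DES), plus every
#   *enctypes line that lists a DES, 3DES or RC4 cipher.
count_weak_crypto() {
    n=0
    if grep -Eiq '^[[:space:]]*allow_weak_crypto[[:space:]]*=[[:space:]]*true' "$1"; then
        n=$((n + 1))
    fi
    m=$(grep -Ei '^[[:space:]]*[a-z_]*enctypes[[:space:]]*=' "$1" \
        | grep -Eic 'des|rc4|arcfour' || true)
    echo $((n + m))
}

# Count kadm5.acl entries that grant all privileges ("*") to a wildcard
# principal pattern. "*/admin@DEJIN.COM *" from the post is such an entry:
# every principal whose instance is "admin" gets full rights over the database.
count_full_acl_grants() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | awk '$1 ~ /^\*/ && $2 == "*" { n++ } END { print n + 0 }'
}

# Run all checks, print one line per item, and echo the number of items last.
audit_krb_config() {
    krb5="$1"; kdc="$2"; acl="$3"; realm="$4"
    total=0
    if ! has_default_realm "$krb5" "$realm"; then
        echo "FINDING: $krb5 does not set default_realm = $realm"
        total=$((total + 1))
    fi
    for f in "$krb5" "$kdc"; do
        w=$(count_weak_crypto "$f")
        if [ "$w" -gt 0 ]; then
            echo "FINDING: $f has $w weak-crypto setting(s) (DES/3DES/RC4 or allow_weak_crypto)"
            total=$((total + w))
        fi
    done
    a=$(count_full_acl_grants "$acl")
    if [ "$a" -gt 0 ]; then
        echo "NOTE: $acl has $a wildcard entry(ies) granting all privileges"
        total=$((total + a))
    fi
    echo "$total"
}

# Constructed sample files (not the post's real configuration) so this runs offline.
tmp=$(mktemp -d)
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = DEJIN.COM
 dns_lookup_kdc = false
[realms]
 DEJIN.COM = {
  kdc = cdh001
  admin_server = cdh001
 }
EOF
cat > "$tmp/kdc.conf" <<'EOF'
[realms]
 DEJIN.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
 }
EOF
printf '*/admin@DEJIN.COM *\n' > "$tmp/kadm5.acl"
# Reports one weak-crypto line in kdc.conf and one wildcard ACL entry, then "2".
audit_krb_config "$tmp/krb5.conf" "$tmp/kdc.conf" "$tmp/kadm5.acl" DEJIN.COM
rm -rf "$tmp"
```

Against the files edited above you would call `audit_krb_config /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl DEJIN.COM`. The wildcard ACL entry is reported as a note rather than a finding because it is the conventional default, but it means that any principal created with an /admin instance has full control of the KDC database, so creation of such principals is something to keep under control.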
2. Enabling Kerberos on the CDH cluster
- Add an administrator account for Cloudera Manager in the KDC
[root@cdh001 ~]# kadmin.local
Authenticating as principal admin/admin@DEJIN.COM with password.
kadmin.local: addprinc cloudera-scm/admin@DEJIN.COM
WARNING: no policy specified for cloudera-scm/admin@DEJIN.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@DEJIN.COM":
Re-enter password for principal "cloudera-scm/admin@DEJIN.COM":
Principal "cloudera-scm/admin@DEJIN.COM"