Installing and Operating Kerberos for Security Authentication

1 Installation

1.1.1 Install the Kerberos packages on the server node

[root@fan102 ~]# yum install -y krb5-server krb5-workstation krb5-libs
# check the result
[root@fan102 ~]# rpm -qa | grep krb5
krb5-libs-1.15.1-46.el7.x86_64
krb5-server-1.15.1-46.el7.x86_64
krb5-devel-1.15.1-46.el7.x86_64
krb5-workstation-1.15.1-46.el7.x86_64

1.1.2 Install on the client nodes

[root@fan103 ~]# yum install -y krb5-workstation krb5-libs krb5-devel-1.15.1-46.el7.x86_64
[root@fan104 ~]# yum install -y krb5-workstation krb5-libs krb5-devel-1.15.1-46.el7.x86_64
# check the result
[root@fan103 ~]# rpm -qa | grep krb5
krb5-workstation-1.15.1-46.el7.x86_64
krb5-libs-1.15.1-46.el7.x86_64
krb5-devel-1.15.1-46.el7.x86_64

1.2 Configuration

Two files need to be configured, kdc.conf and krb5.conf. kdc.conf only needs to be configured on the server (KDC) node, fan102.

1.2.1 kdc.conf configuration

[root@fan102 ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_life = 1d
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Notes:

HADOOP.COM: the realm name. Kerberos supports multiple realms; realm names are conventionally written in upper case.

acl_file: the ACL file that defines the admin privileges.

admin_keytab: the keytab the KDC uses for verification.

supported_enctypes: the supported encryption types. Using aes256-cts from Java requires installing extra jar packages, otherwise that type can be left out.

1.2.2 krb5.conf configuration

[root@fan102 ~]# vim /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = HADOOP.COM
 #default_ccache_name = KEYRING:persistent:%{uid}
 udp_preference_limit = 1
[realms]
 HADOOP.COM = {
  kdc = fan102
  admin_server = fan102
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

Notes:

default_realm: the default realm for Kerberos applications; it must match the name of the realm being configured.

ticket_lifetime: how long a ticket remains valid, typically 24 hours.

renew_lifetime: the maximum period over which a ticket can be renewed, typically one week. Once a ticket has expired, subsequent access to Kerberos-protected services fails.

udp_preference_limit = 1: disables UDP, which avoids a known bug in Hadoop.

realms: the realms in use; for multiple realms, just add further entries to the [realms] section.

domain_realm: the mapping from cluster domain names to Kerberos realms; it can be skipped when there is a single realm.
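The two configuration sections above (kdc.conf and krb5.conf) are easy to get subtly wrong: the realm name has to agree between the KDC and its clients, and the supported_enctypes line in the sample kdc.conf still offers single DES, 3DES and RC4 (arcfour), which RFC 6649 and RFC 8429 deprecate. The following shell script is an added example, not code from the original post: it checks both points against constructed copies of the post's configuration files, and on a real host can be pointed at /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the kdc.conf and
# krb5.conf shown above. The sample files below are constructed copies of the
# relevant lines from the post; on a real host pass the paths
# /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf instead.

# List the entries of supported_enctypes that use single DES, 3DES or RC4
# (arcfour). These are deprecated (RFC 6649 for DES, RFC 8429 for 3DES and RC4)
# and should be removed from the KDC once no client still needs them.
weak_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ' ' '\n' | cut -d: -f1 \
        | grep -E '^(des|arcfour)' || true
}

# Print the realm name declared in the [realms] section of kdc.conf.
kdc_realm() {
    awk '/^\[realms\]/ { in_realms = 1; next }
         /^\[/          { in_realms = 0 }
         in_realms && /=[[:space:]]*[{]/ { print $1; exit }' "$1"
}

# Print default_realm from the [libdefaults] section of krb5.conf.
client_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Exit 0 when kdc.conf and krb5.conf name the same realm, 1 otherwise.
realms_agree() {
    [ "$(kdc_realm "$1")" = "$(client_default_realm "$2")" ]
}

# Constructed sample files (trimmed copies of the post's configuration).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_life = 1d
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 dns_lookup_realm = false
 default_realm = HADOOP.COM
 udp_preference_limit = 1

[realms]
 HADOOP.COM = {
  kdc = fan102
  admin_server = fan102
 }
EOF

echo "KDC realm:            $(kdc_realm "$SAMPLE_DIR/kdc.conf")"
echo "Client default_realm: $(client_default_realm "$SAMPLE_DIR/krb5.conf")"
if realms_agree "$SAMPLE_DIR/kdc.conf" "$SAMPLE_DIR/krb5.conf"; then
    echo "realm names agree"
else
    echo "REALM MISMATCH: clients will not find a KDC for their default realm"
fi
echo "Deprecated enctypes still offered by the KDC:"
weak_enctypes "$SAMPLE_DIR/kdc.conf"
```

Run it as-is to see the report for the sample files, or call `weak_enctypes /var/kerberos/krb5kdc/kdc.conf` on the KDC after editing supported_enctypes to confirm that nothing deprecated is still listed.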


1.3 Sync krb5.conf to the client nodes

[root@fan102 ~]# scp /etc/krb5.conf fan103:/etc
[root@fan102 ~]# scp /etc/krb5.conf fan104:/etc

1.4 Create the Kerberos database

1.4.1 Run on the server node

[root@fan102 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HADOOP.COM',
master key name 'K/M@HADOOP.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: (enter password)
Re-enter KDC database master key to verify: (confirm password)

1.4.2 After creation, the corresponding files appear under /var/kerberos/krb5kdc

[root@fan102 ~]# ls /var/kerberos/krb5kdc/
kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok

1.5 Grant the Kerberos administrator full privileges

[root@fan102 ~]# vim /var/kerberos/krb5kdc/kadm5.acl
# change the content to the following:
*/admin@HADOOP.COM      *

Notes:

*/admin: every principal whose instance is admin

@HADOOP.COM: the realm

*: all privileges

This entry grants every principal with the admin instance full privileges in the HADOOP.COM realm. In other words, whenever a Kerberos principal is created with the instance admin, it has full privileges in HADOOP.COM; for example, a principal user1/admin created as shown below would have all privileges in the HADOOP.COM realm.
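Because the wildcard line above hands full rights to any principal whose instance is admin, it is worth being able to see exactly what a given principal would be granted before creating it. The following shell script is an added example, not code from the original post: a small evaluator for kadm5.acl lines of the form "<principal pattern> <permissions>", run over a constructed sample ACL. The "helpdesk/admin" line in that sample is an assumption, added to show a narrower grant (change password, inquire, list) placed before the post's catch-all entry.

```shell
#!/bin/sh
# Added example (not from the original post): a small evaluator for kadm5.acl
# lines of the form "<principal pattern> <permissions>", used to check what a
# given principal would be granted. The sample ACL is constructed; the
# "helpdesk/admin" line is an assumption added to show a narrower grant next
# to the post's catch-all "*/admin@HADOOP.COM *" entry.

# Print the permission string of the first ACL line whose principal pattern
# matches $2 (shell glob semantics, as in kadm5.acl), or "none" with exit 1.
# This evaluator stops at the first match; see the kadm5.acl man page for the
# exact rules kadmind applies, including target-principal and restriction fields.
acl_perms() {
    acl_file="$1"
    principal="$2"
    while read -r pattern perms rest; do
        case "$pattern" in
            ''|'#'*) continue ;;                   # blank line or comment
        esac
        case "$principal" in
            $pattern) echo "$perms"; return 0 ;;   # unquoted: used as a glob
        esac
    done < "$acl_file"
    echo "none"
    return 1
}

# Exit 0 when the principal would receive unrestricted ("*" or "x") rights.
has_full_rights() {
    case "$(acl_perms "$1" "$2")" in
        '*'|x) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample kadm5.acl: a narrow entry first, then the post's entry.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
# helpdesk may only change passwords, inquire and list
helpdesk/admin@HADOOP.COM   cil
# every other principal with the admin instance gets everything
*/admin@HADOOP.COM          *
EOF

for p in admin/admin@HADOOP.COM user1/admin@HADOOP.COM \
         helpdesk/admin@HADOOP.COM zion/zion@HADOOP.COM; do
    printf '%-28s -> %s\n' "$p" "$(acl_perms "$SAMPLE_ACL" "$p")"
done
```

The order of the lines matters for this evaluator: with the narrow helpdesk entry placed before the wildcard, helpdesk/admin gets only "cil", while user1/admin and admin/admin fall through to "*" and zion/zion (instance zion, not admin) matches nothing.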

1.6 Start the Kerberos services

# start krb5kdc
[root@fan102 ~]# systemctl start krb5kdc
Starting Kerberos 5 KDC:                                  [OK]

# start kadmin
[root@fan102 ~]# systemctl start kadmin
Starting Kerberos 5 Admin Server:                         [OK]

# enable start at boot
[root@fan102 ~]# systemctl enable krb5kdc
# check whether it is enabled at boot
[root@hadoop102 ~]# systemctl is-enabled krb5kdc

[root@fan102 ~]# systemctl enable kadmin
# check whether it is enabled at boot
[root@fan102 ~]# systemctl is-enabled kadmin

Note: if startup fails, check /var/log/krb5kdc.log and /var/log/kadmind.log.

1.7 Create the administrator principal/instance

[root@fan102 ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@HADOOP.COM with password.
WARNING: no policy specified for admin/admin@HADOOP.COM; defaulting to no policy
Enter password for principal "admin/admin@HADOOP.COM": (enter password)
Re-enter password for principal "admin/admin@HADOOP.COM": (confirm password)
Principal "admin/admin@HADOOP.COM" created.

1.8 Verify the administrator with kinit

[root@fan102 ~]# kinit admin/admin
Password for admin/admin@HADOOP.COM: (enter password)
[root@fan102 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@HADOOP.COM

Valid starting     Expires            Service principal
02/01/19 14:41:39  02/02/19 14:41:39  krbtgt/HADOOP.COM@HADOOP.COM
        renew until 02/08/19 14:41:39

When logging in on fan103, if you see "kadmin: GSS-API (or Kerberos) error while initializing kadmin interface", restart the ntp service:

[root@fan103 ~]# service ntpd restart
关闭 ntpd:                                                [确定]
正在启动 ntpd:

2. Kerberos Operations

2.1 Log in to the Kerberos database

2.1.1 Local login (no authentication required)

[root@fan102 ~]# kadmin.local 
Authenticating as principal root/admin@HADOOP.COM with password.
kadmin.local: 

2.1.2 Remote login (principal authentication required)

[root@fan103 ~]# kadmin
Authenticating as principal admin/admin@HADOOP.COM with password.
Password for admin/admin@HADOOP.COM: 
kadmin:  

2.1.3 Log out

kadmin: exit  

2.2 Create a Kerberos principal

[root@fan102 ~]# kadmin.local -q "addprinc zion/zion"
Authenticating as principal root/admin@HADOOP.COM with password.
WARNING: no policy specified for zion/zion@HADOOP.COM; defaulting to no policy
Enter password for principal "zion/zion@HADOOP.COM": (enter password)
Re-enter password for principal "zion/zion@HADOOP.COM": (re-enter password)
Principal "zion/zion@HADOOP.COM" created.

2.3 Change a principal's password

[root@hadoop102 ~]# kadmin.local -q "cpw zion/zion"
Authenticating as principal root/admin@HADOOP.COM with password.
Enter password for principal "zion/zion@HADOOP.COM": (enter password)
Re-enter password for principal "zion/zion@HADOOP.COM": (re-enter password)
Password for "zion/zion@HADOOP.COM" changed.

2.4 List all principals

[root@fan102 ~]# kadmin.local -q "list_principals"
Authenticating as principal root/admin@HADOOP.COM with password.
K/M@HADOOP.COM
admin/admin@HADOOP.COM
zion/zion@HADOOP.COM
kadmin/admin@HADOOP.COM
kadmin/changepw@HADOOP.COM
kadmin/hadoop105@HADOOP.COM
kiprop/hadoop105@HADOOP.COM
krbtgt/HADOOP.COM@HADOOP.COM

2.5 Kerberos principal authentication

2.5.1 Password authentication

2.5.1.1 Authenticate the principal with kinit

[root@fan102 ~]# kinit zion/zion
Password for zion/zion@HADOOP.COM:

2.5.1.2 View the credentials

[root@fan102 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zion/zion@HADOOP.COM

Valid starting       Expires              Service principal
02/01/2019 18:23:57  02/01/2019 18:23:57  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 02/08/2019 18:23:57

2.5.2 Keytab file authentication

2.5.2.1 Export the keytab for principal zion/zion to /var/keytab/zion.keytab

[root@fan102 ~]# kadmin.local -q "xst -k /var/keytab/zion.keytab zion/zion@HADOOP.COM"

2.5.2.2 Authenticate with the keytab

[root@fan102 ~]# kinit -kt /var/keytab/zion.keytab zion/zion

2.5.2.3 View the credentials

[root@fan102 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zion/zion@HADOOP.COM

Valid starting       Expires              Service principal
02/01/2019 18:23:57  02/01/2019 18:23:57  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 02/08/2019 18:23:57
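A keytab such as the /var/keytab/zion.keytab exported above holds the principal's long-term key, so anyone who can read the file can obtain tickets as zion/zion without a password. The post does not say who should own the file or how it should be protected; the shell script below is an added example, not code from the original post, that checks a keytab is owned by the account that runs kinit -kt and carries no group or other permission bits, and tightens it when it does not. The demo runs against a temporary file standing in for the keytab, deliberately left world-readable first.

```shell
#!/bin/sh
# Added example (not from the original post): permission checks for a keytab such
# as the /var/keytab/zion.keytab exported above. A keytab holds the principal's
# long-term key, so it should be owned by the account that runs "kinit -kt" and
# be readable by no one else. Only ls, cut, awk, chmod and id are used so the
# checks run on any POSIX system.

# Exit 0 when the keytab is a regular file with no group or other permission bits.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)       # e.g. -rw-------
    case "$mode" in
        -???------) return 0 ;;             # owner bits only
        *)          return 1 ;;
    esac
}

# Print the owner of the keytab.
keytab_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Exit 0 when the keytab is owned by $2 and passes keytab_mode_ok.
keytab_secure_for() {
    [ "$(keytab_owner "$1")" = "$2" ] && keytab_mode_ok "$1"
}

# Restrict the keytab to its owner and report what was done.
restrict_keytab() {
    if keytab_mode_ok "$1"; then
        echo "$1: already owner-only"
    else
        chmod 600 "$1" && echo "$1: permissions tightened to 0600"
    fi
}

# Constructed demo: a temporary file stands in for the exported keytab and is
# deliberately left world-readable first, then tightened.
DEMO_KEYTAB=$(mktemp)
chmod 644 "$DEMO_KEYTAB"
if keytab_secure_for "$DEMO_KEYTAB" "$(id -un)"; then
    echo "before: secure"
else
    echo "before: NOT secure ($(ls -ld "$DEMO_KEYTAB" | cut -c1-10))"
fi
restrict_keytab "$DEMO_KEYTAB"
if keytab_secure_for "$DEMO_KEYTAB" "$(id -un)"; then
    echo "after: secure"
else
    echo "after: NOT secure"
fi
```

On the real host, `keytab_secure_for /var/keytab/zion.keytab <service user>` is the check to run after the xst export and again whenever the file is copied to another node; `klist -kte /var/keytab/zion.keytab` then shows which principals and encryption types the keytab actually contains.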

2.5.3 Destroy the credentials

[root@fan102 ~]# kdestroy
[root@fan102 ~]# klist   
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
