Hadoop KMS环境安装

最新推荐文章于 2023-09-30 17:06:13 发布

wangleigiser

最新推荐文章于 2023-09-30 17:06:13 发布

阅读量706

点赞数 1

分类专栏： Hadoop 文章标签： hadoop hdfs 大数据

本文链接：https://blog.csdn.net/wangleigiser/article/details/128480448

版权

Hadoop 专栏收录该内容

1 篇文章 0 订阅

订阅专栏

环境介绍：

Soft	Verison
Hadoop	hadoop-3.3.4

Hadoop HDFS 环境安装

Java环境准备：

wget https://repo.huaweicloud.com/java/jdk/8u202-b08/jdk-8u202-linux-x64.tar.gz
tar -xzvf jdk-8u202-linux-x64.tar.gz

Java 环境配置：vim /etc/profile

export JAVA_HOME=/root/jdk1.8.0_202
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib:$CLASSPATH
export JAVA_PATH=${JAVA_HOME}/bin:${JRE_HOME}/bin
export PATH=$PATH:${JAVA_PATH}

Hadoop3.3.4 下载

wget https://mirrors.tuna.tsinghua.edu.cn/apache/hadoop/common/hadoop-3.3.4/hadoop-3.3.4.tar.gz
tar -xzvf hadoop-3.3.4.tar.gz

Hadoop环境配置

export HADOOP_HOME=/root/hadoop-3.3.4
export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop
export HADOOP_HDFS_HOME=$HADOOP_HOME
export PATH=$PATH:$HADOOP_HOME/sbin:$HADOOP_HOME/bin

Lacalhost SSH 免密登录

  ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
  cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  chmod 0600 ~/.ssh/authorized_keys
  ssh localhost

执行 ssh localhost，会弹出安全提示，填写yes即可。

如果是docker环境下，需要手动启动sshd服务。

 /usr/sbin/sshd

core-site.xml配置

[root@17a5da45700b hadoop]# cat etc/hadoop/core-site.xml
<configuration>
   <property>
        <name>fs.defaultFS</name>
        <value>hdfs://localhost:9000</value>
</property>
<property>
  <name>hadoop.proxyuser.root.hosts</name>
  <value>*</value>
</property>

<property>
  <name>hadoop.proxyuser.root.groups</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.security.key.provider.path</name>
  <value>kms://http@localhost:9600/kms</value>
  <description>
    The KeyProvider to use when interacting with encryption keys used
    when reading and writing to an encryption zone.
  </description>
</property>
        <property>
		<name>hadoop.proxyuser.kms.groups</name>
		<value>*</value>
	</property>
</configuration>

hdfs-site.xml配置

[root@VM-0-62-centos hadoop-3.3.4]# cat etc/hadoop/hdfs-site.xml 
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<!--
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License. See accompanying LICENSE file.
-->

<!-- Put site-specific property overrides in this file. -->

<configuration>
 <property>
        <name>dfs.replication</name>
        <value>1</value>
</property>

<property>
  <name>hadoop.security.key.provider.path</name>
  <value>kms://http@localhost:9600/kms</value>
  <description>
    The KeyProvider to use when interacting with encryption keys used
    when reading and writing to an encryption zone.
  </description>
</property>
</configuration>

hadoop-env.sh配置：添加如下配置到hadoop-env.sh。

export JAVA_HOME=/root/jdk1.8.0_202
export HDFS_NAMENODE_USER=root
export HDFS_DATANODE_USER=root
export HDFS_SECONDARYNAMENODE_USER=root
export YARN_RESOURCEMANAGER_USER=root
export YARN_NODEMANAGER_USER=root
export HADOOP_SHELL_EXECNAME=root

格式化hdfs文件系统
```
bin/hdfs namenode -format
```

启动hadoop服务

 ./start-all.sh

查看进程

[root@VM-0-62-centos sbin]# jps
83586 NameNode
84005 SecondaryNameNode
90937 Jps
84283 ResourceManager
84442 NodeManager
83773 DataNode

KMS配置和启动

使用keytool生成秘钥文件:

keytool -genkey  -alias 'key1';

执行上面命令，密码为123456，其他都为空，遇到yes/no时输入yes

[root@57f4b0d7c137 common]# keytool -genkey  -alias 'key1';
Enter keystore password:  123456
What is your first and last name?
  [Unknown]:  
What is the name of your organizational unit?
  [Unknown]:  
What is the name of your organization?
  [Unknown]:  
What is the name of your City or Locality?
  [Unknown]:  
What is the name of your State or Province?
  [Unknown]:  
What is the two-letter country code for this unit?
  [Unknown]:  
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

Enter key password for <key2>
	(RETURN if same as keystore password):  123456
Re-enter new password:123456

也可以使用如下命令：

keytool -genkey -alias 'kmskey' -keystore /root/kms.keystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass 123456 -storepass 123456 -validity 180

在 etc/hadoop/下创建kms.keystore.password 文件，并写入密码123456

[root@VM-0-62-centos hadoop-3.3.4]# cat etc/hadoop/kms.keystore.password 
123456

kms-site.xml配置

 cat etc/hadoop/kms-site.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed under the Apache License, Version 2.0 (the "License");
  you may not use this file except in compliance with the License.
  You may obtain a copy of the License at

  http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<!-- Put site-specific property overrides in this file. -->

<configuration>
	 <property>
     <name>hadoop.kms.key.provider.uri</name>
     <!--keytools生成的keystore文件 -->
     <value>jceks://file@/root/kms.keystore</value>
  </property>

  <property>
    <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
    <!-- etc/hadoop/kms.keystore.password 文件名称，文件中包含了密码 -->
    <value>kms.keystore.password</value>
  </property>
</configuration>

启动KMS

 hadoop --daemon start kms

查看kms进程

[root@VM-0-62-centos hadoop-3.3.4]# ps axu|grep kms
root       87089  0.3  3.4 3698484 270792 pts/1  Sl   17:52   0:07 /root/jdk1.8.0_202/bin/java -Dproc_kms -Djava.net.preferIPv4Stack=true -Dkms.config.dir=/root/hadoop-3.3.4/etc/hadoop -Dkms.log.dir=/root/hadoop-3.3.4/logs -Dyarn.log.dir=/root/hadoop-3.3.4/logs -Dyarn.log.file=hadoop-root-kms-VM-0-62-centos.log -Dyarn.home.dir=/root/hadoop-3.3.4 -Dyarn.root.logger=INFO,console -Djava.library.path=/root/hadoop-3.3.4/lib/native -Dhadoop.log.dir=/root/hadoop-3.3.4/logs -Dhadoop.log.file=hadoop-root-kms-VM-0-62-centos.log -Dhadoop.home.dir=/root/hadoop-3.3.4 -Dhadoop.id.str=root -Dhadoop.root.logger=INFO,RFA -Dhadoop.policy.file=hadoop-policy.xml -Dhadoop.security.logger=INFO,NullAppender org.apache.hadoop.crypto.key.kms.server.KMSWebServer
root       93056  0.0  0.0   9208  1100 pts/2    S+   18:30   0:00 grep --color=auto kms

KMS使用

#创建秘钥
hadoop key create key1 
#查询列表
hadoop key list –metadata
#创建目录
hadoop fs -mkdir /sub    
#使用key1加密sub目录
hdfs crypto -createZone -keyName key1 -path /sub 
#像加密区sub写入数据
hdfs dfs -copyFromLocal  NOTICE.txt /sub
#读取加密区sub的数据
hdfs dfs -copyToLocal  /sub NOTICE.txt.1

参考：