hbase1.1.1 连接集群_使用FreeIPA为CDP DC7.1集群部署安全

1. 文档编写目的 Cloudera从CM6.3版本开始，引入了 Red Hat IdM 来做整个集群的认证， Red Hat IdM 对应的软件为FreeIPA，在本文中描述如何使用FreeIPA来做CDP-DC集群的认证。关于 FreeIPA服务器搭建参考。 文档内容文档主要包括以下内容

1) FreeIPA客户端配置

2) CDP DC7.1集群使用FreeIPA启用Kerberos

3) Kerberos使用

假设前提这篇文档将重点介绍如何在CDH集群使用FreeIPA启用及配置Kerberos，并基于以下假设：

1) CDP DC集群运行正常

2) 集群未启用Kerberos

3) FreeIPA Server搭建完成

4) MySQL 5.1.73

测试环境以下是本次测试环境，但不是本操作手册的必需环境：

1) 操作系统：CentOS7.7

2) CM和Cloudera Runtime的版本为7.1.1

3) 采用root用户进行操作

集群所有节点部署FreeIPA客户端 在集群的所有节点上安装FreeIPA客户端介质：

yum -y install ipa-client

2) 配置IPA客户端

[root@grocery ~]#  ipa-client-installWARNING: ntpd time&date synchronization service will not be configured asconflicting service (chronyd) is enabledUse --force-ntpd option to disable it and force configuration of ntpdDNS discovery failed to determine your DNS domainProvide the domain name of your IPA server (ex: example.com): vpc.cloudera.comProvide your IPA server name (ex: ipa.example.com): XXX.vpc.cloudera.comThe failure to use DNS to find your IPA server indicates that your resolv.conf file is not properly configured.Autodiscovery of servers for failover cannot work with this configuration.If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.Proceed with fixed values and no DNS discovery? [no]: yesClient hostname: grocery.vpc.cloudera.comRealm: VPC.CLOUDERA.COMDNS Domain: vpc.cloudera.comIPA Server: xuefeng.vpc.cloudera.comBaseDN: dc=vpc,dc=cloudera,dc=comContinue to configure the system with these values? [no]: yes

3) 修改集群节点的/etc/krb5.conf配置文件。a) 注释掉default_ccache_nameb) 添加 renew_lifetime = 7d

[root@wangxf ~]# vi /etc/krb5.conf