服务器配置kerberos服务
注意:以下配置中 @ 后面的域名为 Kerberos 配置的域名(realm),文件路径以实际环境为准。
hdfs-site.xml
/usr/local/service/hadoop/etc/hadoop/hdfs-site.xml
"dfs.namenode.kerberos.principal", "hadoop/_HOST@" + realm(kerberos域名)
"dfs.namenode.keytab.file", "/etc/security/keytab/emr.keytab",
"dfs.namenode.kerberos.internal.spnego.principal", "HTTP/_HOST@BINGSHENG.TC-SIT"
"dfs.secondary.namenode.kerberos.principal", "hadoop/_HOST@BINGSHENG.TC-SIT"
"dfs.secondary.namenode.keytab.file", "/etc/security/keytab/emr.keytab"
"dfs.secondary.namenode.kerberos.internal.spnego.principal", "HTTP/_HOST@" + realm,
"dfs.journalnode.kerberos.principal", "hadoop/_HOST@" + realm,
"dfs.journalnode.keytab.file", "/etc/security/keytab/emr.keytab",
"dfs.journalnode.kerberos.internal.spnego.principal", "HTTP/_HOST@" + realm,
"dfs.datanode.kerberos.principal", "hadoop/_HOST@" + realm,
"dfs.datanode.keytab.file", "/etc/security/keytab/emr.keytab",
"dfs.web.authentication.kerberos.principal", "HTTP/_HOST@" + realm,
"dfs.web.authentication.kerberos.keytab", "/etc/security/keytab/emr.keytab",
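"ignore.secure.ports.for.testing", "true",(仅限测试环境:开启后 DataNode 启动时不再检查是否使用了特权端口或 SASL 数据传输保护;生产环境应去掉此项,改用特权端口或配置 dfs.data.transfer.protection)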
"dfs.blockdfs.webhdfs.enabled.access.token.enable", "true",(该属性名疑似粘贴错误,可能应为 "dfs.webhdfs.enabled",请对照实际配置核对;无法识别的属性不会生效)
"dfs.block.access.token.enable", "true",
httpfs-site.xml
vim /usr/local/service/hadoop/etc/hadoop/httpfs-site.xml
"httpfs.authentication.type", "kerberos"
"httpfs.hadoop.authentication.type", "kerberos"
"httpfs.authentication.kerberos.principal", "HTTP/_HOST@" + realm
"httpfs.hadoop.authentication.kerberos.principal", "hadoop/_HOST@" + realm
"httpfs.authentication.kerberos.keytab", "/var/krb5kdc/emr.keytab"
"httpfs.hadoop.authentication.kerberos.keytab", "/var/krb5kdc/emr.keytab"
"httpfs.authentication.kerberos.principal", "HTTP/" + ip + "@" + realm
"httpfs.hadoop.authentication.kerberos.principal", "hadoop/" + ip + "@" + realm
core-site.xml
/usr/local/service/hadoop/etc/hadoop/core-site.xml
"hadoop.security.authentication", "kerberos"
"hadoop.security.authorization", "true"
zoo.cfg
/usr/local/service/zookeeper/conf/zoo.cfg
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
/usr/local/service/zookeeper/conf/jaas.conf
// JAAS login configuration for ZooKeeper; "Server" is the section name the
// ZooKeeper server looks up by default for its SASL login.
// The login authenticates from the keytab (useKeyTab=true) and never from a
// cached ticket (useTicketCache=false); storeKey=true keeps the key in the
// logged-in Subject.
// The keytab holds long-term service keys: keep it readable only by the
// account that runs ZooKeeper.
// NOTE(review): the principal below uses an IP address as its instance part
// and a fixed realm; both are deployment-specific and must match what the KDC
// actually issued.
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/var/krb5kdc/emr.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/172.21.64.7@EMR-BAGBUZZ6";
};
// "Client" is the section name ZooKeeper clients look up by default.
// NOTE(review): this section reuses the server's principal and keytab, so any
// process that can read this keytab can authenticate as the ZooKeeper service
// itself; confirm this is intended rather than a dedicated client principal.
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/var/krb5kdc/emr.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/172.21.64.7@EMR-BAGBUZZ6";
};
/usr/local/service/zookeeper/conf/java.env
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/service/zookeeper/conf/jaas.conf"
yarn服务
yarn-site.xml
/usr/local/service/hadoop/etc/hadoop/yarn-site.xml
<!-- Keytab the NodeManager logs in with. It holds long-term service keys, so
     keep it readable only by the account that runs the YARN daemons. -->
<property>
<name>yarn.nodemanager.keytab</name>
<value>/var/krb5kdc/emr.keytab</value>
</property>
<!-- Kerberos principal of the NodeManager. Hadoop substitutes _HOST with the
     local host name when the daemon logs in.
     NOTE(review): the realm is hard-coded here; replace it with the realm of
     the actual cluster. -->
<property>
<name>yarn.nodemanager.principal</name>
<value>hadoop/_HOST@EMR-BAGBUZZ6</value>
</property>
<!-- Keytab the ResourceManager logs in with; the same file as the NodeManager
     keytab above. -->
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/var/krb5kdc/emr.keytab</value>
</property>
<property>
<name>yarn.resourcemanager.principal</name>
<value>hadoop/_HOST@EMR-BAGBUZZ6