Ambari: configuring dfs.http.policy=HTTPS_ONLY

1. Generate the keystore

On one of the nodes, run the following command; this node acts as the cluster's private CA:

openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=xxxx/OU=dt/CN=xxxx.com'

This produces hdfs_ca_key (the CA private key) and hdfs_ca_cert (the self-signed CA certificate). Without -nodes, openssl prompts for a passphrase to encrypt hdfs_ca_key, and that passphrase is needed again at every signing step below.

Copy hdfs_ca_key and hdfs_ca_cert to every node in the cluster. Note that only hdfs_ca_cert actually has to be on every node; the CA private key is needed only where CSRs are signed. Distributing it to every DataNode means the compromise of any one node is the compromise of the whole cluster's trust anchor, so in practice keep hdfs_ca_key on the CA host, sign each node's CSR there, and copy back only the signed certificate.

Log in to each node in turn and run the following commands:

mkdir tmp
cd tmp
cp ../hdfs_ca_key .
cp ../hdfs_ca_cert .

// Generate the keystore. Set NODE_FQDN to this node's fully qualified hostname (hostname -f): the CN is what other nodes and clients verify when they connect, so a short hostname will fail hostname verification. keytool prompts for a keystore password and a key password; both must match ssl.server.keystore.password / ssl.server.keystore.keypassword configured below.

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${NODE_FQDN}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"

// Import the CA certificate into the truststore

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert

// Generate a certificate signing request (CSR) for the node key (-certreq produces a CSR, not a copy of the certificate)

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -certreq -alias localhost -keystore keystore -file cert

// Sign the CSR with the CA

openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial

// Import the CA certificate and then the CA-signed certificate into the keystore. The CA entry must go in first so that keytool can validate the chain when the signed certificate replaces the self-signed one under alias localhost.

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -import -file cert_signed

Copy the generated files into the directory the SSL configuration will point at:

sudo mkdir /etc/https
sudo cp keystore /etc/https/keystore.jks
sudo cp truststore /etc/https/truststore.jks
sudo chmod 755 /etc/https
sudo chmod 644 /etc/https/keystore.jks
sudo chmod 644 /etc/https/truststore.jks

keystore.jks contains the node's private key, and 644 makes it readable by every local user. The truststore holds only the CA certificate and can stay world-readable, but the keystore should be restricted to the service accounts that need it (for an Ambari-managed cluster the HDFS, YARN and MapReduce users all belong to the hadoop group, so for example root:hadoop with mode 640).
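The same per-node procedure as an added, non-interactive script (this is not the original post's code). It departs from the steps above in three places, all of them assumptions of this script rather than something the page states: the CA private key stays on the signing host (the node only produces a CSR with "csr", the CA host signs it with "sign", the node installs the result with "install"); the leaf certificate gets a subjectAltName for the FQDN, which clients that no longer accept CN-only certificates require; and the keystore is installed as root:hadoop with mode 640. The keytool path, the adminadmin default password and the 9999-day validity are taken from the page; the hadoop group name is an assumption.

```shell
#!/bin/sh
# Added example: non-interactive per-node keystore build for dfs.http.policy=HTTPS_ONLY.
# Assumptions (not from the original page): CA key never leaves the signing host,
# SAN added at signing time, keystore owned by root:hadoop, mode 640.
set -eu

KEYTOOL=${KEYTOOL:-/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool}
STOREPASS=${STOREPASS:-adminadmin}   # must match ssl.server.keystore.password
KEYPASS=${KEYPASS:-$STOREPASS}       # must match ssl.server.keystore.keypassword
DAYS=${DAYS:-9999}                   # the page uses 9999; a shorter lifetime is advisable
CA_CERT=${CA_CERT:-hdfs_ca_cert}
CA_KEY=${CA_KEY:-hdfs_ca_key}        # only needed by "sign", i.e. on the CA host
OUT_DIR=${OUT_DIR:-/etc/https}

# The CN/SAN must be the fully qualified name the daemons advertise (hostname -f).
# A short hostname is accepted by keytool but fails peers' hostname verification.
fqdn_ok() {
    printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Extension file for signing: "openssl x509 -req" copies nothing from the CSR,
# so the SAN and the server-auth usage must be supplied here.
write_san_ext() {            # $1 = FQDN, $2 = output file
    fqdn_ok "$1" || { echo "refusing non-FQDN CN: $1" >&2; return 1; }
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth,clientAuth' \
        "subjectAltName=DNS:$1" > "$2"
}

# On the node: private key plus CSR, no interactive prompts.
node_csr() {                 # $1 = FQDN
    fqdn_ok "$1" || { echo "refusing non-FQDN CN: $1" >&2; return 1; }
    "$KEYTOOL" -genkeypair -keystore keystore -alias localhost -keyalg RSA -keysize 2048 \
        -validity "$DAYS" -storepass "$STOREPASS" -keypass "$KEYPASS" \
        -dname "CN=$1, OU=DT, O=DT, L=CY, ST=BJ, C=CN"
    "$KEYTOOL" -certreq -keystore keystore -alias localhost -storepass "$STOREPASS" -file "$1.csr"
}

# On the CA host: sign the CSR ($1.csr) and verify the result against the CA before shipping
# $1.crt back. Only the signed certificate returns to the node.
sign_csr() {                 # $1 = FQDN
    write_san_ext "$1" "$1.ext"
    openssl x509 -req -in "$1.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -days "$DAYS" -extfile "$1.ext" -out "$1.crt"
    openssl verify -CAfile "$CA_CERT" "$1.crt"
}

# Back on the node: CA certificate first (so keytool can build the chain), then the
# signed leaf; the truststore gets the CA only. Install with tight permissions.
node_install() {             # $1 = FQDN
    "$KEYTOOL" -importcert -noprompt -keystore keystore -storepass "$STOREPASS" -alias CARoot -file "$CA_CERT"
    "$KEYTOOL" -importcert -noprompt -keystore keystore -storepass "$STOREPASS" -keypass "$KEYPASS" \
        -alias localhost -file "$1.crt"
    "$KEYTOOL" -importcert -noprompt -keystore truststore -storepass "$STOREPASS" -alias CARoot -file "$CA_CERT"
    # A chain of length 2 proves the CA-signed certificate, not the self-signed one, is in place.
    "$KEYTOOL" -list -v -keystore keystore -storepass "$STOREPASS" -alias localhost \
        | grep -q 'Certificate chain length: 2'
    install -d -m 755 "$OUT_DIR"
    install -o root -g hadoop -m 640 keystore   "$OUT_DIR/keystore.jks"
    install -o root -g hadoop -m 644 truststore "$OUT_DIR/truststore.jks"
}

case "${1:-}" in
    csr)     node_csr     "${2:?fqdn required}" ;;
    sign)    sign_csr     "${2:?fqdn required}" ;;
    install) node_install "${2:?fqdn required}" ;;
    *)       ;;   # run without a verb (or sourced): only define the functions
esac
```

Usage on a node is `sh mkstore.sh csr "$(hostname -f)"`, then `sh mkstore.sh sign dn1.xxxx.com` on the CA host after copying dn1.xxxx.com.csr there, and finally `sudo sh mkstore.sh install dn1.xxxx.com` on the node once dn1.xxxx.com.crt is back. Because the store and key passwords are passed on the command line, run the script from a file rather than typing it into a shared shell history.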

2. Modify the HDFS configuration

In Advanced hdfs-site, change:

dfs.datanode.address=0.0.0.0:61004
dfs.http.policy=HTTPS_ONLY

The DataNode data-transfer port moves from Ambari's default 0.0.0.0:50010 to an unprivileged port (any port above 1024 will do). dfs.http.policy=HTTPS_ONLY closes the plain HTTP web endpoints of the NameNode and DataNodes (50070 / 50075 by default) and leaves only the HTTPS ones (50470 / 50475).

In Custom hdfs-site, add:

dfs.client.https.need-auth=false
dfs.data.transfer.protection=integrity

dfs.client.https.need-auth=false means the servers do not require client certificates (no mutual TLS), which is why the ssl-client.xml keystore below is never actually presented. dfs.data.transfer.protection turns on SASL for the DataTransferProtocol (allowed values: authentication, integrity, privacy). In a Kerberized cluster a DataNode must either bind privileged ports and start as root through jsvc, or run on unprivileged ports with dfs.data.transfer.protection set and dfs.http.policy=HTTPS_ONLY; this page takes the second route. In a cluster without Kerberos the setting is not enforced and the DataNode starts on the unprivileged port regardless.

Edit hadoop-env.sh and comment out the following lines. With the DataNode on an unprivileged port there is no longer any need to start it as root and drop privileges to this user:

#On secure datanodes, user to run the datanode as after dropping privileges 
#export HADOOP_SECURE_DN_USER=

Configure ssl-client.xml (in Ambari, the Advanced ssl-client section of the HDFS configuration). The passwords here must be the ones given to keytool above. They are stored in cleartext in a file every cluster user can read; Hadoop can read them from a credential provider instead (hadoop.security.credential.provider.path, populated with the hadoop credential command), which is the better choice outside a test cluster.

<configuration>
  <property>
    <name>ssl.client.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.client.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.client.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by clients like distcp. Must be specified.</description>
  </property>
  <property>
    <name>ssl.client.keystore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.client.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>

Configure ssl-server.xml (in Ambari, the Advanced ssl-server section of the HDFS configuration). This is the file the NameNode and DataNodes read at startup; the keystore password and key password must match what keytool was given, or the daemons fail to open the keystore and will not start.

<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>/etc/https/truststore.jks</value>
    <description>Truststore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.truststore.password</name>
    <value>adminadmin</value>
    <description>Optional. Default value is "".</description>
  </property>
  <property>
    <name>ssl.server.truststore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
  <property>
    <name>ssl.server.truststore.reload.interval</name>
    <value>10000</value>
    <description>Truststore reload check interval, in milliseconds. Default value is 10000 (10 seconds).</description>
  </property>
  <property>
    <name>ssl.server.keystore.location</name>
    <value>/etc/https/keystore.jks</value>
    <description>Keystore to be used by NN and DN. Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>adminadmin</value>
    <description>Must be specified.</description>
  </property>
  <property>
    <name>ssl.server.keystore.type</name>
    <value>jks</value>
    <description>Optional. The keystore file format, default value is "jks".</description>
  </property>
</configuration>

Set up the truststore for the Ambari server, so that it trusts the cluster CA when it connects to the HTTPS web endpoints of the HDFS daemons (alerts, quick links):

ambari-server setup-security
Using python  /usr/bin/python2.6
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): *4*
Do you want to configure a truststore [y/n] (y)? *y*
TrustStore type [jks/jceks/pkcs12] (jks): *jks*
Path to TrustStore file : /etc/https/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.

Restart ambari-server:

ambari-server restart
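Once the HDFS daemons have been restarted with the new configuration, an audit script like the following (an added example, not part of the original post) checks the result. It reads ssl-server.xml the way Ambari writes it (one <name>/<value> pair per line), verifies that the required keys are set and that the keystore the file points at exists and is not world-readable, and, when run with "probe", confirms that a daemon's HTTPS port presents a chain that verifies against hdfs_ca_cert while the old plain-HTTP port no longer answers. The config and CA paths, the Hadoop 2 default ports (50470 HTTPS and 50070 HTTP on the NameNode, 50475 and 50075 on a DataNode) and the constructed fixture written by make_fixture are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-change audit for the HTTPS_ONLY setup. Paths, ports and the
# fixture below are assumptions, not values from the original page.
set -eu

CA_CERT=${CA_CERT:-/etc/https/hdfs_ca_cert}
CONF=${CONF:-/etc/hadoop/conf/ssl-server.xml}

# Extract one property from a Hadoop XML config (first match wins, "" if absent).
hadoop_conf_get() {          # $1 = file, $2 = property name
    awk -v want="$2" '
        /<name>/  { n = $0; gsub(/.*<name>|<\/name>.*/, "", n) }
        /<value>/ { v = $0; gsub(/.*<value>|<\/value>.*/, "", v); if (n == want) { print v; exit } }
    ' "$1"
}

# The keystore holds the node's private key: any permission for "others" is a finding.
store_perms_ok() {           # $1 = keystore path
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ] || { echo "world-accessible ($others): $1" >&2; return 1; }
}

# Static checks: required keys non-empty, keystore present with tight permissions.
audit_ssl_server() {         # $1 = ssl-server.xml
    rc=0
    for key in ssl.server.keystore.location ssl.server.keystore.password \
               ssl.server.keystore.keypassword ssl.server.truststore.location; do
        val=$(hadoop_conf_get "$1" "$key")
        [ -n "$val" ] || { echo "empty or missing: $key" >&2; rc=1; }
    done
    ks=$(hadoop_conf_get "$1" ssl.server.keystore.location)
    store_perms_ok "$ks" || rc=1
    return $rc
}

# Live checks: the HTTPS UI must verify against our CA and answer /jmx, and the
# plain-HTTP UI must be gone (HTTPS_ONLY rather than HTTP_AND_HTTPS).
probe_https() {              # $1 = FQDN, $2 = https port, $3 = old http port
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$CA_CERT" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)' || { echo "chain does not verify on $1:$2" >&2; return 1; }
    curl -fsS --max-time 10 --cacert "$CA_CERT" "https://$1:$2/jmx" >/dev/null \
        || { echo "HTTPS request to $1:$2 failed" >&2; return 1; }
    if curl -s -o /dev/null --max-time 5 "http://$1:$3/"; then
        echo "plain HTTP still answering on $1:$3" >&2; return 1
    fi
}

# Constructed fixture (not real cluster data) so the static checks can run offline.
make_fixture() {             # $1 = directory
    : > "$1/keystore.jks";   chmod 640 "$1/keystore.jks"
    : > "$1/truststore.jks"; chmod 644 "$1/truststore.jks"
    cat > "$1/ssl-server.xml" <<EOF
<configuration>
  <property>
    <name>ssl.server.truststore.location</name>
    <value>$1/truststore.jks</value>
  </property>
  <property>
    <name>ssl.server.keystore.location</name>
    <value>$1/keystore.jks</value>
  </property>
  <property>
    <name>ssl.server.keystore.password</name>
    <value>adminadmin</value>
  </property>
  <property>
    <name>ssl.server.keystore.keypassword</name>
    <value>adminadmin</value>
  </property>
</configuration>
EOF
}

case "${1:-}" in
    audit) audit_ssl_server "${2:-$CONF}" ;;
    probe) probe_https "${2:?fqdn required}" "${3:-50470}" "${4:-50070}" ;;
    demo)  d=$(mktemp -d); make_fixture "$d"
           audit_ssl_server "$d/ssl-server.xml" && echo "fixture (640 keystore): ok"
           chmod 644 "$d/keystore.jks"
           audit_ssl_server "$d/ssl-server.xml" || echo "fixture (644 keystore): flagged, as expected"
           rm -rf "$d" ;;
    *)     ;;   # run without a verb (or sourced): only define the functions
esac
```

`sh audit.sh audit` on each node checks the static side; `sh audit.sh probe nn1.xxxx.com` checks the NameNode and `sh audit.sh probe dn1.xxxx.com 50475 50075` a DataNode. The probe relies on curl's CN fallback when the certificate has no subjectAltName, as is the case for certificates produced exactly as in step 1; clients that insist on a SAN need the certificates reissued with one.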
