Integrating Kerberos with the HDFS Service on an E-MapReduce Cluster
Source: Internet   Editor: 程序博客网   Time: 2024/06/05 22:05
I. Installing and configuring Kerberos
1. Install Kerberos
Run on the master node:
sudo yum install krb5-server krb5-devel krb5-workstation -y
Run on the slave nodes:
sudo yum install krb5-devel krb5-workstation -y
2. Configure Kerberos
Edit the configuration on the master node:
a) /etc/krb5.conf
Note: replace emr-header-1.cluster-xxxx in the configuration with the hostname of your own cluster's master node.
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EMR.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EMR.COM = {
  kdc = emr-header-1.cluster-xxxx
  admin_server = emr-header-1.cluster-xxxx
 }

[domain_realm]
 .emr.com = EMR.COM
 emr.com = EMR.COM
b) /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EMR.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
c) /var/kerberos/krb5kdc/kadm5.acl
*/admin@EMR.COM *
Slave node configuration
Simply copy the /etc/krb5.conf file edited on the master node above to the same location on each slave node.
3. Create the database
Run on the master node:
sudo kdb5_util create -r EMR.COM -s
Note: if the command hangs at "Loading random data" (it can take a while), open another terminal and run some CPU-intensive work to speed up entropy collection.
4. Start Kerberos
Run on the master node:
sudo service krb5kdc start
sudo service kadmin start
5. Create the kadmin administrator account
Run as root on the master node:
$ kadmin.local
# once inside kadmin.local, continue with:
kadmin.local: addprinc root/admin
# enter a password and remember it; it is required whenever kadmin is run later
After this, the kadmin command can be used on every node of the cluster to perform Kerberos database operations (such as adding principals).
Note: kadmin.local can only be run on the machine hosting the kadmin server (the master node) and with root privileges; in all other cases use kadmin.
II. Integrating the HDFS service with Kerberos
1. Create the keytab files
Create a keytab file on every node of the cluster. It is used for authentication between the HDFS daemons (NameNode, DataNode, etc.) and prevents rogue nodes from joining the cluster.
All HDFS daemons in an E-MapReduce cluster are started under the hdfs account, so the daemons share the same keytab configuration.
Next, run the following commands on every machine in the cluster. The master node is used as the example; the other nodes are handled the same way.
$ sudo su hdfs
$ hostname
emr-header-1.cluster-xxxx
# the hostname printed above is used below
$ sudo kadmin
# enter the password; once inside kadmin run the following
# (the principals use the hostname above, i.e. emr-header-1.cluster-xxxx)
kadmin: addprinc -randkey hdfs/emr-header-1.cluster-xxxx@EMR.COM
kadmin: addprinc -randkey HTTP/emr-header-1.cluster-xxxx@EMR.COM
kadmin: xst -k hdfs-unmerged.keytab hdfs/emr-header-1.cluster-xxxx@EMR.COM
kadmin: xst -k http.keytab HTTP/emr-header-1.cluster-xxxx@EMR.COM
kadmin: exit
# merge http.keytab and hdfs-unmerged.keytab
$ sudo ktutil
# once inside ktutil run:
ktutil: rkt hdfs-unmerged.keytab
ktutil: rkt http.keytab
ktutil: wkt hdfs.keytab
ktutil: exit
# copy hdfs.keytab to /etc/emr/hadoop-conf
$ sudo cp hdfs.keytab /etc/emr/hadoop-conf
$ sudo chown hdfs:hadoop /etc/emr/hadoop-conf/hdfs.keytab
$ sudo chmod 400 /etc/emr/hadoop-conf/hdfs.keytab
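As an added check for the merge step above (example code written for this article, not part of the original guide or of E-MapReduce), the following Python reads a keytab in the version 0x0502 format that kadmin xst and ktutil wkt write and reports which of the two required principals a node's hdfs.keytab still lacks. The sample keytab bytes are constructed inside the script rather than taken from a cluster; the hostname and realm are this guide's placeholders.

```python
import struct

def _cos(b):  # Kerberos counted octet string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Constructed sample data only: serialise (principal, kvno, enctype, key) tuples as a v0x0502 keytab."""
    out = b"\x05\x02"                                 # the format kadmin xst and ktutil wkt write
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type=KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cos(key)  # keyblock: enctype id + key bytes
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry; key bytes are skipped, never returned."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                      # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            n = struct.unpack_from(">H", data, pos)[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                  # past name_type/timestamp/vno8, enctype, key length and key
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit field
            kvno = struct.unpack_from(">I", data, pos)[0]
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, enctype))
        pos = end
    return entries
def missing_principals(data, host, realm="EMR.COM"):
    """Principals the merged hdfs.keytab for `host` still lacks; empty means the ktutil merge succeeded."""
    present = {p for p, _, _ in parse_keytab(data)}
    return sorted({f"hdfs/{host}@{realm}", f"HTTP/{host}@{realm}"} - present)
# Constructed sample: hdfs-unmerged.keytab alone, then with http.keytab's entry appended (enctype 18 = aes256-cts)
HOST = "emr-header-1.cluster-xxxx"
UNMERGED = build_keytab([(f"hdfs/{HOST}@EMR.COM", 2, 18, b"\x11" * 32)])
MERGED = UNMERGED + build_keytab([(f"HTTP/{HOST}@EMR.COM", 2, 18, b"\x22" * 32)])[2:]
```

On a real node, pass the bytes of /etc/emr/hadoop-conf/hdfs.keytab and the node's own hostname to missing_principals; a non-empty result means a DataNode or NameNode on that host will fail Kerberos or SPNEGO authentication.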
2. Modify the HDFS service configuration
Integrating HDFS with Kerberos requires changes to core-site.xml and hdfs-site.xml, as follows:
Note: the changes must be made on every node of the cluster.
a) core-site.xml
Path: /etc/emr/hadoop-conf/core-site.xml
Work as the hadoop account: sudo su hadoop
Add the following properties:
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
  <!-- A value of "simple" would disable security. -->
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
Modify the following property: replace the value master_host_name with the hostname of your own cluster's master node (e.g. emr-header-1.cluster-xxxx).
<property>
  <name>master_hostname</name>
  <value>master_host_name</value>
</property>
b) hdfs-site.xml
Path: /etc/emr/hadoop-conf/hdfs-site.xml
Work as the hadoop account: sudo su hadoop
Add the following properties:
<!-- General HDFS security config -->
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<!-- NameNode security config -->
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@EMR.COM</value>
</property>
<property>
  <name>dfs.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@EMR.COM</value>
</property>
<!-- Secondary NameNode security config -->
<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@EMR.COM</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@EMR.COM</value>
</property>
<!-- DataNode security config -->
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>700</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hdfs/_HOST@EMR.COM</value>
</property>
<!-- DataNode SASL config -->
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>dfs.data.transfer.protection</name>
  <value>integrity</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@EMR.COM</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HTTP keytab -->
</property>
3. Generate the keystore files
HDFS uses HTTPS to transfer data, so keystore settings are required.
Run on the master node:
$ sudo su hadoop
# generates the CA files
$ openssl req -new -x509 -keyout ca-key -out ca-cert -days 1000
Still on the master node, repeat the following commands to generate a keystore/truststore pair for every node of the cluster.
Note: each time the commands are repeated for a new node, some file names in them must be changed so that the previous node's files are not overwritten; these are marked with angle brackets (<>) below.
# example: generating the keystore/truststore for the master node
$ keytool -keystore <keystore> -alias localhost -validity 1000 -genkey
输入密钥库口令:
再次输入新口令:
您的名字与姓氏是什么?
  [Unknown]:  emr-header-1    # note: differs per node, e.g. emr-worker-1
您的组织单位名称是什么?
  [Unknown]:  EMR
您的组织名称是什么?
  [Unknown]:  EMR
您所在的城市或区域名称是什么?
  [Unknown]:  EMR
您所在的省/市/自治区名称是什么?
  [Unknown]:  EMR
该单位的双字母国家/地区代码是什么?
  [Unknown]:  EMR
CN=emr-worker-2, OU=EMR, O=EMR, L=EMR, ST=EMR, C=EMR是否正确?
输入 <localhost> 的密钥口令 (如果和密钥库口令相同, 按回车):
$ keytool -keystore <truststore> -alias CARoot -import -file ca-cert
$ keytool -keystore <keystore> -alias localhost -certreq -file <cert-file>
# replace your_pwd in the command below with your own password
$ openssl x509 -req -CA ca-cert -CAkey ca-key -in <cert-file> -out <cert-signed> -days 1000 -CAcreateserial -passin pass:your_pwd
$ keytool -keystore <keystore> -alias CARoot -import -file ca-cert
$ keytool -keystore <keystore> -alias localhost -import -file <cert-signed>
After running the commands above, the new files <keystore> and <truststore> are created in the current directory. Copy them with scp to the /etc/emr/hadoop-conf/ directory of the corresponding machine.
# the master node needs no scp; copy the files directly
$ cp keystore /etc/emr/hadoop-conf
$ cp truststore /etc/emr/hadoop-conf
4. Configure SSL
Run on the master node:
$ sudo su hadoop
$ cp /etc/emr/hadoop-conf/ssl-server.xml.example /etc/emr/hadoop-conf/ssl-server.xml
Modify (do not overwrite) the values of the following properties in ssl-server.xml.
Note: the passwords in the configuration must be replaced with the ones you used when generating the keystore/truststore above.
<property>
  <name>ssl.server.truststore.location</name>
  <value>/etc/emr/hadoop-conf/truststore</value>
  <description>Truststore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>YOUR_TRUSTSTORE_PASSWD</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/etc/emr/hadoop-conf/keystore</value>
  <description>Keystore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>YOUR_KEYSTORE_PASSWD</value>
  <description>Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>YOUR_KEYSTORE_PASSWD</value>
  <description>Must be specified.</description>
</property>
Finally, scp this ssl-server.xml file from the master node to the /etc/emr/hadoop-conf directory of all other nodes.
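Because the edits in sections II.2 and II.4 have to be repeated by hand on every node, an audit that compares each node's core-site.xml, hdfs-site.xml and ssl-server.xml against the values this guide prescribes catches a node that was skipped or still carries the YOUR_*_PASSWD placeholders. The script below is an added example written for this article, not code from the guide or from E-MapReduce; the sample ssl-server.xml it checks is constructed inline.

```python
import xml.etree.ElementTree as ET
# Guide values (sections II.2, II.4): a set = acceptable values; PASSWORD = must be filled in (not blank, not YOUR_*_PASSWD)
PASSWORD = object()
REQUIRED = {
    "core-site.xml": {
        "hadoop.security.authentication": {"kerberos"},   # "simple" would disable security
        "hadoop.security.authorization": {"true"},
    },
    "hdfs-site.xml": {
        "dfs.block.access.token.enable": {"true"},
        "dfs.namenode.kerberos.principal": {"hdfs/_HOST@EMR.COM"},
        "dfs.namenode.kerberos.internal.spnego.principal": {"HTTP/_HOST@EMR.COM"},
        "dfs.datanode.kerberos.principal": {"hdfs/_HOST@EMR.COM"},
        "dfs.datanode.data.dir.perm": {"700"},
        "dfs.http.policy": {"HTTPS_ONLY"},
        "dfs.data.transfer.protection": {"integrity", "privacy"},  # guide uses integrity; privacy also encrypts
    },
    "ssl-server.xml": {
        "ssl.server.keystore.location": {"/etc/emr/hadoop-conf/keystore"},
        "ssl.server.truststore.location": {"/etc/emr/hadoop-conf/truststore"},
        "ssl.server.keystore.password": PASSWORD,
        "ssl.server.keystore.keypassword": PASSWORD,
        "ssl.server.truststore.password": PASSWORD,
    },
}

def properties(xml_text):  # flatten a Hadoop *-site.xml document into {property name: value}
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip() for p in root.iter("property")}
def audit(filename, xml_text):
    """Findings for one file against REQUIRED; an empty list means the file matches the guide."""
    props, findings = properties(xml_text), []
    for name, want in REQUIRED[filename].items():
        got = props.get(name)
        if got is None:
            findings.append(f"{filename}: {name} is missing")
        elif want is PASSWORD:
            if got == "" or got.startswith("YOUR_"):
                findings.append(f"{filename}: {name} is blank or still the placeholder")
        elif got not in want:
            findings.append(f"{filename}: {name}={got!r}, expected one of {sorted(want)}")
    return findings
# Constructed sample: an ssl-server.xml in which the truststore password placeholder was never replaced
SAMPLE_SSL = """<configuration>
<property><name>ssl.server.truststore.location</name><value>/etc/emr/hadoop-conf/truststore</value></property>
<property><name>ssl.server.truststore.password</name><value>YOUR_TRUSTSTORE_PASSWD</value></property>
<property><name>ssl.server.keystore.location</name><value>/etc/emr/hadoop-conf/keystore</value></property>
<property><name>ssl.server.keystore.password</name><value>constructed-pw</value></property>
<property><name>ssl.server.keystore.keypassword</name><value>constructed-pw</value></property>
</configuration>"""
```

On a cluster, call audit(name, open(f"/etc/emr/hadoop-conf/{name}").read()) for each of the three file names on every node before restarting HDFS.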
5. Restart the HDFS service
Run on the master node:
$ sudo su hdfs
# stop the cluster's HDFS service
$ /usr/lib/hadoop-current/sbin/stop-dfs.sh
# stop the SecondaryNameNode
$ /usr/lib/hadoop-current/sbin/hadoop-daemon.sh stop secondarynamenode
# start the NameNode
$ /usr/lib/hadoop-current/sbin/hadoop-daemon.sh start namenode
# start the SecondaryNameNode
$ /usr/lib/hadoop-current/sbin/hadoop-daemon.sh start secondarynamenode
Run on the slave nodes:
# start the DataNode
$ sudo su hdfs
$ /usr/lib/hadoop-current/sbin/hadoop-daemon.sh start datanode
6. Verify HDFS
Run on the master node:
$ useradd testkb
$ sudo su testkb
$ hadoop fs -ls /
17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;
The error above shows that Kerberos authentication for the HDFS service is in effect. Next, run:
# exit the testkb account and, as root, add a principal for testkb
$ kadmin.local
kadmin.local: addprinc testkb
Switch back to the testkb account:
$ sudo su testkb
$ hadoop fs -ls /
17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;
# obtain a TGT for testkb
$ kinit testkb
# verification succeeds
$ hadoop fs -ls /
drwxr-xr-x   - hadoop hadoop          0 2017-05-09 10:12 /apps
drwxr-xr-x   - hadoop hadoop          0 2017-05-09 11:57 /spark-history
drwxrwxrwx   - hadoop hadoop          0 2017-05-09 10:12 /tmp
drwxr-xr-x   - hadoop hadoop          0 2017-05-09 10:14 /usr