E-MapReduce集群中HDFS服务集成Kerberos

来源：互联网发布：太阁立志传5 町数据编辑：程序博客网时间：2024/06/05 22:05

一、安装配置Kerberos

1. 安装Kerberos

master节点执行:

sudo yum install krb5-server krb5-devel krb5-workstation -y

slave节点执行:

sudo yum install krb5-devel krb5-workstation -y

2. 配置Kerberos

master节点上面修改配置：
a) /etc/krb5.conf
备注： 配置中emr-header-1.cluster-xxxx替换成自己集群的hostname

[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log[libdefaults] default_realm = EMR.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true[realms] EMR.COM = {  kdc = emr-header-1.cluster-xxxx  admin_server = emr-header-1.cluster-xxxx }[domain_realm] .emr.com = EMR.COMemr.com = EMR.COM

b) /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88[realms] EMR.COM = {  #master_key_type = aes256-cts  acl_file = /var/kerberos/krb5kdc/kadm5.acl  dict_file = /usr/share/dict/words  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }

c) /var/kerberos/krb5kdc/kadm5.acl

*/admin@EMR.COM *

slave节点修改配置
只需将上面master节点修改过的/etc/krb5.conf文件拷贝到slave节点对应文件夹即可。

3. 创建数据库

在master节点上面执行：

sudo kdb5_util create -r EMR.COM -s

备注：
若出现Loading random data卡住(需要等一会)，可以另外开一个终端执行一些耗费cpu的操作，增加随机数采集

4. 启动Kerberos

在master节点执行:

sudo service krb5kdc startsudo service kadmin start

5. 创建kadmin管理员账号

在master节点root账号上面执行

$kadmin.local  #进入kadmin后继续执行:$addprinc root/admin#输入密码，记住后面执行kadmin时需要输入

后续可以在所有集群所有节点上使用kadmin命令来管理Kerberos的一些数据库操作(如添加principal等)

备注:
kadmin.local只能在kadmin server所在的机器(即master节点)且拥有root权限情况下才能执行，其它情况使用kadmin

二、HDFS服务集成Kerberos

1. 创建keytab文件

在集群的每个节点上面创建对应的keytab文件，用于HDFS服务各个Daemon(如NameNode/DataNode等)之间的身份认证，防止非法的节点加入集群。

E-MapReduce集群中的HDFS的所有Daemon都是在hdfs账号下启动，所以各个Daemon使用共用相同的keytab配置。

接下来分别在集群的每台机器上面分别执行下面命令：
以master节点为例，其它节点按照同样的方式操作

$sudo su hdfs$hostname   emr-header-1.cluster-xxxx#后面需要使用hostname$sudo kadmin#输入密码，进入kadmin后执行# principal使用了上面的hostname即emr-header-1.cluster-xxxx$kadmin: addprinc -randkey hdfs/emr-header-1.cluster-xxxx@EMR.COM$kadmin: addprinc -randkey HTTP/emr-header-1.cluster-xxxx@EMR.COM$kadmin: xst -k hdfs-unmerged.keytab hdfs/emr-header-1.cluster-xxxx@EMR.COM$kadmin: xst -k http.keytab HTTP/emr-header-1.cluster-xxxx@EMR.COM$kadmin: exit#合并http.keytab和hdfs-unmerged.keytab$sudo ktutil#进入ktutil后执行:$ktutil:  rkt hdfs-unmerged.keytab$ktutil:  rkt http.keytab$ktutil:  wkt hdfs.keytab$ktutil:  exit#将hdfs.keytab拷贝到/etc/emr/hadoop-conf$sudo cp hdfs.keytab /etc/emr/hadoop-conf$sudo chown hdfs:hadoop /etc/emr/hadoop-conf/hdfs.keytab$sudo chmod 400 /etc/emr/hadoop-conf/hdfs.keytab

2. 修改HDFS服务配置

HDFS服务集成Kerberos需要修改core-site.xml和hdfs-site.xml,如下：

备注: 集群所有节点都需要修改

a) core-site.xml
路径: /etc/emr/hadoop-conf/core-site.xml
使用hadoop账号来操作sudo su hadoop

添加如下配置项:

    <property>      <name>hadoop.security.authentication</name>      <value>kerberos</value> <!-- A value of "simple" would disable security. -->    </property>    <property>      <name>hadoop.security.authorization</name>      <value>true</value>    </property>

修改如下配置项:
将value值master_host_name换成自己集群的master的hostname(如emr-header-1.cluster-xxx)

  <property>     <name>master_hostname</name>     <value>master_host_name</value>  </property>

b) hdfs-site.xml
路径: /etc/emr/hadoop-conf/hdfs-site.xml
使用hadoop账号来操作sudo su hadoop

添加如下配置项:

    <!-- General HDFS security config -->    <property>      <name>dfs.block.access.token.enable</name>      <value>true</value>    </property>    <!-- NameNode security config -->    <property>      <name>dfs.namenode.keytab.file</name>      <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->    </property>    <property>      <name>dfs.namenode.kerberos.principal</name>      <value>hdfs/_HOST@EMR.COM</value>    </property>    <property>      <name>dfs.namenode.kerberos.internal.spnego.principal</name>      <value>HTTP/_HOST@EMR.COM</value>    </property>    <!-- Secondary NameNode security config -->    <property>      <name>dfs.secondary.namenode.keytab.file</name>      <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->    </property>    <property>      <name>dfs.secondary.namenode.kerberos.principal</name>      <value>hdfs/_HOST@EMR.COM</value>    </property>    <property>      <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>      <value>HTTP/_HOST@EMR.COM</value>    </property>    <!-- DataNode security config -->    <property>      <name>dfs.datanode.data.dir.perm</name>      <value>700</value>     </property>    <property>      <name>dfs.datanode.keytab.file</name>      <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->    </property>    <property>      <name>dfs.datanode.kerberos.principal</name>      <value>hdfs/_HOST@EMR.COM</value>    </property>    <!-- datanode SASL配置 -->    <property>      <name>dfs.http.policy</name>      <value>HTTPS_ONLY</value>     </property>     <property>       <name>dfs.data.transfer.protection</name>       <value>integrity</value>      </property>    <property>      <name>dfs.web.authentication.kerberos.principal</name>          <value>HTTP/_HOST@EMR.COM</value>        </property>    <property>      <name>dfs.web.authentication.kerberos.keytab</name>          <value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HTTP keytab -->        </property>

3. 生成keystore文件

HDFS中使用HTTPS来传输数据，需要有keystore相关配置。

在master节点上面执行：

$sudo su hadoop#生成了ca相关文件$openssl req -new -x509 -keyout ca-key -out ca-cert -days 1000

继续在master节点上重复按照如下命令，分别为集群所有节点生成keystore/truststore文件

备注: 每次为新节点重复执行，需要更换命令中的一些文件名称(防止被覆盖)，下面以尖括号(<>)标出

# 以为master节点生成keystore/truststore为例$keytool -keystore <keystore> -alias localhost -validity 1000 -genkey  输入密钥库口令:  再次输入新口令:  您的名字与姓氏是什么?     [Unknown]:  emr-header-1   #备注: 不同节点不一样,如emr-worker-1  您的组织单位名称是什么?     [Unknown]:  EMR  您的组织名称是什么?     [Unknown]:  EMR  您所在的城市或区域名称是什么?     [Unknown]:  EMR  您所在的省/市/自治区名称是什么?     [Unknown]:  EMR  该单位的双字母国家/地区代码是什么?     [Unknown]:  EMRCN=emr-worker-2, OU=EMR, O=EMR, L=EMR, ST=EMR, C=EMR是否正确?输入 <localhost> 的密钥口令    (如果和密钥库口令相同, 按回车):$keytool -keystore <truststore> -alias CARoot -import -file ca-cert$keytool -keystore <keystore> -alias localhost -certreq -file <cert-file>#下面命令中your_pwd替换成自己的$openssl x509 -req -CA  ca-cert -CAkey ca-key -in <cert-file> -out <cert-signed> -days 1000 -CAcreateserial -passin pass:your_pwd$keytool -keystore <keystore> -alias CARoot -import -file ca-cert$keytool -keystore <keystore> -alias localhost -import -file <cert-signed>

执行完上述命令后，将在当前文件夹下会生成新文件<keystore>和<truststore>拷贝scp到对应机器的/etc/emr/hadoop-conf/目录下

#master节点不需要scp，直接cp过去$cp keystore /etc/emr/hadoop-conf$cp keystore /etc/emr/hadoop-conf

4. 配置ssl

在master节点上面执行

$sudo su hadoop$cp /etc/emr/hadoop-conf/ssl-server.xml.example /etc/emr/hadoop-conf/ssl-server.xml

修改，不是覆盖ssl-server.xml文件中相关配置项对应的key
备注：
配置中密码需要替换成自己的上面生成keystore/truststore时的密码

<property>  <name>ssl.server.truststore.location</name>  <value>/etc/emr/hadoop-conf/truststore</value>  <description>Truststore to be used by NN and DN. Must be specified.  </description></property><property>  <name>ssl.server.truststore.password</name>  <value>YOUR_TRUSTSTORE_PASSWD</value>  <description>Optional. Default value is "".  </description></property><property>  <name>ssl.server.keystore.location</name>  <value>/etc/emr/hadoop-conf/keystore</value>  <description>Keystore to be used by NN and DN. Must be specified.  </description></property><property>  <name>ssl.server.keystore.password</name>  <value>YOUR_KEYSTORE_PASSWD</value>  <description>Must be specified.  </description></property><property>  <name>ssl.server.keystore.keypassword</name>  <value>YOUR_KEYSTORE_PASSWD</value>  <description>Must be specified.  </description></property>

最后，将master节点的这个ssl-server.xml文件 scp 到其它所有节点/etc/emr/hadoop-conf目录下面。

5. 重启HDFS服务

在master节点上面执行:

$sudo su hdfs#停止集群HDFS服务$/usr/lib/hadoop-current/sbin/stop-dfs.sh#停止SecondaryNameNode$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh stop secondarynamenode#启动NameNode$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start namenode#启动SecondaryNameNode$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start secondarynamenode

在slave节点上面执行:

#启动DataNode$sudo su hdfs$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start datanode

6. 验证HDFS

在master节点上面执行：

$useradd testkb$sudo su testkb$hadoop fs -ls /17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;

出现上面错误，说明HDFS服务的Kerberos认证生效了，接着执行：

#从testkb账号退出到root账号执行# 添加testkb的principal$kadmin.local$kadmin.local:  addprinc testkb

重新进入testkb账号

$sudo su testkb$hadoop fs -ls /17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;#获取testkb的TGT$kinit testkb#验证成功$hadoop fs -ls /drwxr-xr-x   - hadoop hadoop          0 2017-05-09 10:12 /appsdrwxr-xr-x   - hadoop hadoop          0 2017-05-09 11:57 /spark-historydrwxrwxrwx   - hadoop hadoop          0 2017-05-09 10:12 /tmpdrwxr-xr-x   - hadoop hadoop          0 2017-05-09 10:14 /usr