使用Ambari给HDP集群安装Kerberos
来源:互联网 发布:冰鉴 出版社 知乎 编辑:程序博客网 时间:2024/05/19 13:59
环境:Amabri 2.2.2、HDP 2.4.2、CentOS 6.5以下没有特殊说明的操作都是在ws1es机器上进行的:1.在集群中找台机器安装KDC
#这台机器自带了kerberos client的两个包,需要先升级再安装server[root@ws1es sysconfig]# rpm -qa | grep krbkrb5-workstation-1.10.3-10.el6_4.6.x86_64krb5-libs-1.10.3-10.el6_4.6.x86_64python-krbV-1.0.90-3.el6.x86_64pam_krb5-2.3.11-9.el6.x86_64[root@ws1es ~]# rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm warning: krb5-libs-1.10.3-57.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEYPreparing... ########################################### [100%] 1:krb5-libs ########################################### [50%] 2:krb5-workstation ########################################### [100%][root@ws1es ~]# rpm -qa | grep krbkrb5-libs-1.10.3-57.el6.x86_64python-krbV-1.0.90-3.el6.x86_64pam_krb5-2.3.11-9.el6.x86_64krb5-workstation-1.10.3-57.el6.x86_64[root@ws1es ~]# rpm -ivh krb5-server-1.10.3-57.el6.x86_64.rpm warning: krb5-server-1.10.3-57.el6.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEYPreparing... ########################################### [100%] 1:krb5-server ########################################### [100%]
#这么装是因为我们的机器都不允许联网,如果您的机器能联网直接下就可以了。如下:yum install krb5-server krb5-libs krb5-workstation
2.增加主机名与IP映射(别忘了发给其它节点)
[root@ws1es ~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6192.168.1.66 ws1es.wondersoft.cn ws1es192.168.1.65 ws1m.wondersoft.cn ws1m192.168.1.64 ws1nn1.wondersoft.cn ws1nn1192.168.1.61 ws1dn1.wondersoft.cn ws1dn1192.168.1.62 ws1dn2.wondersoft.cn ws1dn2192.168.1.63 ws1dn3.wondersoft.cn ws1dn3
3.修改三个配置文件
#第一个文件,修改[realms]里的kdc和admin_server所在主机,EXAMPLE.COM这个域名也应修改,因为改了后面都得改我就没改。[root@ws1es ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true[realms] EXAMPLE.COM = { kdc = ws1es.wondersoft.cn admin_server = ws1es.wondersoft.cn }[domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
第二个文件,前面域名改了的话这里的域名也得改,与之对应。其余保持默认[root@ws1es ~]# cat /var/kerberos/krb5kdc/kdc.conf [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88[realms] EXAMPLE.COM = { #master_key_type = aes256-cts acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }
第三个文件,没有的话手动建一个。#Set up the KDC Access Control List (ACL)[root@ws1es ~]# cat /var/kerberos/krb5kdc/kadm5.acl */admin@EXAMPLE.COM *
4.Copy the krb5.conf to every cluster node(用不着,只拷给ambari server所在机器就可以,其它节点后面会自动分发)
[root@ws1es ~]# scp /etc/krb5.conf ws1dn1:/etc/[root@ws1es ~]# scp /etc/krb5.conf ws1dn2:/etc/[root@ws1es ~]# scp /etc/krb5.conf ws1dn3:/etc/[root@ws1es ~]# scp /etc/krb5.conf ws1nn1:/etc/[root@ws1es ~]# scp /etc/krb5.conf ws1m:/etc/
5.Use the utility kdb5_util to create the Kerberos database
[root@ws1es ~]# /usr/sbin/kdb5_util create -s -r EXAMPLE.COMLoading random dataInitializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',master key name 'K/M@EXAMPLE.COM'You will be prompted for the database Master Password.It is important that you NOT FORGET this password.Enter KDC database master key: Re-enter KDC database master key to verify:出现 Loading random data 的时候另开个终端执行点消耗CPU的命令如 cat /dev/sda > /dev/urandom 可以加快随机数采集。
6.Start the KDC server and the KDC admin server
[root@ws1es ~]# service krb5kdc start正在启动 Kerberos 5 KDC: [确定][root@ws1es ~]# service kadmin start正在启动 Kerberos 5 Admin Server: [确定]
7.Set up the KDC server to auto-start on boot
[root@ws1es ~]# chkconfig krb5kdc on[root@ws1es ~]# chkconfig kadmin on
8.Create a KDC admin by creating an admin principal
[root@ws1es ~]# kadmin.local Authenticating as principal root/admin@EXAMPLE.COM with password.kadmin.local: addprinc admin/admin@EXAMPLE.COMWARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policyEnter password for principal "admin/admin@EXAMPLE.COM": Re-enter password for principal "admin/admin@EXAMPLE.COM": Principal "admin/admin@EXAMPLE.COM" created.kadmin.local: listprincs K/M@EXAMPLE.COMadmin/admin@EXAMPLE.COMkadmin/admin@EXAMPLE.COMkadmin/changepw@EXAMPLE.COMkadmin/ws1es.wondersoft.cn@EXAMPLE.COMkrbtgt/EXAMPLE.COM@EXAMPLE.COM
9.Restart the kadmin process.
[root@ws1es ~]# service kadmin restart
10.关闭防火墙和selinux(所有节点)
[root@ws1es ~]# service iptables stopiptables:将链设置为政策 ACCEPT:filter [确定]iptables:清除防火墙规则: [确定]iptables:正在卸载模块: [确定][root@ws1es ~]# service iptables statusiptables:未运行防火墙。[root@ws1es ~]# setenforce 0 #临时关闭selinux[root@ws1es ~]# vim /etc/selinux/config#永久关闭,需重启把里边的一行改为SELINUX=disabled
11.下载JCE补充1:JCE(Java Cryptography Extension)是一组包,它们提供用于加密、密钥生成和协商以及 Message Authentication Code(MAC)算法的框架和实现。它提供对对称、不对称、块和流密码的加密支持,它还支持安全流和密封的对象。它不对外出口,用它开发完成封装后将无法调用。补充2:If you are using Oracle JDK, you must distribute and install the JCE on all hosts in the cluster, including the Ambari Server. Be sure to restart Ambari Server after installng the JCE. If you are using OpenJDK, some distributions of the OpenJDK come with unlimited strength JCE automatically and therefore, installation of JCE is not required.
For Oracle JDK 1.8:http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.htmlFor Oracle JDK 1.7:http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
12.将下载的JCE解压并覆盖$JAVA_HOME/jre/lib/security/目录下的文件(所有节点)
[root@ws1nn1 ~]# unzip UnlimitedJCEPolicyJDK7.zip Archive: UnlimitedJCEPolicyJDK7.zip creating: UnlimitedJCEPolicy/ inflating: UnlimitedJCEPolicy/US_export_policy.jar inflating: UnlimitedJCEPolicy/local_policy.jar inflating: UnlimitedJCEPolicy/README.txt [root@ws1nn1 ~]# cd UnlimitedJCEPolicy[root@ws1nn1 UnlimitedJCEPolicy]# ll总用量 16-rw-rw-r-- 1 root root 2500 6月 1 2011 local_policy.jar-rw-r--r-- 1 root root 7289 6月 1 2011 README.txt-rw-rw-r-- 1 root root 2487 6月 1 2011 US_export_policy.jar[root@ws1nn1 UnlimitedJCEPolicy]# cp *.jar /opt/java/jre/lib/security/cp:是否覆盖"/opt/java/jre/lib/security/local_policy.jar"? ycp:是否覆盖"/opt/java/jre/lib/security/US_export_policy.jar"? y[root@ws1nn1 UnlimitedJCEPolicy]# cd /opt/java/jre/lib/security/[root@ws1nn1 security]# ll总用量 136-rw-r--r-- 1 root root 3890 9月 30 09:55 blacklist-rw-r--r-- 1 root root 92776 9月 30 09:55 cacerts-rw-r--r-- 1 root root 158 9月 30 09:55 javafx.policy-rw-r--r-- 1 root root 2593 9月 30 09:55 java.policy-rw-r--r-- 1 root root 17838 9月 30 09:55 java.security-rw-r--r-- 1 root root 98 9月 30 09:55 javaws.policy-rw-r--r-- 1 root root 2500 12月 7 17:01 local_policy.jar-rw-r--r-- 1 root root 0 9月 30 09:55 trusted.libraries-rw-r--r-- 1 root root 2487 12月 7 17:01 US_export_policy.jar#替换其它节点的JCE[root@ws1nn1 security]# scp *.jar ws1m:/opt/java/jre/lib/security/local_policy.jar 100% 2500 2.4KB/s 00:00 US_export_policy.jar 100% 2487 2.4KB/s 00:00 [root@ws1nn1 security]# scp *.jar ws1dn1:/opt/java/jre/lib/security/The authenticity of host 'ws1dn1 (192.168.1.61)' can't be established.RSA key fingerprint is b4:59:18:46:76:2e:27:e2:2c:5b:36:9b:49:b8:72:7b.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'ws1dn1,192.168.1.61' (RSA) to the list of known hosts.local_policy.jar 100% 2500 2.4KB/s 00:00 US_export_policy.jar 100% 2487 2.4KB/s 00:00 [root@ws1nn1 security]# scp *.jar ws1dn2:/opt/java/jre/lib/security/The authenticity of host 'ws1dn2 (192.168.1.62)' can't be established.RSA key fingerprint is 45:47:8e:56:08:66:2b:23:a6:a6:f1:09:14:8a:64:91.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'ws1dn2,192.168.1.62' (RSA) to the list of known hosts.local_policy.jar 100% 2500 2.4KB/s 00:00 US_export_policy.jar 100% 2487 2.4KB/s 00:00 [root@ws1nn1 security]# scp *.jar ws1dn3:/opt/java/jre/lib/security/The authenticity of host 'ws1dn3 (192.168.1.63)' can't be established.RSA key fingerprint is 02:5c:3b:ce:20:f1:27:f9:6e:ca:f9:95:f6:66:84:6f.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added 'ws1dn3,192.168.1.63' (RSA) to the list of known hosts.local_policy.jar 100% 2500 2.4KB/s 00:00 US_export_policy.jar 100% 2487 2.4KB/s 00:00
13.Launching the Kerberos Wizard (Automated Setup)
①选第一个
②按之前配置的填好KDC和Kadmin,填好后一定要Test KDC Connection,通了之后再进行下一步
③等它自动安装和测试通过后点next即可
④之后的保持默认点next即可
14.安装成功后,添加服务会多出以下界面,创建该服务的key
15.安装成功后,查看它自动创建的principal和keytab
[root@ws1es ~]# kadmin.localAuthenticating as principal admin/admin@EXAMPLE.COM with password.kadmin.local: listprincs HTTP/ws1dn1.wondersoft.cn@EXAMPLE.COMHTTP/ws1dn2.wondersoft.cn@EXAMPLE.COMHTTP/ws1dn3.wondersoft.cn@EXAMPLE.COMHTTP/ws1nn1.wondersoft.cn@EXAMPLE.COMK/M@EXAMPLE.COMadmin/admin@EXAMPLE.COMambari-qa-HDP@EXAMPLE.COMdn/ws1dn1.wondersoft.cn@EXAMPLE.COMdn/ws1dn2.wondersoft.cn@EXAMPLE.COMdn/ws1dn3.wondersoft.cn@EXAMPLE.COMhdfs-HDP@EXAMPLE.COMhive/ws1dn3.wondersoft.cn@EXAMPLE.COMjhs/ws1dn1.wondersoft.cn@EXAMPLE.COMkadmin/admin@EXAMPLE.COMkadmin/changepw@EXAMPLE.COMkadmin/ws1es.wondersoft.cn@EXAMPLE.COMkrbtgt/EXAMPLE.COM@EXAMPLE.COMnfs/ws1dn1.wondersoft.cn@EXAMPLE.COMnfs/ws1nn1.wondersoft.cn@EXAMPLE.COMnm/ws1dn1.wondersoft.cn@EXAMPLE.COMnm/ws1dn2.wondersoft.cn@EXAMPLE.COMnm/ws1dn3.wondersoft.cn@EXAMPLE.COMnn/ws1dn1.wondersoft.cn@EXAMPLE.COMnn/ws1nn1.wondersoft.cn@EXAMPLE.COMrm/ws1nn1.wondersoft.cn@EXAMPLE.COMspark-HDP@EXAMPLE.COMyarn/ws1dn2.wondersoft.cn@EXAMPLE.COMzookeeper/ws1dn1.wondersoft.cn@EXAMPLE.COMzookeeper/ws1dn2.wondersoft.cn@EXAMPLE.COMzookeeper/ws1dn3.wondersoft.cn@EXAMPLE.COM[root@ws1dn1 keytabs]# ll总用量 40-r-------- 1 hdfs hadoop 388 12月 7 18:18 dn.service.keytab-r--r----- 1 hdfs hadoop 308 12月 7 18:18 hdfs.headless.keytab-r-------- 1 mapred hadoop 393 12月 7 18:18 jhs.service.keytab-r-------- 1 hdfs hadoop 393 12月 7 18:18 nfs.service.keytab-r-------- 1 yarn hadoop 388 12月 7 18:18 nm.service.keytab-r-------- 1 hdfs hadoop 388 12月 7 18:18 nn.service.keytab-r--r----- 1 ambari-qa hadoop 333 12月 7 18:18 smokeuser.headless.keytab-r-------- 1 spark hadoop 313 12月 7 18:18 spark.headless.keytab-r--r----- 1 root hadoop 398 12月 7 18:18 spnego.service.keytab-r-------- 1 zookeeper hadoop 423 12月 7 18:18 zk.service.keytab[root@ws1dn1 keytabs]# pwd/etc/security/keytabs
参考文档:
http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_Security_Guide/content/_launching_the_kerberos_wizard_automated_setup.html
0 0
- 使用Ambari给HDP集群安装Kerberos
- 使用ambari安装hdp
- HDP学习--Ambari安装Hadoop集群步骤
- 记录下使用Ambari部署HDP集群的过程
- Hortonworks HDP Ambari自动安装
- Hdp + Ambari 本地源安装
- AMBARI HDP 官方安装文档
- 使用 Ambari 安装 Hadoop 集群
- 使用Ambari安装Hadoop集群
- Ambari 与hdp 集群搭建教程
- Ambari下Hdp集群添加节点
- Ambari 2.1安装HDP2.3.2 之 六、安装部署HDP集群 详细步骤
- Ambari学习2_ Ambari 2.1安装HDP2.3.2 之 六、安装部署HDP集群 详细步骤
- Centos 7.2 安装 Ambari 2.2.2 + HDP 2.4.2 搭建Hadoop集群
- Centos 7.2 安装 Ambari 2.2.2 + HDP 2.4.2 搭建Hadoop集群
- Centos 7.2 安装 Ambari 2.2.2 + HDP 2.4.2 搭建Hadoop集群
- Centos 7.2 安装 Ambari 2.2.2 + HDP 2.4.2 搭建Hadoop集群
- Centos 7.2 安装 Ambari 2.2.2 + HDP 2.4.2 搭建Hadoop集群
- Android消息传递之EventBus 3.0使用与案例
- 定时器线程
- Windows和Ubuntu14.04双系统卸载Ubuntu的方法
- SqlServer 获取表结构
- 转:使用 python Matplotlib 库 绘图 及 相关问题
- 使用Ambari给HDP集群安装Kerberos
- 基于@Aspect的AOP配置
- SQLite的SQL语法
- 关于LayoutInflater.from(context).inflate()的使用的问题
- 使用Android Studio查看Android Lollipop源码
- iOS 升级Xcode8报missing file警告,没有使用svn啥的,在终端里使用git就搞定了
- 玩转 Nginx 之:使用 Lua 扩展 Nginx 功能
- 经典语录 -- 心情down或者hot的时候 来瞅瞅 有新的收获 同时也要留下足迹
- usaco2.3.1 Longest Prefix