3

Kerberos

Kerberos搭建(基于Ambari环境)

搭建KDC

  1. 安装
    yum install krb5-server krb5-libs krb5-workstation
  2. 修改配置文件
    vi /etc/krb5.conf

    [libdefaults]
    renew_lifetime = 7d
    forwardable = true
    default_realm = EXAMPLE.COM
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_ccache_name = /tmp/krb5cc_%{uid}
    #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
    
    [logging]
    default = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    kdc = FILE:/var/log/krb5kdc.log
    
    
    [realms]
    EXAMPLE.COM = {
    admin_server = master.hadoop//此处是你的主机名
    kdc = master.hadoop//此处是你的主机名
    }
  3. 创建Kerberos数据库
    kdb5_util create -s

终端会提示您输入密码,该密码管理Kerberos数据库必须

  1. 启动KDC
    systemctl start krb5kdc
    systemctl start kadmin
  2. 启动自动开机服务
    systemctl enable krb5kdc
    systemctl enable kadmin
  3. 创建Kerberos管理员
    kadmin.local -q "addprinc admin/admin"
  4. 重启kadmin进程
    systemctl restart kadmin

安装JCE

  1. 获取适用于集群中JDK版本的JCE策略文件

    • 对于Oracle JDK 1.8:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
- 对于Oracle JDK 1.7:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
  1. 解压到安装的jdk中(此步骤每台集群都要安装!谨记!切记!)
    unzip -o -j -q jce_policy-8.zip -d /opt/jdk1.8.0_111/jre/lib/security/
  2. 重启ambari服务器
    ambari-server restart

进入Ambari向导启用Kerbores

clipboard.png

我是做完了才截图的,Kadmin少了两个配置选项,从网上补截一张补进来吧!

clipboard.png

一路next即可。

Kerbores使用

  1. kadmin.local与kadmin

    kadmin.local和kadmin至于用哪个,取决于账户和访问权限:
    kadmin.local(on the KDC machine)or kadmin (on others machine)
    如果有访问kdc服务器的root权限,但是没有kerberos admin账户,使用kadmin.local
    如果没有访问kdc服务器的root权限,但是有kerberos admin账户,使用kadmin

  2. 添加票据

    $ kadmin.local
    addprinc -randkey test/server.bigdata@EXAMPLE.COM
    
    xst -norandkey -k /etc/security/keytabs/test.service.keytab test/server.bigdata@EXAMPLE.COM
  3. 获取票据信息

    kadmin.local:  getprinc test/server.bigdata@EXAMPLE.COM
    Principal: test/server.bigdata@EXAMPLE.COM
    Expiration date: [never]
    Last password change: Wed Apr 03 16:05:50 CST 2019
    Password expiration date: [none]
    Maximum ticket life: 1 day 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Wed Apr 03 16:05:50 CST 2019 (ljk/admin@EXAMPLE.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 8
    Key: vno 1, aes256-cts-hmac-sha1-96
    Key: vno 1, aes128-cts-hmac-sha1-96
    Key: vno 1, des3-cbc-sha1
    Key: vno 1, arcfour-hmac
    Key: vno 1, camellia256-cts-cmac
    Key: vno 1, camellia128-cts-cmac
    Key: vno 1, des-hmac-sha1
    Key: vno 1, des-cbc-md5
    MKey: vno 1
    Attributes:
    Policy: [none]
  4. 列出KDC所有票据

    listprincs

  5. 删除票据

    delprinc test/server.bigdata@EXAMPLE.COM

  6. 修改属性

    modprinc -maxlife 30days test/server.bigdata@EXAMPLE.COM

  7. 缓存票据

    
     klist -k -t /etc/security/keytabs/test.service.keytab
     kinit -k -t /etc/security/keytabs/test.service.keytab test/server.bigdata@EXAMPLE.COM
     kinit -k -t /etc/security/keytabs/test.service.keytab  -c /tmp/testkeytab test/server.bigdata@EXAMPLE.COM
  8. 更新票据

    kinit -R

  9. 查看或者删除用户缓存的票据

    klist
    kdestroy

  10. 合并票据

    ktutil
    ktutil: rkt test.service.keytab
    ktutil: rkt test1.service.keytab
    ktutil: wkt test-test1.service.keytab

client如何访问Kerbores的HDP集群

网上大量方法都是自己去生成一张票据,使用这张票据作为client验证基础的。

但是事实上HDP已经为集群生成了大量票据和keytab,可以直接使用的。

接下来就来验证一下。

  1. 先查看下HDP生成的Principal

    可以看到HDP生成的Principal非常规范,以 $服务/$主机名的方式。

    kadmin.local:  listprincs 
    HTTP/nn1.ambari@EXAMPLE.COM
    HTTP/nn2.ambari@EXAMPLE.COM
    HTTP/rm.ambari@EXAMPLE.COM
    K/M@EXAMPLE.COM
    admin/admin@EXAMPLE.COM
    ambari-qa-bigdata@EXAMPLE.COM
    ambari-server-bigdata@EXAMPLE.COM
    amshbase/nn1.ambari@EXAMPLE.COM
    amshbase/rm.ambari@EXAMPLE.COM
    amszk/rm.ambari@EXAMPLE.COM
    dn/nn1.ambari@EXAMPLE.COM
    dn/nn2.ambari@EXAMPLE.COM
    hbase-bigdata@EXAMPLE.COM
    hbase/nn1.ambari@EXAMPLE.COM
    hbase/nn2.ambari@EXAMPLE.COM
    hdfs-bigdata@EXAMPLE.COM
    hive/nn1.ambari@EXAMPLE.COM
    hive/nn2.ambari@EXAMPLE.COM
    hive/rm.ambari@EXAMPLE.COM
    jhs/rm.ambari@EXAMPLE.COM
    jj@EXAMPLE.COM
    jn/nn1.ambari@EXAMPLE.COM
    jn/nn2.ambari@EXAMPLE.COM
    jn/rm.ambari@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/rm.ambari@EXAMPLE.COM
    kiprop/rm.ambari@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    nm/nn1.ambari@EXAMPLE.COM
    nm/nn2.ambari@EXAMPLE.COM
    nn/nn1.ambari@EXAMPLE.COM
    nn/nn2.ambari@EXAMPLE.COM
    rm/rm.ambari@EXAMPLE.COM
    yarn/rm.ambari@EXAMPLE.COM
    zookeeper/nn1.ambari@EXAMPLE.COM
    zookeeper/nn2.ambari@EXAMPLE.COM
    zookeeper/rm.ambari@EXAMPLE.COM
  2. 下载Active NN的keytab
    在配置信息可以找到它的位置,位于/etc/security/keytabs下,找到nn.service.keytab,并下载到本地。
  3. java写第三方Client访问
    现在hadoop集群有了Kerbores的保护,你按照往常访问,是会报错的。

    Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): SIMPLE authentication is not enabled.  Available:[TOKEN, KERBEROS]

    在往常基础上加上验证就可以了。

    代码如下:

    public static void main(String[] args) throws IOException {
    
            final String USER_KEY = "nn/nn2.ambari";
            final String KEY_TAB_PATH = "/Users/LJK/Downloads/nn.service.keytab";
    
            Configuration conf = new Configuration();
            System.setProperty("java.security.krb5.conf", "/Users/LJK/Downloads/krb5.conf");
            // System.setProperty("sun.security.krb5.debug", "true");
            conf.set("fs.defaultFS", "hdfs://mycluster:8020");
            conf.set("hadoop.security.authentication", "KERBEROS");
            conf.set("dfs.client.block.write.replace-datanode-on-failure.policy", "NEVER");
            UserGroupInformation.setConfiguration(conf);
            UserGroupInformation.loginUserFromKeytab(USER_KEY, KEY_TAB_PATH);
            FileSystem fileSystem = FileSystem.get(conf);
            FileStatus[] fileStatuses = fileSystem.listStatus(new Path("/LJKTEST"));
            for (FileStatus fileStatus : fileStatuses) {
    
                Path path = fileStatus.getPath();
                System.out.println(path.toString());
            }
        }

    这里有个坑,我一直以为keytab文件放到resource目录下,就可以直接访问。会一直报错,这个和你把这个路径地址赋值空是一样的道理,报错也比较恶心,不说文件找不到,一直让我以为是权限的问题。有点坑~

    Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

访问Kerberos HBase集群

@Before
    public void init() throws IOException {

        BasicConfigurator.configure();
        final String USER_KEY = "hbase/nn1.ambari@EXAMPLE.COM";
        String keyTabPath = Objects.requireNonNull(
            HBaseSoulTest.class.getClassLoader().getResource("hbase.service.keytab")).getPath();
        String krb5Path = Objects.requireNonNull(
            HBaseSoulTest.class.getClassLoader().getResource("krb5.conf")).getPath();
        System.setProperty("java.security.krb5.conf", krb5Path);
        Configuration conf = HBaseConfiguration.create();
        conf.set("hbase.master.kerberos.principal", "hbase/nn1.ambari@EXAMPLE.COM");
        conf.set("hbase.regionserver.kerberos.principal", "hbase/nn1.ambari@EXAMPLE.COM");
        conf.set("hbase.zookeeper.quorum", "nn1.ambari");
        conf.set("hbase.zookeeper.property.clientPort", "2181");
        conf.set("zookeeper.znode.parent", "/hbase-secure");
        conf.set("hadoop.security.authentication", "Kerberos");
        conf.set("hbase.security.authentication", "Kerberos");

        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(USER_KEY, keyTabPath);

        connection = ConnectionFactory.createConnection(conf);
    }

如果是自己建立的keytab,还要去hbase shell做一步授权的动作。否则你的账户权限是不够的。

hbase shell授权动作语句

permissions is either zero or more letters from the set "RWXCA".
READ('R'), WRITE('W'), EXEC('X'), CREATE('C'), ADMIN('A')

grant 'test', 'RWXCA'

附录


小鸡
214 声望24 粉丝

1.01的365次方=37.8


引用和评论

0 条评论