Note: before configuring Kerberos authentication, the Kerberos KDC (krb5kdc and kadmin) must already be installed and working.
I. Environment
II. Generating the keytabs for HDFS/Zookeeper/HBase
1. Generating the Zookeeper keytab
A note first: the cluster I use is one I built myself from native Apache big-data components, and the ordinary user that starts and operates the cluster is hadoop, so the keytab has to contain credentials for the hadoop user as well as for HTTP and for Zookeeper. The HTTP principal is needed for the cluster's HTTP (SPNEGO) communication, and the Zookeeper principal is required because the Server section of jaas.conf must name it once Zookeeper is configured for Kerberos. With the krb5kdc and kadmin services running, generate the keytab as root on the node that hosts the Kerberos server (ha01 in my setup) with the following commands:
# add the HTTP service principal
kadmin.local -q "addprinc -randkey HTTP/$host@HADOOP.COM"
# add the zookeeper principal
kadmin.local -q "addprinc -randkey zookeeper/$host@HADOOP.COM"
# add the hadoop user's principal
kadmin.local -q "addprinc -randkey hadoop/$host@HADOOP.COM"
# export the three principals above into one keytab; hadoop.keytab is the name of the resulting file
kadmin.local -q "xst -k hadoop.keytab hadoop/$host HTTP/$host zookeeper/$host"
After running these commands, hadoop.keytab is written to the directory the command was run from. Every node needs a directory prepared in advance to hold keytabs; I put each node's keytab into /etc/security/keytab, created beforehand on every host. Note that the four commands above have to be run on the Kerberos server node ha01 once for every node in the cluster, because each host needs its own keytab: for each node, replace $host in the commands with that node's hostname, then send the resulting hadoop.keytab to /etc/security/keytab on that node. One caveat when repeating this: xst (ktadd) generates new random keys for the principals it exports, so exporting the same principal a second time silently invalidates the keytab already deployed for it; if you need to re-export without changing the keys, use the -norandkey option of kadmin.local.

A keytab is effectively a permanent credential: no password is needed to use it (it only stops working if the principal's key is changed in the KDC), so anyone who can read the file can impersonate the principals it contains against every service in the cluster. Make sure the keytab is readable only by its owner (the hadoop user in my setup).
# change the owner and group of the keytab directory
chown -R hadoop:hadoop /etc/security/keytab
# restrict hadoop.keytab so that only its owner can read it
chmod /etc/security/keytab/hadoop.keytab
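The four kadmin.local commands and the ownership fix above have to be repeated once per node, so here is a scripted version of the whole round trip, added as an example and not taken from the original post. It assumes the realm HADOOP.COM, the service user hadoop, passwordless root ssh from ha01 to each node, GNU stat, and an owner-only mode of 400 for the keytab (the post only says that the owner alone may read it). The last function is the check worth running on every node before trusting a copied keytab.

```shell
#!/bin/sh
# Added example (not from the original post): one keytab per node, generated
# on the KDC host, copied to /etc/security/keytab on the node, locked to its
# owner and then verified with klist/kinit.
# Assumptions: realm HADOOP.COM, service user "hadoop", passwordless root ssh
# from ha01 to every node, GNU stat, keytab mode 400.
REALM="HADOOP.COM"
SERVICE_USER="hadoop"
KEYTAB_DIR="/etc/security/keytab"

# The three principals every node needs, space separated.
principals_for_host() {   # principals_for_host <hostname>
    printf '%s/%s@%s HTTP/%s@%s zookeeper/%s@%s\n' \
        "$SERVICE_USER" "$1" "$REALM" "$1" "$REALM" "$1" "$REALM"
}

# Create the principals with random keys and export them into one keytab.
# xst/ktadd re-randomizes keys on every run, so a second export for the same
# host invalidates the keytab already on that node (kadmin.local's -norandkey
# re-exports without changing keys).
make_keytab() {           # make_keytab <hostname>  -> prints the keytab path
    out="hadoop-$1.keytab"
    for p in $(principals_for_host "$1"); do
        kadmin.local -q "addprinc -randkey $p" >/dev/null
    done
    kadmin.local -q "xst -k $out $(principals_for_host "$1")" >/dev/null
    printf '%s\n' "$out"
}

# Copy the keytab to the node, restrict it to its owner and prove it works.
install_keytab() {        # install_keytab <hostname> <keytab>
    scp "$2" "root@$1:$KEYTAB_DIR/hadoop.keytab"
    ssh "root@$1" "chown $SERVICE_USER:$SERVICE_USER $KEYTAB_DIR/hadoop.keytab &&
                   chmod 400 $KEYTAB_DIR/hadoop.keytab &&
                   su - $SERVICE_USER -c 'klist -kt $KEYTAB_DIR/hadoop.keytab &&
                       kinit -kt $KEYTAB_DIR/hadoop.keytab $SERVICE_USER/$1@$REALM && klist'"
}

# Returns 0 only if <file> is owned by <owner> and has no group/other bits at
# all; anything else means someone besides the owner could use the keytab.
keytab_perms_ok() {       # keytab_perms_ok <file> <owner>
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$owner" = "$2" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (as root on ha01): sh make_keytabs.sh ha01 ha02 ha03
main() {
    for h in "$@"; do
        f=$(make_keytab "$h")
        install_keytab "$h" "$f"
        rm -f "$f"      # nothing needs to stay on the KDC host
    done
}
main "$@"
```

keytab_perms_ok deliberately accepts only 400 and 600: a keytab that is group-readable is readable by every member of the hadoop group, not just the daemon user.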
III. Configuring Kerberos authentication for Zookeeper
Note: the following can be configured on one node and copied to the same path on the other nodes; everything is identical except host_name in jaas.conf, which must be set to each node's own hostname!
Edit zoo.cfg in $ZOOKEEPER_HOME/conf/ and append the following to the end of the existing file (the two kerberos.remove* settings strip the host and realm from an authenticated principal, so hadoop/ha01@HADOOP.COM is seen simply as hadoop by sasl: ACLs):
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=
Create jaas.conf in $ZOOKEEPER_HOME/conf/ with the following content (JAAS files accept only // and /* */ comments, not #):
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytab/hadoop.keytab"    // location of the keytab
storeKey=true
useTicketCache=false
principal="zookeeper/host_name@HADOOP.COM";    // must be zookeeper, otherwise zk clients fail at startup later
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytab/hadoop.keytab"
storeKey=true
useTicketCache=false
principal="hadoop/host_name@HADOOP.COM";
};
Create java.env in $ZOOKEEPER_HOME/conf/ with the following content:
export JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_HOME/conf/jaas.conf"
Then restart the Zookeeper service. Note that enabling the SASL auth provider lets clients authenticate with Kerberos, but it does not by itself refuse clients that never authenticate: what protects a znode is its ACL (the sasl: scheme), and newer Zookeeper releases additionally offer sessionRequireClientSASLAuth=true to reject unauthenticated sessions outright.
Connecting with the Zookeeper client:
./zkCli.sh -server <hostname>:
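Because host_name has to be edited by hand on every node, the usual failure after copying jaas.conf around is a principal that does not exist in the local keytab. The following is an added example of mine, not code from the post: it renders jaas.conf from the node's hostname and checks every principal the file names against the keytab with klist. It assumes the realm, service user and keytab path used above; the same check applies unchanged to the zk-jaas.conf that HBase uses later in this post.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-node jaas.conf
# and verify that every principal it names has an entry in the keytab.
# Assumptions: realm HADOOP.COM, service user hadoop, keytab path as above,
# MIT klist for the keytab check.
REALM="HADOOP.COM"
KEYTAB="/etc/security/keytab/hadoop.keytab"

# Print the ZooKeeper jaas.conf for one node.  JAAS files take // and /* */
# comments, not #, so the comments are written that way.
render_zk_jaas() {        # render_zk_jaas <hostname>
    host="$1"
    cat <<EOF
// ZooKeeper server side: must use the zookeeper/<host> principal
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$KEYTAB"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/$host@$REALM";
};
// Client side (zkCli.sh and anything else started with this jaas.conf)
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="$KEYTAB"
  storeKey=true
  useTicketCache=false
  principal="hadoop/$host@$REALM";
};
EOF
}

# List the principals a jaas file refers to, one per line, in file order.
jaas_principals() {       # jaas_principals <jaas-file>
    sed -n 's/.*principal="\([^"]*\)".*/\1/p' "$1"
}

# List the principals stored in a keytab (klist -kt prints a 3-line header).
keytab_principals() {     # keytab_principals <keytab>
    klist -kt "$1" | awk 'NR > 3 { print $NF }' | sort -u
}

# Returns 0 only if every principal in the jaas file has a keytab entry;
# otherwise names each missing principal on stderr.
check_jaas_against_keytab() {   # check_jaas_against_keytab <jaas-file> <keytab>
    missing=0
    for p in $(jaas_principals "$1"); do
        if ! keytab_principals "$2" | grep -qx "$p"; then
            echo "missing in keytab: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage on a node:
#   render_zk_jaas "$(hostname -f)" > "$ZOOKEEPER_HOME/conf/jaas.conf"
#   check_jaas_against_keytab "$ZOOKEEPER_HOME/conf/jaas.conf" "$KEYTAB"
```

Run the check as the hadoop user, since the keytab is readable by nobody else; a "missing in keytab" line means either the hostname in the file is wrong or the keytab on this node was exported for a different host.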
IV. Configuring Kerberos authentication for HDFS
Edit $HADOOP_HOME/etc/hadoop/core-site.xml and add the following to the existing file:
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.rpc.protection</name>
  <value>authentication</value>
</property>
<property>
  <name>hadoop.http.authentication.type</name>
  <value>kerberos</value>
</property>
Edit $HADOOP_HOME/etc/hadoop/hdfs-site.xml and add the following to the existing file:
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>dfs.webhdfs.enabled</name>
  <value>true</value>
</property>
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>dfs.namenode.https-address</name>
  <value>:</value>
</property>
<property>
  <name>dfs.permissions.supergroup</name>
  <value>hadoop</value>
  <description>The name of the group of super-users.</description>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>dfs.datanode.data.dir.perm</name>
</property>
<property>
  <name>dfs.datanode.address</name>
  <value>:</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>:</value>
</property>
<property>
  <name>dfs.data.transfer.protection</name>
  <value>integrity</value>
</property>
<property>
  <name>dfs.journalnode.keytab.file</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.internal.spnego.principal</name>
  <value>${dfs.web.authentication.kerberos.principal}</value>
</property>
<property>
  <name>dfs.journalnode.http-address</name>
  <value>:</value>
</property>
Two points worth knowing about the DataNode settings: with dfs.data.transfer.protection set (authentication, integrity or privacy) and dfs.http.policy=HTTPS_ONLY, the DataNode authenticates its block-transfer protocol with SASL and may listen on non-privileged ports, so it does not have to be started as root through jsvc; if you bind the DataNode to privileged ports (below 1024) instead, the jsvc/HADOOP_SECURE_DN_USER route is required. integrity only authenticates and integrity-checks the traffic; use privacy if block data itself must be encrypted in transit.
Installing the HTTPS service on the Hadoop cluster
Notes: the CA certificate (hdfs_ca_key and hdfs_ca_cert) only needs to be generated on one node; every node, including the one that generated the CA, must then run step 4 and everything after it, and all of the following must be run as root.
1). Generate the CA certificate on ha01 (you are prompted for a password twice). In the subject, C is the country code, ST the province, L the city, O and OU the company or personal domain, and CN is the name of the host generating the CA, ha01 here:
openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days -subj /C=CN/ST=shanxi/L=xian/O=hlk/OU=hlk/CN=ha01
2). Copy the CA key and certificate generated on ha01 into /tmp on every node. (This puts the CA private key on every host, in a world-readable directory; a tighter variant keeps hdfs_ca_key on ha01 only, has each node send just its certificate request there for signing, and ships only the signed certificate and hdfs_ca_cert back.)
scp hdfs_ca_key hdfs_ca_cert $host:/tmp
3). After copying, delete the CA files on ha01. (Once the /tmp copies are removed at the end of step 4, no copy of the CA key remains anywhere, so adding a node later means redoing the whole CA; keep an offline copy if that matters to you.)
rm -rf hdfs_ca_key hdfs_ca_cert
4). Generate the keystore and truststore on every machine (note: every node in the cluster runs the following commands)
Generate the keystore (keytool needs a Java environment, otherwise you get command not found):
name="CN=$HOSTNAME, OU=hlk, O=hlk, L=xian, ST=shanxi, C=CN"
# you are asked for the password from step 1 four times
keytool -keystore keystore -alias localhost -validity -genkey -keyalg RSA -keysize -dname "$name"
Add the CA certificate to the truststore (again prompts for a password):
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
Export a certificate signing request for the key in the keystore:
keytool -certreq -alias localhost -keystore keystore -file cert
Sign the request with the CA:
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days -CAcreateserial
Import the CA certificate and then the CA-signed certificate into the keystore (the CA first, so the chain can be validated on import):
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed
Move the final keystore and truststore into a suitable directory, adding the .jks suffix:
mkdir -p /etc/security/https && chmod /etc/security/https
cp keystore /etc/security/https/keystore.jks
cp truststore /etc/security/https/truststore.jks
Remove the temporary files left in /tmp (the CA key included):
rm -f keystore truststore hdfs_ca_key hdfs_ca_cert.srl hdfs_ca_cert cert_signed cert
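The same CA and keystore procedure, scripted so that the CA private key never leaves ha01 and each node only hands over a certificate request, is shown below as an added example that is not part of the original post. It assumes openssl and a JDK keytool on PATH, GNU coreutils, the CA passphrase in $CA_PASS and the keystore password in $KS_PASS (both read from the environment rather than typed or passed on the command line), the subject fields from the post, and validity periods of my own choosing, since the post's -days values are not preserved.

```shell
#!/bin/sh
# Added example (not from the original post): CA on one host, CSR per node,
# CA-signed certificate with a SAN, then keystore.jks/truststore.jks.
# Assumptions: openssl + keytool on PATH, GNU coreutils, $CA_PASS and $KS_PASS
# set in the environment, subject fields as in the post, validity periods
# chosen here (the post's -days values are not preserved).
CA_DAYS=3650
CERT_DAYS=730
SUBJ_BASE="/C=CN/ST=shanxi/L=xian/O=hlk/OU=hlk"

# 1) On ha01 only: CA key (encrypted with $CA_PASS, owner-only) and CA cert.
make_ca() {                # make_ca <dir>
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days "$CA_DAYS" \
        -keyout "$1/hdfs_ca_key" -out "$1/hdfs_ca_cert" \
        -passout env:CA_PASS -subj "$SUBJ_BASE/CN=hdfs-ca" 2>/dev/null || return 1
    chmod 600 "$1/hdfs_ca_key"
}

# 2) On each node: its own private key and a CSR; only the CSR goes to ha01.
make_node_csr() {          # make_node_csr <dir> <hostname>
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "$SUBJ_BASE/CN=$2" 2>/dev/null || return 1
    chmod 600 "$1/$2.key"
}

# 3) On ha01: sign the CSR.  A subjectAltName is added because TLS clients
#    match the hostname against the SAN, not the CN.
sign_node_csr() {          # sign_node_csr <cadir> <csr> <hostname> <out-cert>
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$3" > "$ext"
    openssl x509 -req -sha256 -days "$CERT_DAYS" -CAcreateserial \
        -CA "$1/hdfs_ca_cert" -CAkey "$1/hdfs_ca_key" -passin env:CA_PASS \
        -in "$2" -out "$4" -extfile "$ext" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

# Check that a certificate chains to our CA and names the expected host.
verify_signed_cert() {     # verify_signed_cert <ca-cert> <cert> <hostname>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text 2>/dev/null | grep -Eq "DNS:$3(,| |\$)" || return 1
}

# 4) On the node: keystore.jks with its own key + chain, truststore.jks with
#    the CA only.  keytool reads the passwords from the environment via :env.
build_node_stores() {      # build_node_stores <dir> <hostname> <ca-cert> <signed-cert>
    cat "$4" "$3" > "$1/chain.pem"
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/chain.pem" -name localhost \
        -out "$1/node.p12" -passout env:KS_PASS || return 1
    keytool -importkeystore -noprompt -srckeystore "$1/node.p12" -srcstoretype PKCS12 \
        -srcstorepass:env KS_PASS -destkeystore "$1/keystore.jks" \
        -deststorepass:env KS_PASS || return 1
    keytool -importcert -noprompt -alias CARoot -file "$3" \
        -keystore "$1/truststore.jks" -storepass:env KS_PASS || return 1
    rm -f "$1/node.p12" "$1/chain.pem"
    chmod 600 "$1/keystore.jks"     # holds the private key: daemon user only
    chmod 644 "$1/truststore.jks"   # holds only the public CA cert
}
```

With this flow the only files that cross the network are the CSR (node to ha01) and the signed certificate plus hdfs_ca_cert (ha01 to node); hdfs_ca_key stays under mode 600 on ha01 and can sign certificates for nodes added later.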
5). Configure $HADOOP_HOME/etc/hadoop/ssl-server.xml and ssl-client.xml
Note: configure these two files on one node and copy them to the same location on the other nodes! Both files hold the keystore and truststore passwords in clear text, so keep ssl-server.xml readable only by the user the daemons run as (hadoop here), and do not carry a trivial password like the one in this example into production.
Configure $HADOOP_HOME/etc/hadoop/ssl-client.xml:
################################ ssl-client.xml #########################################
<property>
  <name>ssl.client.truststore.location</name>
  <value>/etc/security/https/truststore.jks</value>
  <description>Truststore to be used by clients like distcp. Must be specified.</description>
</property>
<property>
  <name>ssl.client.truststore.password</name>
  <value>hadoop</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
  <name>ssl.client.truststore.reload.interval</name>
  <description>Truststore reload check interval, in milliseconds. Default value is ( seconds).</description>
</property>
<property>
  <name>ssl.client.keystore.location</name>
  <value>/etc/security/https/keystore.jks</value>
  <description>Keystore to be used by clients like distcp. Must be specified.</description>
</property>
<property>
  <name>ssl.client.keystore.password</name>
  <value>hadoop</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>hadoop</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
Configure $HADOOP_HOME/etc/hadoop/ssl-server.xml:
################################ ssl-server.xml #########################################
<property>
  <name>ssl.server.truststore.location</name>
  <value>/etc/security/https/truststore.jks</value>
  <description>Truststore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>hadoop</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
  <name>ssl.server.truststore.reload.interval</name>
  <description>Truststore reload check interval, in milliseconds. Default value is ( seconds).</description>
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/etc/security/https/keystore.jks</value>
  <description>Keystore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>hadoop</value>
  <description>Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>hadoop</value>
  <description>Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
Verification
First distribute the configuration files to all nodes. Then, on every node, obtain a ticket for the hadoop user from the keytab generated in step one:
kinit -kt /etc/security/keytab/hadoop.keytab $USER/$HOSTNAME (run on every node)
Then run klist to check that a ticket was issued; if it shows a validity and an expiry time, the ticket was created successfully.
Finally run hadoop fs -ls / and confirm that HDFS resources are listed normally. It is also worth checking the negative case once: after kdestroy, the same command should fail with a GSS/Kerberos error, which confirms that authentication is actually being enforced rather than merely configured.
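A check script that audits the settings from this section in core-site.xml and hdfs-site.xml and then exercises the live cluster the way the verification step does, including the negative cases (no ticket, anonymous WebHDFS) that prove authentication is enforced. It is an added example, not part of the original post; it assumes the keytab path, realm and service user from earlier sections, takes the NameNode HTTPS host:port and a PEM copy of the CA certificate as arguments, and the config reader is a small awk routine of my own that only understands the simple name/value layout Hadoop XML uses, not a Hadoop tool.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Kerberos/HTTPS settings
# in the Hadoop XML files, then verify on the live cluster that unauthenticated
# access is refused and authenticated access works.
# Assumptions: realm HADOOP.COM, service user hadoop, keytab path as above,
# hadoop/kinit/curl on PATH for the live checks; the awk XML reader only
# handles the plain <name>/<value> layout Hadoop configuration files use.
REALM="HADOOP.COM"
KEYTAB="/etc/security/keytab/hadoop.keytab"

# Print the <value> that belongs to <name>key</name> in a Hadoop config file
# (empty output if the key is absent).
conf_value() {             # conf_value <key> <file>
    awk -v key="$1" '
        /<name>/ { n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n); name = n }
        /<value>/ && name == key {
            v = $0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v); print v; exit
        }' "$2"
}

# Compare one key against its expected value; mismatches are counted in $bad.
expect_conf() {            # expect_conf <file> <key> <expected>
    got=$(conf_value "$2" "$1")
    if [ "$got" != "$3" ]; then
        echo "$2 = '$got' (want '$3')" >&2
        bad=$((bad + 1))
    fi
}

# Returns the number of settings that differ from the secure configuration
# described in this section (0 means everything matches).
audit_hdfs_conf() {        # audit_hdfs_conf <core-site.xml> <hdfs-site.xml>
    bad=0
    expect_conf "$1" hadoop.security.authentication kerberos
    expect_conf "$1" hadoop.security.authorization true
    expect_conf "$1" hadoop.http.authentication.type kerberos
    expect_conf "$2" dfs.block.access.token.enable true
    expect_conf "$2" dfs.http.policy HTTPS_ONLY
    case "$(conf_value dfs.data.transfer.protection "$2")" in
        authentication|integrity|privacy) ;;
        *) echo "dfs.data.transfer.protection is not set" >&2; bad=$((bad + 1)) ;;
    esac
    return $bad
}

# Live checks: RPC and WebHDFS must both refuse an anonymous caller and accept
# the keytab principal (SPNEGO over HTTPS, verified against our CA).
live_checks() {            # live_checks <namenode-https-host:port> <ca-cert.pem>
    kdestroy -q 2>/dev/null || true
    if hadoop fs -ls / >/dev/null 2>&1; then
        echo "RPC accepted a caller with no ticket" >&2; return 1
    fi
    kinit -kt "$KEYTAB" "hadoop/$(hostname -f)@$REALM" || return 1
    hadoop fs -ls / >/dev/null || return 1
    url="https://$1/webhdfs/v1/?op=LISTSTATUS"
    anon=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$2" "$url")
    [ "$anon" = "401" ] || { echo "anonymous WebHDFS got HTTP $anon" >&2; return 1; }
    auth=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$2" --negotiate -u : "$url")
    [ "$auth" = "200" ] || { echo "SPNEGO WebHDFS got HTTP $auth" >&2; return 1; }
}

# Usage (as the hadoop user, on any node):
#   audit_hdfs_conf $HADOOP_HOME/etc/hadoop/core-site.xml $HADOOP_HOME/etc/hadoop/hdfs-site.xml
#   live_checks ha01:<https-port> <path-to-hdfs_ca_cert.pem>
```

The 401 from the anonymous WebHDFS call is the interesting result: it shows that hadoop.http.authentication.type=kerberos is active on the HTTPS endpoint, which the successful hadoop fs -ls / alone does not prove.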
V. Configuring Kerberos authentication for YARN
Edit $HADOOP_HOME/etc/hadoop/yarn-site.xml and add the following to the existing file:
<property>
  <name>yarn.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>yarn.resourcemanager.webapp.address.rm1</name>
  <value>ha01:</value>
</property>
<property>
  <name>yarn.resourcemanager.webapp.https.address.rm1</name>
  <value>ha01:</value>
</property>
<property>
  <name>yarn.resourcemanager.webapp.address.rm2</name>
  <value>ha02:</value>
</property>
<property>
  <name>yarn.resourcemanager.webapp.https.address.rm2</name>
  <value>ha02:</value>
</property>
<property>
  <name>yarn.log-aggregation-enable</name>
  <value>true</value>
</property>
<property>
  <name>yarn.log-aggregation.retain-seconds</name>
</property>
<property>
  <description>Where to aggregate logs to.</description>
  <name>yarn.nodemanager.remote-app-log-dir</name>
  <value>/tmp/logs/yarn-nodemanager</value>
</property>
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>yarn.nodemanager.container-executor.class</name>
  <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
  <name>yarn.nodemanager.linux-container-executor.group</name>
  <value>hadoop</value>
</property>
Edit $HADOOP_HOME/etc/hadoop/mapred-site.xml and add the following to the existing file:
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
Distribute the modified configuration files to all nodes.
Edit $HADOOP_HOME/etc/hadoop/container-executor.cfg, replacing the default content with the following:
#configured value of yarn.nodemanager.linux-container-executor.group
yarn.nodemanager.linux-container-executor.group=hadoop
#comma separated list of users who can not run applications
banned.users=root
#Prevent other super-users
min.user.id=
#comma separated list of system users who CAN run applications
allowed.system.users=hadoop
Note: container-executor.cfg must not contain spaces or blank lines, otherwise container-executor reports an error!
Configuring YARN to use LinuxContainerExecutor (required on every node)
1) On all nodes change the owner and permissions of the container-executor binary: owner root, group hadoop, and the setuid/setgid mode that lets it launch containers as the submitting user. Its default path is $HADOOP_HOME/bin:
chown root:hadoop /data/hadoop-/bin/container-executor
chmod /data/hadoop-/bin/container-executor
2) On all nodes change the owner and permissions of container-executor.cfg: the file and every directory above it must be owned by root with group hadoop, and the file itself must carry the restrictive mode container-executor requires (it refuses to start if the file or its path is writable by anyone else). Its default path is $HADOOP_HOME/etc/hadoop:
chown root:hadoop /data/hadoop-/etc/hadoop/container-executor.cfg
chown root:hadoop /data/hadoop-/etc/hadoop
chown root:hadoop /data/hadoop-/etc
chown root:hadoop /data/hadoop-
chown root:hadoop /data
chmod /data/hadoop-/etc/hadoop/container-executor.cfg
Start YARN with start-yarn.sh.
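The setuid container-executor binary refuses to run when its configuration file, or any directory above it, is not owned by root or is writable by others, and the post warns that sloppy cfg syntax makes it fail as well. The following pre-flight checks, added here as an example and not part of the original post, test for exactly those conditions before start-yarn.sh is run. They assume GNU stat and the group hadoop from the post; the expected modes (6050 for the binary, 0400 for the cfg file) are the ones in the Hadoop secure-mode documentation, since the post's own values are not preserved here.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# LinuxContainerExecutor setup above (binary permissions, root-owned path to
# container-executor.cfg, strict cfg syntax and the values this setup needs).
# Assumptions: GNU stat, group "hadoop" as in the post; expected modes 6050
# (binary) and 0400 (cfg) taken from the Hadoop secure-mode documentation.
CE_GROUP="hadoop"

# Every path element from <path> up to / must be owned by root and must not
# be group- or world-writable; names the first offender on stderr.
ancestors_root_owned() {   # ancestors_root_owned <path>
    p="$1"
    while :; do
        owner=$(stat -c '%U' "$p" 2>/dev/null) || return 1
        mode=$(stat -c '%a' "$p" 2>/dev/null) || return 1
        go=$(printf '%s' "$mode" | tail -c 2)      # group and other digits
        case "$owner:$go" in
            root:[0145][0145]) ;;                  # write bit (2) absent in both
            *) echo "insecure path element: $p ($owner, mode $mode)" >&2; return 1 ;;
        esac
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# The binary must be root:hadoop, setuid+setgid, with no access for "other".
check_ce_binary() {        # check_ce_binary <path-to-container-executor>
    info=$(stat -c '%U:%G:%a' "$1" 2>/dev/null) || return 1
    case "$info" in
        "root:$CE_GROUP:6"??0) return 0 ;;
        *) echo "container-executor is $info, want root:$CE_GROUP:6050" >&2; return 1 ;;
    esac
}

# Strict syntax as the post's note describes it: '#' comments, key=value
# lines only, no blank lines, no whitespace; plus the values this setup needs.
validate_ce_cfg() {        # validate_ce_cfg <file>
    errs=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '#'*) continue ;;
            '') echo "line $n: blank line" >&2; errs=$((errs + 1)); continue ;;
            *[[:space:]]*) echo "line $n: whitespace not allowed" >&2; errs=$((errs + 1)); continue ;;
            *=*) ;;
            *) echo "line $n: not key=value" >&2; errs=$((errs + 1)); continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            yarn.nodemanager.linux-container-executor.group)
                [ "$val" = "$CE_GROUP" ] || { echo "group is '$val', want $CE_GROUP" >&2; errs=$((errs + 1)); } ;;
            min.user.id)
                case "$val" in ''|*[!0-9]*) echo "min.user.id must be numeric" >&2; errs=$((errs + 1)) ;; esac ;;
            banned.users)
                case ",$val," in *,root,*) ;; *) echo "banned.users should include root" >&2; errs=$((errs + 1)) ;; esac ;;
        esac
    done < "$1"
    return $errs
}

# The cfg must be root-owned with mode 0400, sit on a root-owned, non-writable
# path, and pass the syntax/value checks above.
check_ce_cfg() {           # check_ce_cfg <path-to-container-executor.cfg>
    info=$(stat -c '%U:%a' "$1" 2>/dev/null) || return 1
    case "$info" in
        root:400) ;;
        *) echo "container-executor.cfg is $info, want root:400" >&2; return 1 ;;
    esac
    ancestors_root_owned "$(dirname "$1")" && validate_ce_cfg "$1"
}

# Usage (as root, on every NodeManager):
#   check_ce_binary "$HADOOP_HOME/bin/container-executor"
#   check_ce_cfg "$HADOOP_HOME/etc/hadoop/container-executor.cfg"
```

The path walk matters more than it looks: a group-writable /data or a world-writable /data/hadoop-<version>/etc would let a non-root user swap the cfg file, and with it the allowed.system.users list, underneath a setuid-root binary.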
VI. Configuring Kerberos authentication for HBase
Edit $HBASE_HOME/conf/hbase-site.xml and add the following to the existing file:
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
  <name>hbase.master.kerberos.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>hbase.master.keytab.file</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>hadoop/_HOST@HADOOP.COM</value>
</property>
<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/etc/security/keytab/hadoop.keytab</value>
</property>
These settings make HBase authenticate its clients; they do not decide who may read or write which table. Enforcing that additionally requires hbase.security.authorization=true and the AccessController coprocessor alongside TokenProvider, which this post does not configure.
Create zk-jaas.conf under $HBASE_HOME/conf/ with the following content:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/etc/security/keytab/hadoop.keytab"
useTicketCache=false
principal="hadoop/host_name@HADOOP.COM";
};
Note: host_name in principal="hadoop/host_name@HADOOP.COM"; must be replaced with each node's own hostname.
Add the following to $HBASE_HOME/conf/hbase-env.sh:
# set HBASE_OPTS to the following
export HBASE_OPTS="-XX:+UseConcMarkSweepGC -Djava.security.auth.login.config=$HBASE_HOME/conf/zk-jaas.conf"
# tell HBase to use the separately installed zk cluster instead of managing its own
export HBASE_MANAGES_ZK=false