参考链接:
https://www.cloudera.com/documentation/enterprise/5-8-x/topics/security.html
一、前置准备
1、基础环境说明
操作系统:CentOS 6.8 minimal
CDM版本: 5.12.1
CDH版本:5.12.1
MySQL版本: 5.1.73
JDK: 1.8.0_131
浏览器版本: ChromeStandalone_56以上、IE10
内存:32G以上
CPU :8core
网络:千兆以上
集群未启用Kerberos
2、CDH安装
参考《CDH5.12.0集群安装》
二、KDC服务安装及配置
1、安装KDC服务
# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
2、配置KDC服务
1). 修改/etc/krb5.conf
# vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BOE01.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
BOE01.COM = {
kdc = boe01.localdomain
admin_server = boe01.localdomain
}
[domain_realm]
.boe01.localdomain = BOE01.COM
boe01.localdomain = BOE01.COM
2). 修改/var/kerberos/krb5kdc/kadm5.acl
# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin\@BOE01.COM *
3). 修改/var/kerberos/krb5kdc/kdc.conf
# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
BOE01.COM = {
#master_key_type = aes256-cts
max_renewable_life= 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal
arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
4). 创建Kerberos数据库
# kdb5_util create –r BOE01.COM -s
Loading random data
Initializing database ‘/var/kerberos/krb5kdc/principal’ for realm ‘BOE01.COM’,
master key name ‘K/M\@BOE01.COM’
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:设置密码
Re-enter KDC database master key to verify:确认密码
5). 创建Kerberos的管理账号
# kadmin.local
Authenticating as principal root/admin\@BOE01.COM with password.
kadmin.local: add (可以按tab补全命令)
add_policy add_principal addpol addprinc
kadmin.local: addprinc admin/admin\@BOE01.COM
WARNING: no policy specified for admin/admin\@BOE01.COM; defaulting to no policy
Enter password for principal “admin/admin\@BOE01.COM”: 设置密码
Re-enter password for principal “admin/admin\@BOE01.COM”: 确认密码
Principal “admin/admin\@BOE01.COM” created.
kadmin.local: exit
6). 添加自启动服务并启动服务
# chkconfig –level 35 krb5kdc on
# chkconfig –level 35 kadmin on
# /etc/init.d/krb5kdc start
# /etc/init.d/kadmin start
7). 测试Kerberos管理员账号
# kinit admin/admin\@BOE01.COM
Password for admin/admin\@BOE01.COM:
# klist
# klist -e
3、集群所有节点安装Kerberos客户端(包括CM)
# yum -y install krb5-libs krb5-workstation
CM节点安装额外组件
# yum -y install openldap-clients
4、拷贝配置文件
将KDC Server上的krb5.conf文件拷贝到所有Kerberos客户端(即集群所有节点)
# scp /etc/krb5.conf boe02:/etc/
# scp /etc/krb5.conf boe03:/etc/
三、CDH集群启用Kerberos
1、配置集群JDK(如未安装JDK参考install_java.sh)
下载jce_policy-8.zip
链接: http://www.oracle.com/technetwork/java/javase/downloads/index.html
# 7za x jce_policy-8.zip
# cp UnlimitedJCEPolicyJDK8/*.jar /usr/jdk64/jdk1.8.0_131/jre/lib/security/
登陆CM:
主页搜索java_home:
设置java_home:
2、KDC添加Cloudera Manager管理员账号
# kadmin.local
Authenticating as principal admin/admin\@BOE01.COM with password.
kadmin.local: addprinc cloudera-scm/admin\@BOE01.COM
WARNING: no policy specified for cloudera-scm/admin\@BOE01.COM; defaulting to no
policy
Enter password for principal “cloudera-scm/admin\@BOE01.COM”:
Re-enter password for principal “cloudera-scm/admin\@BOE01.COM”:
Principal “cloudera-scm/admin\@BOE01.COM” created.
kadmin.local: exit
3、配置启用kerberos
1). 启用Kerberos
进入Cloudera Manager的“管理”-> “安全”界面->启用Kerberos
2).检查信息
确保如下列出的所有检查项都已完成
3).配置KDC信息
配置KDC类型、KDC服务器、KDC Realm、加密类型以及待创建的Service
Principal(hdfs,yarn,,hbase,hive等)的更新生命期等,点击“继续”
4).KRB5配置
不建议让Cloudera Manager来管理krb5.conf,点击“继续”
5).输入CM的Kerbers管理员账号
必须和之前创建的账号一致,点击“继续”,等待启用Kerberos完成,点击“继续”
6).Kerberos主体
7).重启集群
重启成功:
至此已成功启用Kerberos。