Kerberos learning (3)

Moving on to the Kerberos integration with Hadoop.

In fact, this topic is already well covered on the Internet, so there is nothing very new here; along the way it also covers how the Hadoop accounts are created and managed.

The KDC and kadmin were installed earlier, so the next step is to create the Hadoop-related accounts.

First, use kadmin to enter the Kerberos administration prompt; it asks for the password of the admin account created earlier.

Then you can create the accounts; type ? to list the available commands. For example, we create the following accounts.

# In the kadmin prompt: create two principals with random keys and export each one to its own keytab
addprinc -randkey hdfs/[email protected]
xst -k hdfs.keytab hdfs/[email protected]
addprinc -randkey HTTP/[email protected]
xst -k HTTP.keytab HTTP/[email protected]
# Exit the prompt to return to the shell, then start ktutil and merge the two keytabs
rkt hdfs.keytab
rkt HTTP.keytab
wkt hdfs.keytab
quit
This merges the original hdfs.keytab and HTTP.keytab into a new hdfs.keytab. Note that wkt appends to a keytab file that already exists rather than replacing it, so if the old hdfs.keytab is still in place the merged file will contain duplicate entries; remove the old file first, or write the merged keylist to a new filename.

The idea is to first create the accounts related to HDFS and then export them as keytab files, which let the services authenticate without a password. In Hadoop, it is best to keep the principals of one service together in a single keytab. For example, hdfs and HTTP both belong to the HDFS service, so we create these two accounts first and merge their keys into one keytab.

In the same way, you can create accounts such as yarn/[email protected], mapred/[email protected], oozie, hive, and so on.

Then modify hdfs-site.xml and add:

  <property>
    <name>dfs.namenode.keytab.file</name>
    <value>hdfs.keytab</value>
  </property>
  <property>
    <name>dfs.namenode.kerberos.principal</name>
    <value>hdfs/[email protected]</value>
  </property>
  <property>
    <name>dfs.namenode.kerberos.internal.spnego.principal</name>
    <value>HTTP/[email protected]</value>
  </property>
  <property>
    <name>dfs.datanode.kerberos.principal</name>
    <value>hdfs/[email protected]</value>
  </property>
  <property>
    <name>dfs.journalnode.kerberos.principal</name>
    <value>hdfs/[email protected]</value>
  </property>
  <property>
    <name>dfs.journalnode.kerberos.internal.spnego.principal</name>
    <value>HTTP/[email protected]</value>
  </property>
  <property>
    <name>dfs.cluster.administrators</name>
    <value>hdfs</value>
  </property>

By analogy, the keytab of yarn/[email protected] can also be merged with the HTTP keytab, and the same goes for the mapred account. The premise is that you are using SPNEGO for HTTP login authentication; if you are not using SPNEGO, you do not need to add an HTTP account at all. As for what SPNEGO is, see the separate explanation.


Of course, you can also write a shell script that automates the commands for creating the accounts and merging the keytabs.
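As an added example (not from the original post), the script below generates the kadmin and ktutil command batches for a list of Hadoop services, prints them by default, and pipes them into kadmin.local and ktutil when given the argument run. The realm, host name and keytab directory are assumed placeholders; ktadd is the same kadmin command the post calls xst, and the merged keytab deliberately gets a new name because wkt appends to an existing file.

```sh
#!/bin/sh
# Assumed values (not from the original post): adjust to your KDC and hosts.
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
NODE_FQDN="${NODE_FQDN:-nn1.example.com}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"
MODE="${1:-print}"   # "print" shows the generated commands, "run" feeds them to the tools

# Emit the kadmin commands for one service principal: create it with a random
# key and export that key into a per-service keytab (ktadd == xst in kadmin).
kadmin_script() {  # $1 = service name, $2 = host FQDN
  printf 'addprinc -randkey %s/%s@%s\n' "$1" "$2" "$KRB_REALM"
  printf 'ktadd -k %s/%s.keytab %s/%s@%s\n' "$KEYTAB_DIR" "$1" "$1" "$2" "$KRB_REALM"
}

# Emit the ktutil commands that merge a service keytab with the HTTP (SPNEGO)
# keytab. The output file gets a new name on purpose: wkt appends to a keytab
# that already exists, so writing back into the input file would duplicate entries.
ktutil_script() {  # $1 = service name
  printf 'rkt %s/%s.keytab\n' "$KEYTAB_DIR" "$1"
  printf 'rkt %s/HTTP.keytab\n' "$KEYTAB_DIR"
  printf 'wkt %s/%s-merged.keytab\n' "$KEYTAB_DIR" "$1"
  printf 'quit\n'
}

# Path of the merged keytab a service should be configured with (*.keytab.file).
merged_keytab() { printf '%s/%s-merged.keytab\n' "$KEYTAB_DIR" "$1"; }

# Either run a tool on the generated commands (stdin) or just show them.
feed() {  # $1 = tool name
  if [ "$MODE" = run ]; then "$1"; else printf '### %s\n' "$1"; cat; fi
}

main() {
  for svc in HTTP hdfs yarn mapred; do
    kadmin_script "$svc" "$NODE_FQDN" | feed kadmin.local
  done
  for svc in hdfs yarn mapred; do
    ktutil_script "$svc" | feed ktutil
    # A keytab is a password equivalent: make it readable only by its owner.
    if [ "$MODE" = run ]; then chmod 400 "$(merged_keytab "$svc")"; fi
  done
}

main
```

In run mode the script must be executed on the KDC host as a user allowed to run kadmin.local; the merged files are then what dfs.namenode.keytab.file and the corresponding yarn and mapred settings should point to.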
