1, create principals
Note:
192.168.0.230 is a single-node cluster
192.168.4.50 is the KDC server
192.168.0.9 is the client
1.1, create principals on the KDC server
# kadmin.local -q 'addprinc -randkey presto'
# kadmin.local -q 'addprinc -randkey presto/yjt'
1.2, create the keytab file
# kadmin.local -q 'xst -norandkey -k presto.keytab presto presto/yjt hive/yjt nn/yjt'
The keys of the two principals hive/yjt and nn/yjt must also be added to the keytab: hive/yjt is used when Presto connects to the Hive cluster, and nn/yjt is used for operations on HDFS.
1.3, distribute the keytab file
# scp presto.keytab 192.168.0.230:/data1/hadoop/presto
Run the following on the cluster node:
# chmod 444 /data1/hadoop/presto/presto.keytab
1.4, generate keystore files
Generate the keystore on the Presto master node:
# keytool -genkeypair -alias localhost -keyalg RSA -keystore keystore.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: yjt
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=slave1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: y
Enter key password for <localhost>
(RETURN if same as keystore password):
Re-enter new password:
Note: The alias above should be the current host name; you can also use localhost.
2, modify the Presto configuration files
2.1, modify hive.properties
Add the following attributes:
# Kerberos settings for Presto's access to the Hive Metastore service; this section can be present on the Presto Coordinator node only
hive.metastore.authentication.type=KERBEROS
hive.metastore.service.principal=hive/[email protected]
hive.metastore.client.principal=presto/[email protected]
hive.metastore.client.keytab=/data1/hadoop/presto/presto.keytab
# Kerberos settings for Presto's access to HDFS; this section can be present on the Presto Worker nodes only
hive.hdfs.authentication.type=KERBEROS
hive.hdfs.impersonation.enabled=true
hive.hdfs.presto.principal=nn/[email protected]
hive.hdfs.presto.keytab=/data1/hadoop/presto/presto.keytab
2.1, modify jvm.properties
Add the following attributes:
-Dsun.security.krb5.debug=true
-Dlog.enable-console=true
-Djava.security.krb5.conf=/etc/krb5.conf
2.2, modify the config.properties
Add the following attributes:
http-server.authentication.type=KERBEROS
http.server.authentication.krb5.service-name=presto
http.server.authentication.krb5.keytab=/data1/hadoop/presto/presto.keytab
http.authentication.krb5.config=/etc/krb5.conf
http-server.https.enabled=true
http-server.https.port=7778
http-server.https.keystore.path=/data1/hadoop/presto/keystore.jks
#http-server.https.keystore.path=/data1/hadoop/keystore/keystore
http-server.https.keystore.key=123456
Note: http-server.https.keystore.key is the keystore password that was entered when the keystore was created.
2.3, restart presto
# launcher restart
3, test
$ presto --server https://yjt:7778 --krb5-config-path /etc/krb5.conf --krb5-principal presto/yjt --krb5-keytab-path /data1/hadoop/presto/presto.keytab --krb5-remote-service-name presto --keystore-path /data1/hadoop/keystore/keystore --keystore-password 123456 --catalog hive --schema default
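The files created in steps 1.3 to 2.2 can be checked before the coordinator is put into use: chmod 444 leaves presto.keytab readable by every local account, the keystore password is stored in cleartext in config.properties, and the Kerberos debug flag is still on. The script below is an added example, not part of the original guide or of Presto; the function names (parse_properties, beyond_owner, audit) are made up here, and it assumes the account that runs Presto owns the keytab and the properties files, so modes 400 and 600 are enough.

```python
import os
import stat

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def beyond_owner(path):
    """Return the mode as octal text if group/other have any access, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "03o") if mode & 0o077 else None

def audit(properties_path, jvm_config_path=None):
    """Return findings (strings) for one properties file and an optional JVM options file."""
    findings = []
    with open(properties_path) as fh:
        props = parse_properties(fh.read())
    # A keytab holds long-term keys: whoever can read it can authenticate
    # as every principal stored in it.
    for key, path in sorted(props.items()):
        if key.endswith(".keytab"):
            if not os.path.isfile(path):
                findings.append(f"{key}: {path} not found")
            elif beyond_owner(path):
                findings.append(f"{key}: {path} has mode {beyond_owner(path)}, expected 400")
    # The keystore password sits in cleartext in the properties file,
    # so the file itself has to be owner-only.
    if "http-server.https.keystore.key" in props and beyond_owner(properties_path):
        findings.append(f"{properties_path}: holds keystore password, mode "
                        f"{beyond_owner(properties_path)}, expected 600")
    # Kerberos debug output is a troubleshooting aid; flag it if still on.
    if jvm_config_path:
        with open(jvm_config_path) as fh:
            for line in fh:
                if line.replace(" ", "").strip() == "-Dsun.security.krb5.debug=true":
                    findings.append(f"{jvm_config_path}: sun.security.krb5.debug still enabled")
    return findings
```

Call audit() once per properties file, for example on hive.properties and on config.properties together with the JVM options file; an empty list means none of the three conditions was found.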