Integrating Presto with Kerberos and accessing a Kerberos-enabled Hive cluster

1, Create the principals

Note:

192.168.0.230 is a single-node cluster

192.168.4.50 is the KDC server

192.168.0.9 is the client

1.1, Create the principals on the KDC server

# kadmin.local -q 'addprinc -randkey presto'

# kadmin.local -q 'addprinc -randkey presto/yjt'

1.2, Create the keytab file

# kadmin.local -q 'xst -norandkey -k presto.keytab presto presto/yjt hive/yjt nn/yjt'

The keys for the two principals hive/yjt and nn/yjt above also need to be added to the keytab: hive/yjt is used by Presto to connect to the Hive cluster, and nn/yjt is used for operations on HDFS.

1.3, Distribute the keytab file

# scp presto.keytab 192.168.0.230:/data1/hadoop/presto

Run the following on the cluster node:

# chmod 444 /data1/hadoop/presto/presto.keytab

1.4, Generate the keystore file

Generate the keystore on the Presto master node:

# keytool -genkeypair -alias localhost -keyalg RSA -keystore keystore.jks

Enter keystore password:

Re-enter new password:

What is your first and last name?

  [Unknown]:  yjt

What is the name of your organizational unit?

  [Unknown]:

What is the name of your organization?

  [Unknown]:

What is the name of your City or Locality?

  [Unknown]:

What is the name of your State or Province?

  [Unknown]:

What is the two-letter country code for this unit?

  [Unknown]:

Is CN=slave1, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

  [no]:  y

Enter key password for <localhost>

    (RETURN if same as keystore password):

Re-enter new password:

Note: the alias above is the current host name; you can also use localhost.

 

2, Modify the Presto configuration files

2.1, Modify hive.properties

Add the following attributes:

# Kerberos settings for Presto to access the Hive Metastore service; this section may exist only on Presto's Coordinator node

hive.metastore.authentication.type=KERBEROS

hive.metastore.service.principal=hive/[email protected]

hive.metastore.client.principal=presto/[email protected]

hive.metastore.client.keytab=/data1/hadoop/presto/presto.keytab

 

# Kerberos settings for Presto to access HDFS; this section may exist only on Presto's Worker nodes

hive.hdfs.authentication.type=KERBEROS

hive.hdfs.impersonation.enabled=true

hive.hdfs.presto.principal=nn/[email protected]

hive.hdfs.presto.keytab=/data1/hadoop/presto/presto.keytab

2.1, Modify jvm.properties

Add the following attributes:

-Dsun.security.krb5.debug=true

-Dlog.enable-console=true

-Djava.security.krb5.conf=/etc/krb5.conf

2.2, Modify config.properties

Add the following attributes:

http-server.authentication.type=KERBEROS

 

http.server.authentication.krb5.service-name=presto

http.server.authentication.krb5.keytab=/data1/hadoop/presto/presto.keytab

http.authentication.krb5.config=/etc/krb5.conf

 

http-server.https.enabled=true

http-server.https.port=7778

 

http-server.https.keystore.path=/data1/hadoop/presto/keystore.jks

#http-server.https.keystore.path=/data1/hadoop/keystore/keystore

http-server.https.keystore.key=123456

 

Note: http-server.https.keystore.key above is the password that was entered when the keystore was created.

2.3, Restart Presto

# launcher restart

3, Test

$ presto --server https://yjt:7778 --krb5-config-path /etc/krb5.conf --krb5-principal presto/yjt --krb5-keytab-path /data1/hadoop/presto/presto.keytab --krb5-remote-service-name presto --keystore-path /data1/hadoop/keystore/keystore --keystore-password 123456 --catalog hive --schema default
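
An added check, not part of the original post: the steps above leave the keytab at mode 444 (readable by every local account), store the keystore password in config.properties, and switch on Kerberos debug logging, so this script reports each of those conditions for a Presto etc directory. The function names, the finding labels and the etc/catalog layout are assumptions of this example, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# prop FILE KEY: print the value of an uncommented KEY in a properties file.
prop() {
    awk -F= -v k="$2" '{ n = $1; gsub(/[ \t]/, "", n) }
        n == k { sub(/^[^=]*=[ \t]*/, ""); print }' "$1" 2>/dev/null | tail -n 1
}

# loose FILE: succeed when group or others hold any permission bit.
loose() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case $m in 0|*00) return 1 ;; *) return 0 ;; esac
}

# audit ETC_DIR: print one finding per line (labels are this example's own).
audit() {
    cfg=$1/config.properties hive=$1/catalog/hive.properties
    { prop "$hive" hive.metastore.client.keytab
      prop "$hive" hive.hdfs.presto.keytab
      prop "$cfg" http.server.authentication.krb5.keytab; } | sort -u |
    while read -r kt; do
        if [ -f "$kt" ] && loose "$kt"; then echo "KEYTAB_READABLE $kt"; fi
    done
    if [ -n "$(prop "$cfg" http-server.https.keystore.key)" ] && loose "$cfg"
    then echo "KEYSTORE_PASSWORD_READABLE $cfg"; fi
    # jvm.* covers both jvm.config and the jvm.properties name used above.
    if grep -qsF -- '-Dsun.security.krb5.debug=true' "$1"/jvm.*
    then echo "KRB5_DEBUG_ON $1"; fi
}

# make_sample DIR: constructed sample tree mirroring this page's settings.
make_sample() {
    mkdir -p "$1/catalog"
    : > "$1/presto.keytab"; chmod 444 "$1/presto.keytab"  # empty stand-in
    printf '%s\n' "hive.metastore.client.keytab=$1/presto.keytab" \
        "hive.hdfs.presto.keytab=$1/presto.keytab" > "$1/catalog/hive.properties"
    printf '%s\n' "http.server.authentication.krb5.keytab=$1/presto.keytab" \
        'http-server.https.keystore.key=123456' > "$1/config.properties"
    chmod 644 "$1/config.properties"
    echo '-Dsun.security.krb5.debug=true' > "$1/jvm.config"
}

# With an argument, audit that etc directory; otherwise use the sample.
if [ $# -gt 0 ]; then audit "$1"
else d=$(mktemp -d); make_sample "$d"; audit "$d"; rm -rf "$d"; fi
```

Run it with the Presto etc directory as its argument; no output means none of the three conditions was found.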

 

Origin www.cnblogs.com/yjt1993/p/11769595.html