Kerberos deployment

Use the worker1 node as the Kerberos server.

# Install the Kerberos packages
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
# Install the SASL tools; Impala needs them when Kerberos is enabled
yum -y install cyrus-sasl-plain cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5

Edit the /etc/krb5.conf file

# Comment out the following line; leaving it active causes the error: [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
# default_ccache_name = KEYRING:persistent:%{uid}
cp -n /etc/krb5.conf /etc/krb5.conf.bak && \
cp -f /etc/krb5.conf.bak /etc/krb5.conf && \
sed -i 's/#//g' /etc/krb5.conf && \
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /etc/krb5.conf && \
sed -i 's/kerberos.example.com/worker-1/g' /etc/krb5.conf && \
sed -i 's/example.com/worker-1/g' /etc/krb5.conf && \
sed -i 's/ default_ccache_name/# default_ccache_name/g' /etc/krb5.conf && \
sed -i 's/ Configuration/# Configuration/g' /etc/krb5.conf
diff /etc/krb5.conf.bak /etc/krb5.conf
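The sed chain above uncomments the whole file and then re-comments two lines, so it is worth verifying the result rather than eyeballing the diff. The following added example (not part of the original post) parses a constructed krb5.conf that mirrors the expected outcome and checks the three things the steps above set: default_ccache_name commented out, default_realm = HAINIU.COM, and kdc/admin_server = worker-1. The sample text itself is constructed here; the realm and host names come from the page.

```python
# Constructed sample: /etc/krb5.conf as it should look after the sed chain above
SAMPLE_KRB5_CONF = """\
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[libdefaults]
 dns_lookup_realm = false
 forwardable = true
 default_realm = HAINIU.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HAINIU.COM = {
  kdc = worker-1
  admin_server = worker-1
 }
"""

def parse_krb5_conf(text):
    """Tiny krb5.conf parser: {section: {key: value}}; realm block keys become 'REALM.key'."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out key must not count as set
        if not line or section is None and not line.startswith("["):
            continue  # blank lines and top-level directives such as includedir
        if line.startswith("["):
            section, block = line.strip("[]"), None
            sections.setdefault(section, {})
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = key
            else:
                sections[section][f"{block}.{key}" if block else key] = value
    return sections

def check_krb5_conf(text, realm="HAINIU.COM", kdc_host="worker-1"):
    """Return the list of deviations from the edits above; an empty list means the file is as expected."""
    conf = parse_krb5_conf(text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    problems = []
    if "default_ccache_name" in lib:  # keyring cache is what triggers "Failed to find any Kerberos tgt"
        problems.append("default_ccache_name is still active in [libdefaults]")
    if lib.get("default_realm") != realm:
        problems.append(f"default_realm is {lib.get('default_realm')!r}, expected {realm!r}")
    for key in ("kdc", "admin_server"):
        if realms.get(f"{realm}.{key}") != kdc_host:
            problems.append(f"{realm} {key} is {realms.get(realm + '.' + key)!r}, expected {kdc_host!r}")
    return problems
```

Run it against the real file with `check_krb5_conf(open("/etc/krb5.conf").read())`; an empty list means the three edits took effect.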

Edit the /var/kerberos/krb5kdc/kdc.conf file

cp -n /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf.bak && \
cp -f /var/kerberos/krb5kdc/kdc.conf.bak /var/kerberos/krb5kdc/kdc.conf && \
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /var/kerberos/krb5kdc/kdc.conf
diff /var/kerberos/krb5kdc/kdc.conf.bak /var/kerberos/krb5kdc/kdc.conf

Edit the /var/kerberos/krb5kdc/kadm5.acl file

cp -n /var/kerberos/krb5kdc/kadm5.acl /var/kerberos/krb5kdc/kadm5.acl.bak && \
cp -f /var/kerberos/krb5kdc/kadm5.acl.bak /var/kerberos/krb5kdc/kadm5.acl && \
sed -i 's/EXAMPLE.COM/HAINIU.COM/g' /var/kerberos/krb5kdc/kadm5.acl
diff /var/kerberos/krb5kdc/kadm5.acl.bak /var/kerberos/krb5kdc/kadm5.acl

Configure the Kerberos service

Create the Kerberos database and set its master password to hainiu1688

/usr/sbin/kdb5_util create -s

Create the cloudera-scm/admin principal for CDH and set its password to hainiu1688

kadmin.local

   addprinc cloudera-scm/admin

   hainiu1688

   hainiu1688

   exit

Set the Maximum renewable life of krbtgt/HAINIU.COM@HAINIU.COM to 90 days (the default is 0 days). This fixes the startup failure of the Hue role Kerberos Ticket Renewer when Kerberos is enabled in CDH.

kadmin.local

   modprinc -maxrenewlife 90day krbtgt/HAINIU.COM@HAINIU.COM

   getprinc krbtgt/HAINIU.COM@HAINIU.COM

   exit

Start the Kerberos service

# Start the Kerberos services and enable them at boot
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin
systemctl status krb5kdc
systemctl status kadmin

Kerberos client installation

# Install the Kerberos client packages on the worker nodes
yum -y install krb5-libs krb5-workstation
# Copy the configuration file from the master node to the worker nodes
scp /etc/krb5.conf root@worker-1:/etc/krb5.conf
scp /etc/krb5.conf root@worker-2:/etc/krb5.conf
scp /etc/krb5.conf root@worker-3:/etc/krb5.conf
ssh root@worker-1 cat /etc/krb5.conf
ssh root@worker-2 cat /etc/krb5.conf
ssh root@worker-3 cat /etc/krb5.conf

Kerberos authentication test

# Run on a client
# Obtain a ticket
kinit cloudera-scm/admin
   hainiu1688
# List the ticket
klist
# Destroy the ticket
kdestroy

Integrating CDH with Kerberos

Enable Kerberos on the cluster

Administration -> Security -> Enable Kerberos

  • Page 1: confirm the checklist

Yes, I have set up a working KDC.

Yes, I have checked that the KDC allows renewable tickets.

Yes, I have installed the client libraries.

Yes, I have created a proper account for Cloudera Manager.

  • Page 2: enter the KDC information

KDC Type: MIT KDC

Kerberos Security Realm: HAINIU.COM

KDC Server Host: worker-1

KDC Admin Server Host: worker-1

Kerberos Encryption Types: rc4-hmac

Maximum Renewable Life for Principals: 5

  • Page 3: do not tick Manage krb5.conf through Cloudera Manager; continue directly
  • Page 4: the cloudera-scm/admin account and password

cloudera-scm/admin

hainiu1688

  • Pages 5 and 6: Continue
  • Page 7: confirm the HDFS privileged ports and choose to restart the cluster

Yes, I am ready to restart the cluster now.

  • Follow the prompts on the remaining pages

Original article by 海汼部落