安装Kerberos服务端和客户端

时间 2021-08-12

标签 java node vim 安全 bash markdown dom tcp ide oop 栏目 Java 繁體版

原文原文链接

简介

Kerberos认证流程

环境准备

安装Kerberos服务端

yum安装

yum install krb5-server krb5-libs krb5-workstation -y

vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 120
 udp_preference_limit = 1
 
[realms]
 HADOOP.COM = {
  kdc = node1
  admin_server = node1
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
 node1 = HADOOP.COM
 node2 = HADOOP.COM
 node3 = HADOOP.COM
 node4 = HADOOP.COM
 node5 = HADOOP.COM

说明：
[logging]：表示server端的日志的打印位置
udp_preference_limit = 1 禁止使用udp能够防止一个Hadoop中的错误
ticket_lifetime：代表凭证生效的时限，通常为24小时。
renew_lifetime：代表凭证最长能够被延期的时限，通常为一个礼拜。当凭证过时以后，对安全认证的服务的后续访问则会失败。
clockskew：时钟误差是不彻底符合主机系统时钟的票据时戳的容差，超过此容差将不接受此票据，单位是秒java

vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

vim /var/kerberos/krb5kdc/kadm5.acl

#修改以下
*/admin@HADOOP.COM  *
#kadm5.acl 文件更多内容可参考：kadm5.acl

只要名称知足上述规则就能够拥有最高权限。node

初始化kerberos database

cd /var/kerberos/krb5kdc/
kdb5_util create -s -r HADOOP.COM
# hust@4400

图示有误，是会建立4个文件。vim

建立帐户

kadmin.local
addprinc root/admin@HADOOP.COM
listprincs

设置开机自启

[root@node1 krb5kdc]# systemctl restart krb5kdc.service
[root@node1 krb5kdc]# systemctl restart kadmin
[root@node1 krb5kdc]# systemctl enable krb5kdc.service
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node1 krb5kdc]# systemctl enable kadmin.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node1 krb5kdc]#

安装Kerberos客户端

每个node节点都须要安装客户端及其配置。安全

yum安装

yum install krb5-libs krb5-workstation -y

vim /etc/krb5.conf

或者直接将server节点的该配置文件拷贝到各个节点便可：bash

[root@node1 krb5kdc]# scp /etc/krb5.conf node2:/etc/krb5.conf
krb5.conf                                                                                                          100%  557   544.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node3:/etc/krb5.conf
krb5.conf                                                                                                          100%  557   561.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node4:/etc/krb5.conf
krb5.conf                                                                                                          100%  557   490.3KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node5:/etc/krb5.conf
krb5.conf                                                                                                          100%  557   472.8KB/s   00:00
[root@node1 krb5kdc]#

客户端登陆服务端

kinit root/admin@HADOOP.COM
#输入密码后没任何输出表示正确
klist
#登陆 输入密码后进入
kadmin
listprincs

规划Hadoop中各个服务分配kerberos的principal

nm和nodemanager可自定义，易于识别便可
markdown

配置HDFS

配置HDFS相关的kerberos帐户

keytab文件就至关于kerberos帐户的钥匙，有了它就能够免密使用该帐户。dom

mkdir /etc/security/keytabs
cd /etc/security/keytabs
kadmin

node1上的服务：

建一个就好了，其余的多余！！
addprinc -rankey hdfs/node1@HADOOP.COMtcp

kadmin
addprinc -rankey nn/node1@HADOOP.COM
addprinc -rankey rm/node1@HADOOP.COM
addprinc -rankey HTTP/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/nn.service.keytab nn/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/rm.service.keytab rm/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/node1@HADOOP.COM

ll /etc/security/keytabs

cd /etc/security/keytabs
chmod 400 *

编译及拷贝程序

core-site.xml

hdfs-site.xml

本身配置

kerberos server上执行kadmin.local：ide

kadmin.local:  addprinc hdfs/node1@HADOOP.COM
kadmin.local:  addprinc hdfs/node2@HADOOP.COM
kadmin.local:  addprinc hdfs/node3@HADOOP.COM
kadmin.local:  addprinc hdfs/node4@HADOOP.COM
kadmin.local:  addprinc hdfs/node5@HADOOP.COM
kadmin.local:  addprinc http/node1@HADOOP.COM
kadmin.local:  addprinc http/node2@HADOOP.COM
kadmin.local:  addprinc http/node3@HADOOP.COM
kadmin.local:  addprinc http/node4@HADOOP.COM
kadmin.local:  addprinc http/node5@HADOOP.COM

 
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node1@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node2@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node3@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node4@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node5@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node1@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node2@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node3@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node4@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node5@HADOOP.COM