Integrating Hadoop, HBase and ZooKeeper with Kerberos authentication

Note: before configuring Kerberos authentication, make sure the Kerberos KDC (krb5kdc and kadmin) is installed and running, and that every cluster host has an /etc/krb5.conf that points at it and names the same default realm.

1. Environment

The cluster is a self-built one made of native Apache components (Hadoop 3.1.3, HBase and ZooKeeper). All daemons are started and operated as the ordinary user hadoop, the hosts are named ha01, ha02, ..., and the Kerberos server (KDC and kadmin) runs on ha01.

2. Generating the keytabs for HDFS, ZooKeeper and HBase

1) Generate the keytab (one per host)

Because the cluster is started and used as the ordinary user hadoop, the keytab needs a credential for the hadoop user. It also needs an HTTP credential, which the cluster's HTTP endpoints (web UIs, WebHDFS, JournalNode edit-log sync) use for SPNEGO authentication, and a zookeeper credential, because the Server section of ZooKeeper's jaas.conf must log in under the zookeeper service name. With krb5kdc and kadmin running, log on to the node that hosts the Kerberos server (ha01 here) as root and run the commands below. $host is the fully-qualified hostname of the node the keytab is for, and REALM stands for your Kerberos realm; use the same realm consistently throughout the rest of this page.

#credential for the HTTP (SPNEGO) service
kadmin.local -q "addprinc -randkey HTTP/$host@REALM"
#credential for the ZooKeeper server (the service name must be "zookeeper")
kadmin.local -q "addprinc -randkey zookeeper/$host@REALM"
#credential for the hadoop user that runs the daemons
kadmin.local -q "addprinc -randkey hadoop/$host@REALM"
#export the three credentials into one keytab; hadoop.keytab is the name of the resulting file
kadmin.local -q "xst -k hadoop.keytab hadoop/$host HTTP/$host zookeeper/$host"

After these commands, hadoop.keytab is in the directory they were run from. Prepare a directory for keytabs on every cluster node ahead of time; here each node's keytab is placed in a pre-created /etc/security/keytab directory. The four commands must be run once per cluster node on the Kerberos server ha01, with $host replaced by that node's hostname, because every host needs its own keytab, and each generated hadoop.keytab is then copied over the network to /etc/security/keytab on the corresponding node.

Two things to watch when exporting: kadmin's xst re-randomizes a principal's key every time it exports it (pass -norandkey to avoid that), so exporting the same principal a second time silently invalidates the earlier keytab; and the key version numbers shown by klist -kt must match what the KDC holds, otherwise logins from the keytab fail.

A keytab is a permanent credential: whoever holds it can authenticate as the principals it contains without a password (it only stops working when the principal's key in the KDC is changed). Any other user with read access to the file can therefore impersonate those identities against every service in the cluster, so the keytab must be readable only by its owner (the hadoop user here):

#give the keytab directory to the hadoop user and group
chown -R hadoop:hadoop /etc/security/keytab
#make hadoop.keytab readable only by its owner (mode 400)
chmod 400 /etc/security/keytab/hadoop.keytab
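As an added example (not code from the original post, and not part of MIT Kerberos), the following stand-alone Python reads the keytab file that `kadmin.local -q "xst -k hadoop.keytab ..."` produces and lists the principals, key version numbers and encryption types it contains, the same information `klist -kt` prints. It then checks that the three per-host principals this page relies on are all present. The sample keytab is constructed inline (realm EXAMPLE.COM and host ha01 are placeholders), and deliberately lacks the zookeeper entry so the check has something to report.

```python
"""Parse an MIT Kerberos keytab (format version 0x0502) and list its entries.

Added example, not from the original post: a reader for the file that
`kadmin.local -q "xst -k hadoop.keytab ..."` writes, so the contents of
/etc/security/keytab/hadoop.keytab can be checked offline. The realm and
hostnames used below are constructed sample values.
"""
import struct
from typing import List, NamedTuple


class KeytabEntry(NamedTuple):
    principal: str   # e.g. hadoop/ha01@EXAMPLE.COM
    kvno: int        # key version number
    enctype: int     # RFC 3961 encryption type (18 = aes256-cts-hmac-sha1-96)
    timestamp: int   # unix time the entry was written


def _take(buf: bytes, off: int, fmt: str):
    """Unpack one big-endian struct at `off`; return (values, new offset)."""
    return struct.unpack_from(fmt, buf, off), off + struct.calcsize(fmt)


def _octets(buf: bytes, off: int):
    """A keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,), off = _take(buf, off, ">H")
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-0x0502 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,), off = _take(data, off, ">i")
        if size < 0:                      # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,), off = _take(data, off, ">H")
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _octets(data, off)
            comps.append(comp.decode())
        (_name_type, ts, kvno8), off = _take(data, off, ">IIB")
        (enctype, klen), off = _take(data, off, ">HH")
        off += klen                       # the key material itself is not needed here
        kvno = kvno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit field
            (kvno32,), off = _take(data, off, ">I")
            if kvno32:
                kvno = kvno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
        off = end
    return entries


def missing_principals(entries: List[KeytabEntry], host: str, realm: str,
                       users=("hadoop", "HTTP", "zookeeper")) -> List[str]:
    """Per-host principals this page's services need that the keytab does not contain."""
    have = {e.principal for e in entries}
    wanted = [f"{u}/{host}@{realm}" for u in users]
    return [p for p in wanted if p not in have]


def _entry(principal: str, kvno: int, enctype: int = 18, key: bytes = b"\x00" * 32) -> bytes:
    """Build one keytab record; used only to construct the sample file below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed sample: what xst would write for ha01, minus the zookeeper entry.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("hadoop/ha01@EXAMPLE.COM", 2) + _entry("HTTP/ha01@EXAMPLE.COM", 2)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"kvno {e.kvno:3d}  {e.principal}  (enctype {e.enctype})")
    print("missing:", missing_principals(entries, "ha01", "EXAMPLE.COM"))
```

Run it against a real file with `parse_keytab(open("/etc/security/keytab/hadoop.keytab", "rb").read())` as the hadoop user; if a principal is listed as missing, or its kvno differs from what `kadmin.local -q "getprinc ..."` reports, the keytab was exported before a later re-randomization and must be regenerated.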

3. Configuring Kerberos authentication for ZooKeeper

Note: the files below can be prepared on one node and copied to the same paths on the other nodes. Everything is identical except the host_name in the jaas.conf of 3.2, which must be changed to the local node's hostname on each node.

3.1 Edit the existing $ZOOKEEPER_HOME/conf/zoo.cfg and append the following at the end:

kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
 
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000

authProvider.1 enables SASL (here GSSAPI, i.e. Kerberos) authentication on the server, and jaasLoginRenew is the interval in milliseconds at which the server logs in again from its keytab to refresh its ticket. The two kerberos.remove* flags decide which identity ZooKeeper derives from a client's principal for ACL checks: with both set to true, hadoop/ha01@REALM and hadoop/ha02@REALM both become the id hadoop, so a single ACL such as sasl:hadoop:cdrwa works for every node of the cluster. Note that the SASL provider by itself does not turn unauthenticated clients away: what protects data is the ACL on each znode (the default ACL on / is world:anyone:cdrwa, which grants everything to everyone), and ZooKeeper 3.6 and later additionally offer sessionRequireClientSASLAuth=true to refuse sessions that do not authenticate.

3.2 Create $ZOOKEEPER_HOME/conf/jaas.conf with the following content (host_name is the local node's hostname, REALM your Kerberos realm):

Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytab/hadoop.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/host_name@REALM";
};
 
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytab/hadoop.keytab"
  storeKey=true
  useTicketCache=false
  principal="hadoop/host_name@REALM";
};

keyTab points at the keytab generated in section 2. The Server principal must use the service name zookeeper: ZooKeeper clients ask the KDC for a ticket for zookeeper/<server host> (the service name comes from the zookeeper.sasl.client.username property, whose default is zookeeper), so a server logged in under any other name makes every client connection fail. Keep annotations out of this file: the JAAS parser understands Java-style // and /* */ comments only, not #.

3.3 Create $ZOOKEEPER_HOME/conf/java.env with the following content:

export JVMFLAGS="-Djava.security.auth.login.config=$ZOOKEEPER_HOME/conf/jaas.conf"

zkEnv.sh sources this file, so zkServer.sh (which logs in with the Server section) and zkCli.sh (which logs in with the Client section) both pick up the same JAAS configuration.

3.4 Restart the ZooKeeper service.

3.5 Connecting with the ZooKeeper client

./zkCli.sh -server <hostname>:2181

The client authenticates from the keytab named in the Client section, so no kinit is needed; the client log should report a successful SASL (GSSAPI) login. To confirm that authentication is really enforced, create a test znode, give it an ACL of the form sasl:hadoop:cdrwa with setAcl, and check that it can still be read from this authenticated session but not from a zkCli.sh started without the JAAS configuration.
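As an added example (not ZooKeeper's own code and not from the original post), the Python below reproduces what the two kerberos.remove* flags from 3.1 do to an authenticated principal and then evaluates a znode ACL string in the format setAcl accepts (for example sasl:hadoop:cdrwa) against the resulting identity. It shows why the flags matter: with them on, one ACL covers hadoop/ha01 and hadoop/ha02 alike; with them off, the identity keeps host and realm and the same ACL no longer matches. Principals, realm and ACL strings are constructed samples.

```python
"""ZooKeeper SASL identities and znode ACLs under the zoo.cfg flags above.

Added example, not ZooKeeper's own code: it reproduces the effect of
kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal on an
authenticated Kerberos principal, then evaluates an ACL string in the
setAcl format (e.g. "sasl:hadoop:cdrwa") against that identity.
Principals, realm and ACLs below are constructed sample values.
"""
from typing import List, Optional, Tuple

# ZooKeeper permission letters: create, delete, read, write, admin
PERM_LETTERS = set("cdrwa")


def sasl_identity(principal: str, remove_host: bool = True, remove_realm: bool = True) -> str:
    """Reduce "user[/host][@REALM]" to the id ZooKeeper compares sasl: ACL entries against."""
    name, _, realm = principal.partition("@")
    user, _, host = name.partition("/")
    ident = user
    if host and not remove_host:
        ident += "/" + host
    if realm and not remove_realm:
        ident += "@" + realm
    return ident


def parse_acl(acl: str) -> List[Tuple[str, str, str]]:
    """'sasl:hadoop:cdrwa,world:anyone:r' -> [(scheme, id, permission letters), ...]"""
    entries = []
    for item in acl.split(","):
        scheme, ident, perms = item.split(":")
        if not set(perms) <= PERM_LETTERS:
            raise ValueError(f"bad permission letters in {item!r}")
        entries.append((scheme, ident, perms))
    return entries


def allowed(acl: str, principal: Optional[str], op: str,
            remove_host: bool = True, remove_realm: bool = True) -> bool:
    """Does a session authenticated as `principal` (None = unauthenticated) hold permission `op`?"""
    ident = sasl_identity(principal, remove_host, remove_realm) if principal else None
    for scheme, who, perms in parse_acl(acl):
        if op not in perms:
            continue
        if scheme == "world" and who == "anyone":
            return True                    # granted to everyone, authenticated or not
        if scheme == "sasl" and ident is not None and who == ident:
            return True
    return False


if __name__ == "__main__":
    acl = "sasl:hadoop:cdrwa"
    for node in ("ha01", "ha02"):
        p = f"hadoop/{node}@EXAMPLE.COM"
        print(f"{p} -> {sasl_identity(p)}  write allowed: {allowed(acl, p, 'w')}")
    # with the flags off the id keeps host and realm, and one ACL no longer fits every node
    print("flags off:", allowed(acl, "hadoop/ha01@EXAMPLE.COM", "w", remove_host=False, remove_realm=False))
    print("anonymous read:", allowed(acl, None, "r"))
```

The last line is the point of the check suggested in 3.5: a znode whose ACL contains only sasl: entries is unreadable to an unauthenticated session, whereas the default world:anyone:cdrwa ACL would grant it everything.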

4. Configuring Kerberos authentication for HDFS

4.1 Edit $HADOOP_HOME/etc/hadoop/core-site.xml and add the following to the existing file:

<!-- Kerberos authentication -->
<property>
	<name>hadoop.security.authentication</name>
	<value>kerberos</value>
</property>
 
<property>
	<name>hadoop.security.authorization</name>
	<value>true</value>
</property>
<property>
	<name>hadoop.rpc.protection</name>
	<value>authentication</value>
</property>
<property>
	<name>hadoop.http.authentication.type</name>
	<value>kerberos</value>
</property>

hadoop.rpc.protection=authentication only authenticates RPC calls; integrity adds message integrity checks and privacy additionally encrypts the RPC traffic, at some CPU cost. hadoop.security.authorization=true turns on service-level authorization, whose rules live in hadoop-policy.xml. hadoop.http.authentication.type=kerberos only takes effect on the generic Hadoop web UIs together with hadoop.http.filter.initializers=org.apache.hadoop.security.AuthenticationFilterInitializer and the hadoop.http.authentication.kerberos.principal / hadoop.http.authentication.kerberos.keytab settings; the NameNode's own web endpoints, including WebHDFS, are secured through the dfs.web.authentication.* settings in 4.2.

4.2 Edit $HADOOP_HOME/etc/hadoop/hdfs-site.xml and add the following to the existing file. REALM is your Kerberos realm; _HOST is replaced by the local hostname when the daemon starts, so this file can be copied unchanged to every node.

<!-- Kerberos authentication for the NameNode -->
	<property>
		<name>dfs.block.access.token.enable</name>
		<value>true</value>
	</property>
	<property>
		<name>dfs.namenode.keytab.file</name>
		<value>/etc/security/keytab/hadoop.keytab</value>
	</property>
	<property>
		<name>dfs.namenode.kerberos.principal</name>
		<value>hadoop/_HOST@REALM</value>
	</property>
	<property>
		<name>dfs.web.authentication.kerberos.principal</name>
		<value>HTTP/_HOST@REALM</value>
	</property>
	<property>
		<name>dfs.web.authentication.kerberos.keytab</name>
		<value>/etc/security/keytab/hadoop.keytab</value>
	</property>
	
	<!-- HTTPS for the NameNode web UI -->
	<property>
		<name>dfs.webhdfs.enabled</name>
		<value>true</value>
	</property>
	<property>
		<name>dfs.http.policy</name>
		<value>HTTPS_ONLY</value>
	</property>
	<property>
		<name>dfs.namenode.https-address</name>
		<value>0.0.0.0:50070</value>
	</property>
	<property>
		<name>dfs.permissions.supergroup</name>
		<value>hadoop</value>
		<description>The name of the group of super-users.</description>
	</property>
	
	<!-- Kerberos authentication for the DataNodes -->
	<property>
		<name>dfs.datanode.keytab.file</name>
		<value>/etc/security/keytab/hadoop.keytab</value>
	</property>
	
	<property>
		<name>dfs.datanode.kerberos.principal</name>
		<value>hadoop/_HOST@REALM</value>
	</property>
	
	<!-- DataNode SASL data-transfer settings -->
	<property>  
		<name>dfs.datanode.data.dir.perm</name>  
		<value>700</value>  
	</property>
	
	<property>
		<name>dfs.datanode.address</name>
		<value>0.0.0.0:50010</value>
	</property>
	
	<property>
		<name>dfs.datanode.http.address</name>
		<value>0.0.0.0:50075</value>
	</property>
	
	<property>
		<name>dfs.data.transfer.protection</name>
		<value>integrity</value>
	</property>
	
	<!-- Kerberos authentication for the JournalNodes -->
	<property>
		<name>dfs.journalnode.keytab.file</name>
		<value>/etc/security/keytab/hadoop.keytab</value>
	</property>
 
	<property>
		<name>dfs.journalnode.kerberos.principal</name>
		<value>hadoop/_HOST@REALM</value>
	</property>
 
	<property>
		<name>dfs.journalnode.kerberos.internal.spnego.principal</name>
		<value>${dfs.web.authentication.kerberos.principal}</value>
	</property>
	
	<property>
        <name>dfs.journalnode.http-address</name>
        <value>0.0.0.0:8480</value>
    </property>

Notes on these settings. dfs.block.access.token.enable must be true once security is on: it is what makes a DataNode check that the NameNode authorized a client for a block before serving it. The DataNode here listens on the non-privileged ports 50010 and 50075 as the hadoop user; in secure mode that is only permitted because dfs.data.transfer.protection is set and dfs.http.policy is HTTPS_ONLY, which switches block transfer to SASL. Without those two settings a secure DataNode has to bind privileged ports (below 1024) and be started as root through jsvc. dfs.datanode.data.dir.perm=700 is mandatory in either case; the DataNode refuses to start if its data directories are more permissive. dfs.data.transfer.protection=integrity authenticates and integrity-protects block traffic; use privacy if the data itself must be encrypted on the wire. Finally, 50070 is the traditional HTTP port of the NameNode and is reused here as the HTTPS port (the Hadoop 3 defaults are 9870 for HTTP and 9871 for HTTPS); with HTTPS_ONLY only the https-address is bound, so browsers and WebHDFS clients must use https://<namenode>:50070. The group named in dfs.permissions.supergroup (hadoop) is the HDFS superuser group, so keep its membership small.

4.3. Setting up HTTPS for the Hadoop cluster

Overview: the CA key and certificate (hdfs_ca_key and hdfs_ca_cert) are generated only once, on any one node. Step 4 onwards has to be run on every node, including the node that generated the CA, and everything below is run as root.

1) Generate the CA key and certificate on ha01. openssl asks for the key's pass phrase twice. In the subject, C is the two-letter country code (CN for China), ST the province, L the city, O and OU the organisation or personal domain, and CN is the common name, here the hostname ha01 on which the CA is generated.

openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj /C=CN/ST=shanxi/L=xian/O=hlk/OU=hlk/CN=ha01

2) Copy the CA key and certificate generated on ha01 to the /tmp directory of every node:

scp hdfs_ca_key hdfs_ca_cert $host:/tmp

This is the quick route taken here, and it puts the CA's private key on every node, in a shared directory. The key is pass-phrase protected, but a cleaner design keeps the CA key on ha01 only, sends each node's signing request (the cert file from step 4.3) to ha01 for signing, and copies back just cert_signed. If you do distribute the key, make sure the copies are readable by root only (mode 600).

3) Once the copies are in place, delete the CA files on ha01:

rm -rf hdfs_ca_key hdfs_ca_cert

4) Generate the keystore and truststore on each machine (note: every node in the cluster must run the following commands)

4.1) Generate the keystore. keytool is part of the JDK, so a Java environment is required, otherwise "command not found".

name="CN=$HOSTNAME, OU=hlk, O=hlk, L=xian, ST=shanxi, C=CN"
#keytool asks for the keystore password twice and the key password twice
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "$name"

The original procedure reuses the pass phrase from step 1 for these four prompts. What actually matters is that the keystore and key passwords are the ones later written into ssl-server.xml and ssl-client.xml (step 5), which this page sets to hadoop. The CN must be the hostname that clients use to reach the node (the name in dfs.namenode.https-address and the ResourceManager addresses), because Hadoop's default hostname verifier checks the certificate against it.

4.2) Add the CA certificate to the truststore (a password is asked for again):

keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert

4.3) Export a certificate signing request from the keystore:

keytool -certreq -alias localhost -keystore keystore -file cert

4.4) Sign the request with the CA (this asks for the CA key's pass phrase):

openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial

4.5) Import the CA certificate and then the CA-signed certificate into the keystore. The CA certificate must go in first, otherwise keytool cannot build the chain for the signed certificate:

keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
keytool -keystore keystore -alias localhost -import -file cert_signed

4.6) Move the final keystore and truststore to a suitable directory, adding the .jks suffix:

mkdir -p /etc/security/https && chmod 755 /etc/security/https
cp keystore /etc/security/https/keystore.jks
cp truststore /etc/security/https/truststore.jks

keystore.jks contains the node's private key, so after copying it give it to the user that runs the daemons (hadoop) and make it readable by that user only, just like the keytab. The truststore holds only the CA certificate and can stay world-readable.

4.7) Remove the temporary files left in /tmp:

rm -f keystore truststore hdfs_ca_key hdfs_ca_cert.srl hdfs_ca_cert cert_signed cert

5). Configure $HADOOP_HOME/etc/hadoop/ssl-server.xml and ssl-client.xml

Note: prepare these two files on one node and copy them to the same path on the other nodes. The passwords in them (hadoop below) must be the keystore and key passwords chosen in step 4.1, and they are stored in clear text: keep ssl-server.xml readable only by the hadoop user, or supply the passwords through the Hadoop credential provider API, which the SSL configuration supports.

5.1) Configure $HADOOP_HOME/etc/hadoop/ssl-client.xml

################################ ssl-client.xml #########################################
<configuration>
    <property>
      <name>ssl.client.truststore.location</name>
      <value>/etc/security/https/truststore.jks</value>
      <description>Truststore to be used by clients like distcp. Must be specified.</description>
    </property>
    
    <property>
      <name>ssl.client.truststore.password</name>
      <value>hadoop</value>
      <description>Optional. Default value is "".</description>
    </property>
 
    <property>
      <name>ssl.client.truststore.type</name>
      <value>jks</value>
      <description>Optional. The keystore file format, default value is "jks".</description>
    </property>
 
    <property>
      <name>ssl.client.truststore.reload.interval</name>
      <value>10000</value>
      <description>Truststore reload check interval, in milliseconds.Default value is 10000 (10 seconds).</description>
    </property>
 
    <property>
      <name>ssl.client.keystore.location</name>
      <value>/etc/security/https/keystore.jks</value>
      <description>Keystore to be used by clients like distcp. Must be specified.</description>
    </property>
 
    <property>
      <name>ssl.client.keystore.password</name>
      <value>hadoop</value>
      <description>Optional. Default value is "".</description>
    </property>
 
    <property>
      <name>ssl.client.keystore.keypassword</name>
      <value>hadoop</value>
      <description>Optional. Default value is "".</description>
    </property>
 
    <property>
      <name>ssl.client.keystore.type</name>
      <value>jks</value>
      <description>Optional. The keystore file format, default value is "jks".</description>
    </property>
</configuration>           

5.2) Configure $HADOOP_HOME/etc/hadoop/ssl-server.xml

################################ ssl-server.xml #########################################
<configuration>
 <property>
   <name>ssl.server.truststore.location</name>
   <value>/etc/security/https/truststore.jks</value>
   <description>Truststore to be used by NN and DN. Must be specified.
   </description>
 </property>
 
 <property>
   <name>ssl.server.truststore.password</name>
   <value>hadoop</value>
   <description>Optional. Default value is "".
   </description>
 </property>
 
 <property>
   <name>ssl.server.truststore.type</name>
   <value>jks</value>
   <description>Optional. The keystore file format, default value is "jks".
   </description>
 </property>
 
 <property>
   <name>ssl.server.truststore.reload.interval</name>
   <value>10000</value>
   <description>Truststore reload check interval, in milliseconds.
   Default value is 10000 (10 seconds).
   </description>
 </property>
 
 <property>
   <name>ssl.server.keystore.location</name>
   <value>/etc/security/https/keystore.jks</value>
   <description>Keystore to be used by NN and DN. Must be specified.
   </description>
 </property>
 
 <property>
   <name>ssl.server.keystore.password</name>
   <value>hadoop</value>
   <description>Must be specified.
   </description>
 </property>
 
 <property>
   <name>ssl.server.keystore.keypassword</name>
   <value>hadoop</value>
   <description>Must be specified.</description>
 </property>
 
 <property>
   <name>ssl.server.keystore.type</name>
   <value>jks</value>
   <description>Optional. The keystore file format, default value is "jks".</description>
 </property>
</configuration>           

4.4. Verification

First distribute all the modified configuration files (core-site.xml, hdfs-site.xml, ssl-server.xml and ssl-client.xml) to every node.

Then, as the hadoop user on every node, obtain a ticket from the /etc/security/keytab/hadoop.keytab generated in section 2:

#run on every node as the hadoop user; $USER/$HOSTNAME expands to hadoop/<this host>,
#and the realm defaults to the default_realm in /etc/krb5.conf
kinit -kt /etc/security/keytab/hadoop.keytab $USER/$HOSTNAME

Next run klist: a ticket with valid-from and expiry times means the ticket was issued. Start HDFS and run hadoop fs -ls / ; it should list the root directory normally. Check the negative case as well: after kdestroy the same command must fail with a GSS/SASL authentication error instead of listing anything, which confirms that the cluster now rejects unauthenticated callers.

5. Configuring Kerberos authentication for YARN

5.1 Edit $HADOOP_HOME/etc/hadoop/yarn-site.xml and add the following to the existing file (REALM is your Kerberos realm; _HOST is expanded to the local hostname):

<!-- serve the YARN web UI over HTTPS only -->
<property>
	<name>yarn.http.policy</name>
	<value>HTTPS_ONLY</value>
</property>
<!-- RM1 web address -->
<property>
    <name>yarn.resourcemanager.webapp.address.rm1</name>
    <value>ha01:23188</value>
</property>
<!-- RM1 HTTPS web address (cluster information) -->
<property>
    <name>yarn.resourcemanager.webapp.https.address.rm1</name>
    <value>ha01:23188</value>
</property>
<!-- RM2 web address -->
<property>
    <name>yarn.resourcemanager.webapp.address.rm2</name>
    <value>ha02:23188</value>
</property>
<!-- RM2 HTTPS web address (cluster information) -->
<property>
    <name>yarn.resourcemanager.webapp.https.address.rm2</name>
    <value>ha02:23188</value>
</property>
<!-- enable log aggregation for the YARN cluster -->
<property>
    <name>yarn.log-aggregation-enable</name>
    <value>true</value>
</property>
<!-- how long aggregated logs are kept, in seconds -->
<property>
    <name>yarn.log-aggregation.retain-seconds</name>
    <!-- 86400 = 1 day; 604800 would be 7 days -->
    <value>86400</value>
</property>
<!-- HDFS path under which the logs of submitted applications are aggregated -->
<property>
	<description>Where to aggregate logs to.</description>
	<name>yarn.nodemanager.remote-app-log-dir</name>
	<value>/tmp/logs/yarn-nodemanager</value>
</property>
<!-- YARN Kerberos security -->
<property>
	<name>yarn.resourcemanager.keytab</name>
	<value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
	<name>yarn.resourcemanager.principal</name>
	<value>hadoop/_HOST@REALM</value>
</property>
<property>
	<name>yarn.nodemanager.keytab</name>
	<value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
	<name>yarn.nodemanager.principal</name>
	<value>hadoop/_HOST@REALM</value>
</property>
<property>
    <name>yarn.nodemanager.container-executor.class</name>
    <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<!-- the group here must be the group the NodeManager user belongs to -->
<property>
    <name>yarn.nodemanager.linux-container-executor.group</name>
    <value>hadoop</value>
</property>

With yarn.http.policy=HTTPS_ONLY it is the *.webapp.https.address values that are served; both keys are kept on port 23188 so that the two ResourceManagers advertise a single port. The log-aggregation settings have nothing to do with Kerberos and appear here only because they live in the same file. LinuxContainerExecutor is what makes YARN run each container as the user who submitted the job rather than as the NodeManager user; without it, every job runs with the NodeManager's identity and Kerberos authentication of the client buys little. It relies on the setuid helper and its configuration described in 5.3 and 5.4.

5.2 Edit $HADOOP_HOME/etc/hadoop/mapred-site.xml and add the following to the existing file:

<!-- MapReduce JobHistory Kerberos security -->
<property>
	 <name>mapreduce.jobhistory.keytab</name>
	 <value>/etc/security/keytab/hadoop.keytab</value>
</property>
<property>
	 <name>mapreduce.jobhistory.principal</name>
	 <value>hadoop/_HOST@REALM</value>
</property>

5.2.1 Distribute the modified configuration files to every node.

5.3 Edit $HADOOP_HOME/etc/hadoop/container-executor.cfg, replacing the default content with the following:

#configured value of yarn.nodemanager.linux-container-executor.group
yarn.nodemanager.linux-container-executor.group=hadoop
#comma separated list of users who can not run applications
banned.users=root
#Prevent other super-users
min.user.id=500
#comma separated list of system users who CAN run applications
allowed.system.users=hadoop

Note: the file must contain no spaces around the = and no blank lines, otherwise the container-executor binary rejects it and container launches fail. The rules it expresses are: root may never launch containers; any user whose uid is below min.user.id (500 here) is refused unless listed in allowed.system.users, which is how the hadoop service account (a low-uid system user on this cluster) is let through; every other user with uid 500 or above may run containers. Setting banned.users replaces the binary's built-in default list, so add any other service accounts you want kept out.
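As an added example (not Hadoop's native container-executor code and not from the original post), the Python below parses the container-executor.cfg shown above with the strictness the note describes and applies the three user rules the file encodes, so the effect of banned.users, min.user.id and allowed.system.users on a given user and uid can be checked before a job is submitted. SAMPLE_CFG is the file from this page; the users and uids fed to it are constructed.

```python
"""Admission rules encoded in container-executor.cfg.

Added example, not Hadoop's native container-executor code: it parses the
key=value file shown above (no blank lines, no spaces, '#' comments) and
applies the user rules it expresses: banned.users, min.user.id and
allowed.system.users. SAMPLE_CFG is the file from this page; the users
and uids below are constructed.
"""
from typing import Dict, Set

SAMPLE_CFG = """#configured value of yarn.nodemanager.linux-container-executor.group
yarn.nodemanager.linux-container-executor.group=hadoop
#comma separated list of users who can not run applications
banned.users=root
#Prevent other super-users
min.user.id=500
#comma separated list of system users who CAN run applications
allowed.system.users=hadoop"""


def parse_cfg(text: str) -> Dict[str, str]:
    """One key=value per line; lines starting with '#' are comments; blank lines or spaces are errors."""
    cfg: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if not line or line != line.strip() or " " in line or "=" not in line:
            raise ValueError(f"line {lineno}: blank line, whitespace or missing '=' in {line!r}")
        key, _, value = line.partition("=")
        cfg[key] = value
    return cfg


def _list(cfg: Dict[str, str], key: str) -> Set[str]:
    """Comma-separated list value -> set of names (empty if the key is absent)."""
    return {u for u in cfg.get(key, "").split(",") if u}


def may_launch(cfg: Dict[str, str], user: str, uid: int) -> str:
    """'ok' if `user` (numeric id `uid`) may run containers, otherwise the reason for refusal."""
    if user in _list(cfg, "banned.users"):
        return f"{user} is in banned.users"
    min_uid = int(cfg.get("min.user.id", "1000"))      # 1000 is the executor's built-in default
    if uid < min_uid and user not in _list(cfg, "allowed.system.users"):
        return f"uid {uid} < min.user.id {min_uid} and {user} not in allowed.system.users"
    return "ok"


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for user, uid in (("root", 0), ("hadoop", 499), ("daemon", 2), ("alice", 1001)):
        print(f"{user:7} uid={uid:<5} {may_launch(cfg, user, uid)}")
```

The real binary applies these rules after it has verified its own ownership and mode and those of the configuration file (5.4); a user refused here would see the NodeManager report the launch failure in the container's diagnostics.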

5.4 Configure YARN to use LinuxContainerExecutor (on every node)

1) On every node, set the owner and permissions of the container-executor binary: owner root, group hadoop (the yarn.nodemanager.linux-container-executor.group), mode 6050, i.e. setuid root and executable only by that group. Its default location is $HADOOP_HOME/bin.

chown root:hadoop /data/hadoop-3.1.3/bin/container-executor
chmod 6050 /data/hadoop-3.1.3/bin/container-executor

2) On every node, set the owner and permissions of container-executor.cfg: the file and every directory above it must be owned by root (group hadoop), and the file must be mode 400. The setuid binary checks this chain and refuses to run if the file or any ancestor could be modified by someone other than root, because a writable configuration would let a local user turn the setuid helper into code execution as root. The default location is $HADOOP_HOME/etc/hadoop.

chown root:hadoop /data/hadoop-3.1.3/etc/hadoop/container-executor.cfg
chown root:hadoop /data/hadoop-3.1.3/etc/hadoop
chown root:hadoop /data/hadoop-3.1.3/etc
chown root:hadoop /data/hadoop-3.1.3
chown root:hadoop /data
chmod 400 /data/hadoop-3.1.3/etc/hadoop/container-executor.cfg

5.5 Start YARN with start-yarn.sh.

6. Configuring Kerberos authentication for HBase

6.1 Edit $HBASE_HOME/conf/hbase-site.xml and add the following to the existing file (REALM is your Kerberos realm):

<!-- HBase Kerberos security -->
<property>
	<name>hbase.security.authentication</name>
	<value>kerberos</value>
</property>
<!-- secure RPC engine (only needed on HBase 0.94; later releases ignore it) -->
<property>
    <name>hbase.rpc.engine</name>
    <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<!-- TokenProvider issues delegation tokens so MapReduce/Spark jobs can reach HBase -->
<property>
    <name>hbase.coprocessor.region.classes</name>
    <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<!-- HMaster Kerberos principal -->
<property>
	<name>hbase.master.kerberos.principal</name>
	<value>hadoop/_HOST@REALM</value>
</property>
<!-- HMaster keytab location -->
<property>
	<name>hbase.master.keytab.file</name>
	<value>/etc/security/keytab/hadoop.keytab</value>
</property>
<!-- RegionServer Kerberos principal -->
<property>
	<name>hbase.regionserver.kerberos.principal</name>
	<value>hadoop/_HOST@REALM</value>
</property>
<!-- RegionServer keytab location -->
<property>
	<name>hbase.regionserver.keytab.file</name>
	<value>/etc/security/keytab/hadoop.keytab</value>
</property>

As in the Hadoop files, _HOST is expanded to the local hostname, so this file can be shared by all nodes. hbase.rpc.engine is a leftover from the HBase 0.94 secure build; since 0.96 the RPC layer is always security-capable and the property is ignored. These settings only authenticate clients: without hbase.security.authorization=true and the org.apache.hadoop.hbase.security.access.AccessController coprocessor registered on master and regions, every authenticated user can still create, read and drop any table.
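As an added example (not part of the original post and not Hadoop or HBase code), the Python below audits the core-site.xml and hdfs-site.xml fragments from section 4 together with the hbase-site.xml fragment above for the settings that matter once Kerberos is on: it parses the property elements with the standard library XML parser, flags values that authenticate users but leave traffic or authorization unprotected, and flags principals with a hard-coded hostname that would break as soon as the file is copied to another node. The SAMPLE_* documents are constructed from the values shown on this page (EXAMPLE.COM stands in for the realm), and the list of checks is this example's own rather than anything Hadoop ships.

```python
"""Audit Hadoop/HBase *-site.xml settings for weak Kerberos choices.

Added example, not part of the original post or of Hadoop/HBase: it reads
the <property> elements of core-site.xml, hdfs-site.xml and hbase-site.xml
and reports settings that authenticate users but leave traffic or
authorization unprotected. The SAMPLE_* documents are constructed from the
values on this page (EXAMPLE.COM is a placeholder realm); the checks are
this example's own.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_CORE = """<configuration>
<property><name>hadoop.security.authentication</name><value>kerberos</value></property>
<property><name>hadoop.security.authorization</name><value>true</value></property>
<property><name>hadoop.rpc.protection</name><value>authentication</value></property>
</configuration>"""

SAMPLE_HDFS = """<configuration>
<property><name>dfs.block.access.token.enable</name><value>true</value></property>
<property><name>dfs.namenode.kerberos.principal</name><value>hadoop/_HOST@EXAMPLE.COM</value></property>
<property><name>dfs.datanode.kerberos.principal</name><value>hadoop/ha01@EXAMPLE.COM</value></property>
<property><name>dfs.http.policy</name><value>HTTPS_ONLY</value></property>
<property><name>dfs.datanode.data.dir.perm</name><value>700</value></property>
<property><name>dfs.data.transfer.protection</name><value>integrity</value></property>
</configuration>"""

SAMPLE_HBASE = """<configuration>
<property><name>hbase.security.authentication</name><value>kerberos</value></property>
<property><name>hbase.master.kerberos.principal</name><value>hadoop/_HOST@EXAMPLE.COM</value></property>
</configuration>"""

# (file the key lives in, key, acceptable values, what a weaker or missing value means)
CHECKS = [
    ("core-site.xml", "hadoop.security.authentication", {"kerberos"}, "RPC callers are not authenticated with Kerberos"),
    ("core-site.xml", "hadoop.security.authorization", {"true"}, "service-level authorization (hadoop-policy.xml) is off"),
    ("core-site.xml", "hadoop.rpc.protection", {"privacy"}, "RPC is authenticated but not encrypted; privacy encrypts it"),
    ("hdfs-site.xml", "dfs.block.access.token.enable", {"true"}, "DataNodes serve blocks without checking NameNode-issued tokens"),
    ("hdfs-site.xml", "dfs.http.policy", {"HTTPS_ONLY"}, "web UIs and WebHDFS are reachable over plain HTTP"),
    ("hdfs-site.xml", "dfs.data.transfer.protection", {"privacy"}, "block transfers are not encrypted; privacy encrypts them"),
    ("hdfs-site.xml", "dfs.datanode.data.dir.perm", {"700"}, "other local users can read the DataNode's block files"),
    ("hbase-site.xml", "hbase.security.authentication", {"kerberos"}, "HBase clients are not authenticated with Kerberos"),
    ("hbase-site.xml", "hbase.security.authorization", {"true"}, "no HBase ACLs; every authenticated user can drop any table"),
]


def load_properties(xml_text: str) -> Dict[str, str]:
    """Map each <property><name> to its <value> in a *-site.xml document."""
    props: Dict[str, str] = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(files: Dict[str, str]) -> List[str]:
    """files maps a file name (core-site.xml, ...) to its XML text; returns human-readable findings."""
    props: Dict[str, str] = {}
    for text in files.values():
        props.update(load_properties(text))
    findings = []
    for fname, key, acceptable, why in CHECKS:
        if fname in files and props.get(key) not in acceptable:
            findings.append(f"{fname}: {key}={props.get(key)!r}: {why}")
    # a principal with a literal hostname breaks as soon as the file is copied to another node
    for key, value in sorted(props.items()):
        if key.endswith(".principal") and "/" in value and "_HOST" not in value:
            findings.append(f"{key}={value!r}: hostname is hard-coded; use _HOST so one file fits every node")
    return findings


if __name__ == "__main__":
    for line in audit({"core-site.xml": SAMPLE_CORE, "hdfs-site.xml": SAMPLE_HDFS, "hbase-site.xml": SAMPLE_HBASE}):
        print(line)
```

Against the values from this page it reports four findings: RPC protection at authentication only, block transfers at integrity only, HBase authorization missing, and the DataNode principal with a hard-coded host. To run it on a live cluster, pass the real files, for example `audit({"hdfs-site.xml": open("/data/hadoop-3.1.3/etc/hadoop/hdfs-site.xml").read()})`.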

6.2 Create $HBASE_HOME/conf/zk-jaas.conf with the following content:

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytab/hadoop.keytab"
  useTicketCache=false
  principal="hadoop/host_name@REALM";
};

Note: the host_name in principal="hadoop/host_name@REALM" must be changed to each node's own hostname (JAAS does not expand _HOST), so unlike hbase-site.xml this file differs from node to node. HBase uses this Client section to authenticate to the SASL-enabled ZooKeeper ensemble from section 3.

6.3 Add the following to $HBASE_HOME/conf/hbase-env.sh:

#set HBASE_OPTS to this value (CMS is fine on JDK 8; it was removed in JDK 14)
export HBASE_OPTS="-XX:+UseConcMarkSweepGC -Djava.security.auth.login.config=$HBASE_HOME/conf/zk-jaas.conf"
#tell HBase to use the separately installed ZooKeeper ensemble instead of starting its own
export HBASE_MANAGES_ZK=false

6.4 Start HBase with start-hbase.sh and verify: the master and region servers should register in ZooKeeper, and hbase shell commands run as the hadoop user (after kinit from the keytab, as in 4.4) should succeed, while a shell started without a ticket should be refused.
