
Kerberos installation & use

2025-02-24 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

Hadoop itself has no built-in authentication, so a third-party authentication mechanism has to be introduced. Kerberos is the usual choice for Hadoop. Configuring Kerberos is relatively simple, but in practice, if you do not follow the rules strictly, you will often run into "strange" problems.

1. Install the Kerberos packages

# yum install krb5*
# vi /etc/krb5.conf

2. Modify the Kerberos configuration file

# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LIANG.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 2d
 forwardable = false

[realms]
 LIANG.COM = {
  kdc = c6701
  admin_server = c6701
  default_domain = liang.com
  key_stash_file = /var/kerberos/krb5kdc/.k5.LIANG.COM
  dict_file = /usr/share/dict/words
 }

[domain_realm]
 .liang.com = LIANG.COM
 liang.com = LIANG.COM

3. Modify the KDC configuration file

# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LIANG.COM = {
  kadmind_port = 749
  master_key_type = aes256-cts-hmac-sha1-96
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  supported_enctypes = des3-cbc-sha1:normal
  max_life = 24h 0s
  max_renewable_life = 7d 0h 0s
  key_stash_file = /var/kerberos/krb5kdc/.k5.LIANG.COM
  database_name = /var/kerberos/krb5kdc/principal
 }

Execute the command that creates the KDC database for the realm configured above:

# kdb5_util create -s -r LIANG.COM
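The supported_enctypes line in the kdc.conf above lists only des3-cbc-sha1, an enctype that RFC 8429 deprecates and that newer MIT krb5 releases disable by default, so principals keyed with it can stop working after an upgrade. The shell script below is an added example, not part of the original article: it scans a kdc.conf fragment for deprecated DES, 3DES and RC4 types in supported_enctypes and reports them. The two fragments embedded in it are constructed sample data modelled on the article's realm block (realm LIANG.COM is the article's); the second fragment shows an AES-only setting that passes the check.

```shell
#!/bin/sh
# Added example (not from the original article): flag deprecated enctypes
# in the supported_enctypes setting of a kdc.conf realm block.

# weak_enctypes KDC_CONF_TEXT
# Prints each deprecated enctype (DES, 3DES, RC4/arcfour) found in a
# supported_enctypes line, one per line. Returns 0 if any were found,
# 1 if the setting only contains non-deprecated types.
weak_enctypes() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")          # keep only the value
            n = split($0, types, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                split(types[i], parts, ":")         # drop the ":normal" salt suffix
                t = tolower(parts[1])
                if (t ~ /^(des|des3|arcfour|rc4)/) { print t; found = 1 }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed fragment: the realm block as the article configures it.
SAMPLE_KDC_CONF='[realms]
 LIANG.COM = {
  master_key_type = aes256-cts-hmac-sha1-96
  supported_enctypes = des3-cbc-sha1:normal
  max_life = 24h 0s
 }'

# Constructed fragment: the same block with AES-only principal keys.
HARDENED_KDC_CONF='[realms]
 LIANG.COM = {
  master_key_type = aes256-cts-hmac-sha1-96
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
  max_life = 24h 0s
 }'

# Stand-alone run: report what is wrong with the first fragment and
# confirm the hardened one is clean.
if found=$(weak_enctypes "$SAMPLE_KDC_CONF"); then
    echo "deprecated enctypes in supported_enctypes: $found"
    echo "replace them with aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal"
fi
if weak_enctypes "$HARDENED_KDC_CONF" >/dev/null; then
    echo "hardened fragment still lists deprecated enctypes"
else
    echo "hardened fragment: supported_enctypes is clean"
fi
```

Run the check against the real file with weak_enctypes "$(cat /var/kerberos/krb5kdc/kdc.conf)" before creating the database, because supported_enctypes decides which keys every new principal gets. If you move to AES, every JVM in the cluster must be able to use the type: aes128-cts-hmac-sha1-96 works on any JDK, while aes256 on JDKs older than 8u161 requires the unlimited-strength JCE policy files.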

4. Grant the database administrator ACL permissions by editing the kadm5.acl file; * represents full permissions

# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@LIANG.COM *

5. Start the services

# service krb5kdc start
# service kadmin start
# service krb5kdc status
# service kadmin status
# chkconfig krb5kdc on
# chkconfig kadmin on

6. On each client, add the following lines to the system profile /etc/profile, so that every user switched to with su uses the same ticket cache instead of creating a new one that cannot be found afterwards, which would make kinit fail for that user

# workaround for kerberos login
export KRB5CCNAME=FILE:/tmp/krb5cc_`id -u`

7. Create a principal

# kadmin.local -q "addprinc -pw <password> <principal>"

For Hadoop users, include the hostname in the principal name when creating it, to increase security.

Note: Hadoop can only register lowercase hostnames. If a hostname contains uppercase letters, change it to lowercase manually, and use the lowercase form for the later kinit as well; Hadoop converts uppercase hostnames to lowercase automatically.

# kadmin.local -q "addprinc -pw <password> hdfs/<hostname>"

8. Create a keytab

# kadmin.local -q "ktadd -norandkey -k /root/keytab/hdfs.keytab <principal>"

9. Log in (obtain a ticket)

# kinit -kt /root/keytab/hdfs.keytab

For Hadoop users, specify the principal together with the hostname when running kinit.

# kinit -kt /root/keytab/hdfs.keytab hdfs/`hostname`
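The lowercase-hostname rule from step 7 and the kinit -kt form in step 9 are the two places where the "strange" problems mentioned at the start usually come from: a principal created with a mixed-case hostname is simply not the one Hadoop looks up, and kinit against a keytab that does not contain the principal fails with an unhelpful error. The shell script below is an added example, not from the original article: it builds the service principal with the hostname forced to lowercase, checks a klist -kt listing for that principal before attempting kinit, and prints the kinit command it would run rather than executing it. Realm LIANG.COM and the keytab path /root/keytab/hdfs.keytab are the article's; the klist listing embedded in the script is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original article): derive the Hadoop service
# principal name with a lowercase hostname and verify that it is present in
# a keytab listing before calling kinit.

# hadoop_principal SERVICE HOSTNAME REALM
# Prints SERVICE/hostname@REALM with the hostname forced to lowercase,
# because Hadoop lowercases hostnames when it resolves principals.
hadoop_principal() {
    svc=$1; host=$2; realm=$3
    lc_host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    printf '%s/%s@%s\n' "$svc" "$lc_host" "$realm"
}

# keytab_has_principal PRINCIPAL KLIST_OUTPUT
# Returns 0 if PRINCIPAL appears in "klist -kt" style output, 1 otherwise.
# Entry lines start with a numeric KVNO; the principal is the last field.
keytab_has_principal() {
    want=$1; listing=$2
    printf '%s\n' "$listing" | awk -v want="$want" '
        $1 ~ /^[0-9]+$/ && $NF == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the format printed by "klist -kt".
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/root/keytab/hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------
   1 04/07/17 16:16:04 hdfs/hdfs1.liang.com@LIANG.COM
   1 04/07/17 16:16:04 hdfs/hdfs2.liang.com@LIANG.COM
   1 04/07/17 16:16:05 hdfs/hdfs3.liang.com@LIANG.COM'

# check_and_login SERVICE HOSTNAME REALM KEYTAB_FILE KLIST_OUTPUT
# Prints the kinit command for the derived principal if the keytab listing
# contains it; otherwise reports the missing principal on stderr and
# returns 1 so a caller fails fast instead of hitting an obscure kinit error.
check_and_login() {
    svc=$1; host=$2; realm=$3; keytab=$4; listing=$5
    princ=$(hadoop_principal "$svc" "$host" "$realm")
    if keytab_has_principal "$princ" "$listing"; then
        printf 'kinit -kt %s %s\n' "$keytab" "$princ"
        return 0
    fi
    printf 'error: %s is not in %s\n' "$princ" "$keytab" >&2
    return 1
}

# Stand-alone run: an uppercase hostname is normalised and found in the
# listing; a host that has no entry in the keytab is rejected.
check_and_login hdfs HDFS1.LIANG.COM LIANG.COM /root/keytab/hdfs.keytab "$SAMPLE_KEYTAB_LISTING"
check_and_login hdfs hdfs9.liang.com LIANG.COM /root/keytab/hdfs.keytab "$SAMPLE_KEYTAB_LISTING" || true
```

On a real node, feed the function the live listing with check_and_login hdfs "$(hostname)" LIANG.COM /root/keytab/hdfs.keytab "$(klist -kt /root/keytab/hdfs.keytab)" and run the printed kinit line only when it succeeds; an uppercase hostname from hostname is then handled the same way Hadoop handles it.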

10. Query the current user's ticket cache

# klist
Ticket cache: FILE:/tmp/krb5cc_1098
Default principal: hdfs/hdfs1.liang.com@LIANG.COM

Valid starting     Expires            Service principal
03/26/18 17:19:04  03/27/18 17:19:04  krbtgt/LIANG.COM@LIANG.COM
        renew until 04/02/18 17:19:04

11. Query the contents of a keytab file

$ klist -kt /root/keytab/hdfs.keytab
Keytab name: FILE:/root/keytab/hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------
   1 04/07/17 16:16:04 hdfs/hdfs1.liang.com@LIANG.COM
   1 04/07/17 16:16:04 hdfs/hdfs2.liang.com@LIANG.COM
   1 04/07/17 16:16:05 hdfs/hdfs3.liang.com@LIANG.COM

12. Query the KDC for the list of principals

# kadmin.local -q "listprincs"

13. Delete a principal

# kadmin.local -q "delprinc -force HTTP/hdfs3.liang.com@LIANG.COM"

14. Change a password

# kpasswd <username>
