Big Data Clusters: Configuring Kerberos Authentication Security for the Cluster

Date: 2024-03-05 15:59:58

                    

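I. Kerberos Basics

1. Why Kerberos is needed

    By default a Hadoop cluster uses Simple authentication based on operating-system accounts, which provides essentially no security guarantee: a user only needs to create an account with the same name on the client's operating system to impersonate any user and access the cluster.

2. What Kerberos is

    Kerberos is a framework protocol for network authentication. Its name is inspired by the three-headed guard dog of Greek mythology, signifying strong protective power. Through a strong key system, the Kerberos protocol provides strong communication encryption and authentication services between Server and Client applications. In a cluster that authenticates with Kerberos, the Client does not authenticate directly with its Server; instead, mutual authentication is completed through an independent service, the KDC (Key Distribution Center). Kerberos can also encrypt all communication between services to ensure its privacy and integrity.

    Kerberos was created at the Massachusetts Institute of Technology (MIT) as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After the client and server have used Kerberos to prove their identities, they can also encrypt all of their communication to ensure privacy and data integrity as they go about their business. For details, see https://web.mit.edu/kerberos/.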

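3. Kerberos core concepts (terminology)

    The Kerberos protocol has several important concepts; knowing them helps in understanding the Kerberos authentication process.
    1. KDC (Key Distribution Center)
        The KDC authenticates each component and is the unified authentication service. In other words, it is the trusted source of authentication, the key distribution center.
        In addition to data stored as files, the KDC contains two important components: the Authentication Service (AS) and the Ticket Granting Server (TGS). Together the AS and TGS handle all authentication and access requests for a Kerberos-protected Hadoop cluster. The Kerberos database stores principal and realm information.
    2. Kerberos KDC Server
        The server on which the KDC runs, i.e. the provider of the KDC service. It stores all principal information related to users, hosts and services, including their realm information.
    3. Kerberos Client
        Any machine (or component) that needs to authenticate through the KDC, for example a client machine that needs to perform Kerberos authentication.
    4. Principal
        The unique identifier used to authenticate a user or a Service. It is equivalent to an account, and a password must be set for it.
        When a user wants to authenticate to a Kerberos-enabled cluster, the administration service generates a ticket. The ticket contains information such as the user name (usually the same as the user principal), the service principal, the client's IP address and a timestamp. A ticket has a configurable maximum lifetime and a session key.
        The user can also renew the ticket within a certain period.
    5. Keytab file
        A file containing one or more principals and their passwords. It can be used for user login in place of typing a password.
        The Keytab file is a secure file that contains the passwords of all service principals in the realm. Every Hadoop service requires a Keytab file to be placed on all hosts. When Kerberos needs to renew a service's TGT, it looks up the Keytab file.
    6. Realm
        The network made up of the KDC and multiple Kerberos Clients, i.e. the authentication domain.
        The realm is the basic administrative domain for authenticating users and establishes the boundary within which the administration server authenticates users, hosts and services. Every Hadoop user is assigned to a specific realm. A realm is usually written in upper case, for example CDH.COM.
        There can be multiple KDCs, so a single network can contain multiple realms.
    7. KDC Admin Account
        A user in the KDC with administrative privileges (for example, adding, modifying and deleting principals).
    8. Authentication Server (AS)
        Performs the initial authentication and generates the Ticket Granting Ticket (TGT).
        Once a user has successfully authenticated to the AS, the AS grants TGTs for authentication to the other services and clients in the secure cluster. These tickets are time-limited encrypted messages that clients use to authenticate to servers. The principal then uses the TGT to request authentication and access to Hadoop services.
    9. Ticket Granting Server (TGS)
        Generates the Service Ticket on the basis of the TGT. In general, the AS and TGS both run on the KDC server.
        The ticket-granting server validates the TGT presented by the client and then grants the client a service ticket so that it can access Hadoop services. A service ticket allows an authenticated principal to use services in the cluster.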

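4. The Kerberos authentication flow

    The Kerberos protocol consists of three main parts: the Key Distribution Center (KDC), the service provider (Server) and the user (User). Its authentication process is shown in the figure below:

Step 1:
    The client (a User or a Service) uses its Principal to authenticate to the Authentication Server (AS), hoping to obtain permission to access the Server.
Step 2:
    Kerberos receives this message and first has to determine whether the client is trustworthy, in other words a blacklist/whitelist check. This is the work done by the AS, which distinguishes clients by the blacklist and whitelist stored in the AD. After successful verification, the AS returns a TGT to the client.
Step 3:
    At this point only the AS and the user of this principal can recognize the TGT. After receiving the encrypted TGT, the client (user or service) uses the principal's key to decrypt the TGT, and then uses the decrypted TGT to send a further request to Kerberos, hoping to obtain permission to access the Server.
Step 4:
    Kerberos again receives a message. This time, from the TGT in the client's message (the TGT decrypted in step 3, not the encrypted TGT from step 2), it determines that the client has this permission and gives the client the Service Ticket that grants access to the server.
Steps 5 and 6:
    Having obtained the Service Ticket for the server it wants, the client can finally access that Server. Note that this Service Ticket is valid only for this one Server; for other servers the client must apply to the TGS again (because every server has its own Service Ticket).
    In a Kerberos-authenticated cluster, only a client holding the Service Ticket it obtained can access the real Server and carry out its business logic.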
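The six steps above as a runnable model, added here as an illustration and not part of the original post. In this model the client's key unlocks the session key that accompanies the TGT, while the TGT itself is sealed under the krbtgt key. Assumptions: the `seal`/`unseal` cipher is a toy built from SHA-256 and HMAC rather than a real Kerberos enctype, the passwords are constructed, and the service principal `hdfs/hexindai-c12-124@HXD.COM` is hypothetical.

```python
import hashlib, hmac, json, os, time


def string_to_key(principal, password):
    # Toy stand-in for Kerberos string-to-key: long-term key derived from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)


def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption (SHA-256 keystream + HMAC), not a Kerberos enctype."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    nonce, data = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))))


def check_authenticator(ticket, authenticator, skew=300):
    """Used by the TGS and by services: the sender must hold the ticket's session key."""
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    now = time.time()
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > skew or now > ticket["exp"]:
        raise ValueError("authenticator rejected")
    return auth


class KDC:
    def __init__(self, realm):
        self.tgs = f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs: os.urandom(32)}  # principal -> long-term key

    def add_principal(self, name, password):
        self.db[name] = string_to_key(name, password)

    def _issue(self, ticket_key, reply_key, client, service, lifetime=86400):
        session = os.urandom(32).hex()
        ticket = seal(ticket_key, {"client": client, "service": service,
                                   "key": session, "exp": time.time() + lifetime})
        # The ticket is opaque to the client; its copy of the session key is sealed separately.
        return seal(reply_key, {"key": session}), ticket

    def as_exchange(self, client):  # steps 1-2: the AS issues a TGT
        return self._issue(self.db[self.tgs], self.db[client], client, self.tgs)

    def tgs_exchange(self, tgt, authenticator, service):  # step 4: TGS issues a service ticket
        t = unseal(self.db[self.tgs], tgt)
        check_authenticator(t, authenticator)
        return self._issue(self.db[service], bytes.fromhex(t["key"]), t["client"], service)


def client_get_service_ticket(kdc, principal, password, service):
    enc_part, tgt = kdc.as_exchange(principal)
    # Step 3: only the holder of the password-derived key recovers the TGT session key.
    session = bytes.fromhex(unseal(string_to_key(principal, password), enc_part)["key"])
    auth = seal(session, {"client": principal, "ts": time.time()})
    enc_part, ticket = kdc.tgs_exchange(tgt, auth, service)
    return ticket, bytes.fromhex(unseal(session, enc_part)["key"])


def service_accept(service, keytab_key, ticket, authenticator):
    """Steps 5-6 on the server: only the keytab key is needed, no call to the KDC."""
    t = unseal(keytab_key, ticket)
    if t["service"] != service:
        raise ValueError("ticket issued for another service")
    auth = check_authenticator(t, authenticator)
    # Mutual authentication: echo the timestamp under the session key.
    return t["client"], seal(bytes.fromhex(t["key"]), {"ts": auth["ts"]})


def demo():
    user, svc = "rabin@HXD.COM", "hdfs/hexindai-c12-124@HXD.COM"  # svc name is hypothetical
    kdc = KDC("HXD.COM")
    kdc.add_principal(user, "constructed-user-password")
    kdc.add_principal(svc, "constructed-service-secret")
    ticket, key = client_get_service_ticket(kdc, user, "constructed-user-password", svc)
    ts = time.time()
    who, reply = service_accept(svc, kdc.db[svc], ticket, seal(key, {"client": user, "ts": ts}))
    return who, unseal(key, reply)["ts"] == ts


if __name__ == "__main__":
    print(demo())
```

The service verifies the ticket with nothing but its own keytab key, which is why a stolen keytab lets its holder decrypt and accept tickets for that service.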

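5. Advantages of Kerberos

    Having walked through the whole Kerberos authentication process, let us summarize the advantages of Kerberos:

1. Higher performance
    Although we keep saying that Kerberos is an authentication process involving three parties (client, server and KDC), once the Client has obtained a Ticket for accessing a given Server, that Server can verify the Client from the Ticket alone, without the KDC taking part again. Compared with the traditional NTLM of Windows NT 4.0, which relies entirely on a Trusted Third Party every time, this is a considerable performance improvement.
2. Mutual authentication
    Traditional NTLM authentication rests on the premise that the remote Service the Client accesses is trusted and needs no verification, so NTLM never provided mutual authentication. This is clearly somewhat idealistic, and Kerberos makes up for the shortcoming: before accessing a Server's resources, the Client can require the Server's identity to be authenticated.
3. Support for Delegation
    Impersonation and Delegation are two important features in a distributed environment. Impersonation allows the Server to perform certain operations locally using the logon Account; Delegation requires the Server to carry the logon Account into another Context and perform the corresponding operations there. NTLM supports only Impersonation, whereas Kerberos supports Delegation through a mutual, transitive trust model.
4. Interoperability
    Kerberos was originally created by MIT and has become a widely accepted standard, so broad interoperability across different platforms is possible.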

II. Setting Up a Kerberos Server with Yum

1. Plan the KDC server

172.20.102.124  hexindai-c12-124    Kerberos Client 
172.20.102.125  hexindai-c12-125    Kerberos Client 
172.20.102.126  hexindai-c12-126    Kerberos Client 
172.20.102.127  hexindai-c12-127    KDC master server

2. Install the Kerberos server

[root@hexindai-c12-127 ~]# yum -y install krb5-server krb5-libs krb5-workstation
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                                                                                                                                          | 7.8 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: mirrors.yun-idc.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                          | 3.6 kB  00:00:00     
cloudera-manager                                                                                                                                                              | 2.9 kB  00:00:00     
epel                                                                                                                                                                          | 5.3 kB  00:00:00     
extras                                                                                                                                                                        | 3.4 kB  00:00:00     
updates                                                                                                                                                                       | 3.4 kB  00:00:00     
(1/3): epel/x86_64/updateinfo                                                                                                                                                 | 994 kB  00:00:00     
(2/3): epel/x86_64/primary_db                                                                                                                                                 | 6.8 MB  00:00:00     
(3/3): updates/7/x86_64/primary_db                                                                                                                                            | 6.5 MB  00:00:01     
Package krb5-libs-1.15.1-37.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-37.el7_6 will be installed
updates/7/x86_64/filelists_db                                                                                                                                                 | 4.6 MB  00:00:00     
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.1-37.el7_6.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.1-37.el7_6.x86_64
epel/x86_64/filelists_db                                                                                                                                                      |  11 MB  00:00:01     
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Running transaction check
---> Package libverto-libevent.x86_64 0:0.2.5-4.el7 will be installed
--> Processing Dependency: libevent-2.0.so.5()(64bit) for package: libverto-libevent-0.2.5-4.el7.x86_64
---> Package words.noarch 0:3.0-22.el7 will be installed
--> Running transaction check
---> Package libevent.x86_64 0:2.0.21-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
 Package                                              Arch                                      Version                                             Repository                                  Size
=====================================================================================================================================================================================================
Installing:
 krb5-server                                          x86_64                                    1.15.1-37.el7_6                                     updates                                    1.0 M
 krb5-workstation                                     x86_64                                    1.15.1-37.el7_6                                     updates                                    816 k
Installing for dependencies:
 libevent                                             x86_64                                    2.0.21-4.el7                                        base                                       214 k
 libverto-libevent                                    x86_64                                    0.2.5-4.el7                                         base                                       8.9 k
 words                                                noarch                                    3.0-22.el7                                          base                                       1.4 M

Transaction Summary
=====================================================================================================================================================================================================
Install  2 Packages (+3 Dependent packages)

Total download size: 3.4 M
Installed size: 9.3 M
Downloading packages:
(1/5): libverto-libevent-0.2.5-4.el7.x86_64.rpm                                                                                                                               | 8.9 kB  00:00:00     
(2/5): libevent-2.0.21-4.el7.x86_64.rpm                                                                                                                                       | 214 kB  00:00:00     
(3/5): krb5-server-1.15.1-37.el7_6.x86_64.rpm                                                                                                                                 | 1.0 MB  00:00:00     
(4/5): krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                            | 816 kB  00:00:00     
(5/5): words-3.0-22.el7.noarch.rpm                                                                                                                                            | 1.4 MB  00:00:00     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                3.7 MB/s | 3.4 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : words-3.0-22.el7.noarch                                                                                                                                                           1/5 
  Installing : libevent-2.0.21-4.el7.x86_64                                                                                                                                                      2/5 
  Installing : libverto-libevent-0.2.5-4.el7.x86_64                                                                                                                                              3/5 
  Installing : krb5-server-1.15.1-37.el7_6.x86_64                                                                                                                                                4/5 
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           5/5 
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/5 
  Verifying  : libverto-libevent-0.2.5-4.el7.x86_64                                                                                                                                              2/5 
  Verifying  : libevent-2.0.21-4.el7.x86_64                                                                                                                                                      3/5 
  Verifying  : krb5-server-1.15.1-37.el7_6.x86_64                                                                                                                                                4/5 
  Verifying  : words-3.0-22.el7.noarch                                                                                                                                                           5/5 

Installed:
  krb5-server.x86_64 0:1.15.1-37.el7_6                                                           krb5-workstation.x86_64 0:1.15.1-37.el7_6                                                          

Dependency Installed:
  libevent.x86_64 0:2.0.21-4.el7                                  libverto-libevent.x86_64 0:0.2.5-4.el7                                  words.noarch 0:3.0-22.el7                                 

Complete!
[root@hexindai-c12-127 ~]# 

3. Edit kdc.conf

[root@hexindai-c12-127 ~]# cat /var/kerberos/krb5kdc/kdc.conf 
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HXD.COM = {
  master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@hexindai-c12-127 ~]# 

4. Edit krb5.conf

[root@hexindai-c12-127 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = HXD.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HXD.COM = {
  kdc = hexindai-c12-127
  admin_server = hexindai-c12-127
 }

[domain_realm]
 .hxd.com = HXD.COM
 hxd.com = HXD.COM
[root@hexindai-c12-127 ~]# 

5. Initialize the Kerberos database

[root@hexindai-c12-127 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HXD.COM',
master key name 'K/M@HXD.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:   # Set an initial password for the KDC here. Be sure to remember this password: it is used to manage the KDC server!
Re-enter KDC database master key to verify: 
[root@hexindai-c12-127 ~]# 

6. Create an administrator user and a regular user

  A password must be set for each during creation. Then generate a Keytab file for the user so that later logins need no password. If no path is given, the file is placed in the current working directory by default; here we put it under "/etc/security/".

[root@hexindai-c12-127 ~]# kadmin.local     # Log in to the KDC server locally
Authenticating as principal root/admin@HXD.COM with password.
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc admin/admin        # Create an administrator user
WARNING: no policy specified for admin/admin@HXD.COM; defaulting to no policy
Enter password for principal "admin/admin@HXD.COM": 
Re-enter password for principal "admin/admin@HXD.COM": 
Principal "admin/admin@HXD.COM" created.
kadmin.local:  addprinc rabin            # Create a regular user, rabin
WARNING: no policy specified for rabin@HXD.COM; defaulting to no policy
Enter password for principal "rabin@HXD.COM": 
Re-enter password for principal "rabin@HXD.COM": 
Principal "rabin@HXD.COM" created.
kadmin.local:  xst -k /etc/security/rabin.keytab rabin    # Generate a keytab file for user rabin
Entry for principal rabin with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/rabin.keytab.
kadmin.local:  quit
[root@hexindai-c12-127 ~]# ll /etc/security/*.keytab    # List the generated keytab file
-rw-------. 1 root root 466 Jul 22 23:53 /etc/security/rabin.keytab
[root@hexindai-c12-127 ~]# 
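An added check, not part of the original post: the supported_enctypes list in step 3 still enables single DES, 3DES and RC4, and the xst output in step 6 shows keys of those types being written to rabin.keytab. The Python sketch below parses a kdc.conf and kadmin xst output, flags those entries and prints a tightened supported_enctypes line. The function names are hypothetical, and the weak/deprecated grouping follows the MIT krb5 enctype documentation.

```python
import re

# Grouping follows the MIT krb5 enctype documentation: single DES is "weak",
# 3DES and RC4 are "deprecated". Names as written in kdc.conf and kadmin output.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1"}
DEPRECATED = {"des3-cbc-sha1", "des3-hmac-sha1", "arcfour-hmac", "rc4-hmac"}

# The [realms] stanza from step 3 of the page (only the lines relevant here).
KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88

[realms]
 HXD.COM = {
  master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Four of the xst output lines from step 6 of the page.
XST_OUTPUT = """\
Entry for principal rabin with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/rabin.keytab.
Entry for principal rabin with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/rabin.keytab.
"""

XST_LINE = re.compile(r"^Entry for principal (\S+) with kvno (\d+), "
                      r"encryption type (\S+) added to keytab (\S+)\.$", re.MULTILINE)


def classify(enctype):
    name = enctype.lower()
    if name in WEAK:
        return "weak"
    return "deprecated" if name in DEPRECATED else "ok"


def parse_supported_enctypes(kdc_conf):
    """Return {realm: [(enctype, salt), ...]} from the [realms] section."""
    realms, section, realm = {}, None, None
    for raw in kdc_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            for item in line.split("=", 1)[1].split():
                enctype, _, salt = item.partition(":")
                realms[realm].append((enctype, salt or "normal"))
    return realms


def audit_kdc_conf(kdc_conf):
    """Per realm: the legacy enctypes found and a supported_enctypes line without them."""
    report = {}
    for realm, items in parse_supported_enctypes(kdc_conf).items():
        flagged = [(e, classify(e)) for e, _ in items if classify(e) != "ok"]
        kept = " ".join(f"{e}:{s}" for e, s in items if classify(e) == "ok")
        report[realm] = {"flagged": flagged, "hardened": f"supported_enctypes = {kept}"}
    return report


def audit_xst_output(kadmin_output):
    """Return (principal, enctype, level, keytab) for each legacy key written by xst."""
    return [(m.group(1), m.group(3), classify(m.group(3)), m.group(4))
            for m in XST_LINE.finditer(kadmin_output) if classify(m.group(3)) != "ok"]


if __name__ == "__main__":
    for realm, result in audit_kdc_conf(KDC_CONF).items():
        print(realm, result["flagged"])
        print(" ", result["hardened"])
    for finding in audit_xst_output(XST_OUTPUT):
        print(finding)
```

Principals created before the list is tightened keep their existing keys until they are re-keyed, so re-run the keytab check after changing kdc.conf.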

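7. Set ACL permissions

  Grant administrator privileges to accounts whose names end in "/admin"; all other accounts have ordinary privileges by default.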

[root@hexindai-c12-127 ~]# cat /var/kerberos/krb5kdc/kadm5.acl 
*/admin@HXD.COM *
[root@hexindai-c12-127 ~]#

8. Start the Kerberos services and enable them at boot

[root@hexindai-c12-127 ~]# systemctl start krb5kdc
[root@hexindai-c12-127 ~]# systemctl start kadmin
[root@hexindai-c12-127 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@hexindai-c12-127 ~]# systemctl enable kadmin 
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@hexindai-c12-127 ~]# 

9. Test that the Kerberos service is working

[root@hexindai-c12-127 ~]# 
[root@hexindai-c12-127 ~]# 
[root@hexindai-c12-127 ~]# kinit -kt /etc/security/rabin.keytab rabin
[root@hexindai-c12-127 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rabin@HXD.COM

Valid starting       Expires              Service principal
07/23/2019 00:01:28  07/24/2019 00:01:28  krbtgt/HXD.COM@HXD.COM
[root@hexindai-c12-127 ~]# 
[root@hexindai-c12-127 ~]# 

10. Install the Kerberos client on the other nodes

[root@hexindai-c12-124 ~]# yum -y install krb5-libs krb5-workstation
Loaded plugins: fastestmirror, priorities
Determining fastest mirrors
epel/x86_64/metalink                                                                                                                                                          | 7.8 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: mirrors.yun-idc.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                          | 3.6 kB  00:00:00     
cloudera-manager                                                                                                                                                              | 2.9 kB  00:00:00     
epel                                                                                                                                                                          | 5.3 kB  00:00:00     
extras                                                                                                                                                                        | 3.4 kB  00:00:00     
updates                                                                                                                                                                       | 3.4 kB  00:00:00     
(1/3): epel/x86_64/updateinfo                                                                                                                                                 | 994 kB  00:00:00     
(2/3): epel/x86_64/primary_db                                                                                                                                                 | 6.8 MB  00:00:01     
(3/3): updates/7/x86_64/primary_db                                                                                                                                            | 6.5 MB  00:00:01     
Package krb5-libs-1.15.1-37.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
 Package                                             Arch                                      Version                                              Repository                                  Size
=====================================================================================================================================================================================================
Installing:
 krb5-workstation                                    x86_64                                    1.15.1-37.el7_6                                      updates                                    816 k

Transaction Summary
=====================================================================================================================================================================================================
Install  1 Package

Total download size: 816 k
Installed size: 2.5 M
Downloading packages:
krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                                   | 816 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 

Installed:
  krb5-workstation.x86_64 0:1.15.1-37.el7_6                                                                                                                                                          

Complete!
[root@hexindai-c12-124 ~]# 
[root@hexindai-c12-125 ~]# yum -y install krb5-libs krb5-workstation
Loaded plugins: fastestmirror
Determining fastest mirrors
epel/x86_64/metalink                                                                                                                                                          | 7.8 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                          | 3.6 kB  00:00:00     
cloudera-manager                                                                                                                                                              | 2.9 kB  00:00:00     
epel                                                                                                                                                                          | 5.3 kB  00:00:00     
extras                                                                                                                                                                        | 3.4 kB  00:00:00     
updates                                                                                                                                                                       | 3.4 kB  00:00:00     
(1/3): epel/x86_64/updateinfo                                                                                                                                                 | 994 kB  00:00:00     
(2/3): epel/x86_64/primary_db                                                                                                                                                 | 6.8 MB  00:00:00     
(3/3): updates/7/x86_64/primary_db                                                                                                                                            | 6.5 MB  00:00:01     
Package krb5-libs-1.15.1-37.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
 Package                                             Arch                                      Version                                              Repository                                  Size
=====================================================================================================================================================================================================
Installing:
 krb5-workstation                                    x86_64                                    1.15.1-37.el7_6                                      updates                                    816 k

Transaction Summary
=====================================================================================================================================================================================================
Install  1 Package

Total download size: 816 k
Installed size: 2.5 M
Downloading packages:
krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                                   | 816 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 

Installed:
  krb5-workstation.x86_64 0:1.15.1-37.el7_6                                                                                                                                                          

Complete!
[root@hexindai-c12-125 ~]# 
[root@hexindai-c12-126 ~]# yum -y install krb5-libs krb5-workstation
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                                                                                          | 7.8 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: mirrors.yun-idc.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                                                                          | 3.6 kB  00:00:00     
cloudera-manager                                                                                                                                                              | 2.9 kB  00:00:00     
epel                                                                                                                                                                          | 5.3 kB  00:00:00     
extras                                                                                                                                                                        | 3.4 kB  00:00:00     
updates                                                                                                                                                                       | 3.4 kB  00:00:00     
(1/3): epel/x86_64/updateinfo                                                                                                                                                 | 994 kB  00:00:00     
(2/3): updates/7/x86_64/primary_db                                                                                                                                            | 6.5 MB  00:00:00     
(3/3): epel/x86_64/primary_db                                                                                                                                                 | 6.8 MB  00:00:01     
Package krb5-libs-1.15.1-37.el7_6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package krb5-workstation.x86_64 0:1.15.1-37.el7_6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=====================================================================================================================================================================================================
 Package                                             Arch                                      Version                                              Repository                                  Size
=====================================================================================================================================================================================================
Installing:
 krb5-workstation                                    x86_64                                    1.15.1-37.el7_6                                      updates                                    816 k

Transaction Summary
=====================================================================================================================================================================================================
Install  1 Package

Total download size: 816 k
Installed size: 2.5 M
Downloading packages:
krb5-workstation-1.15.1-37.el7_6.x86_64.rpm                                                                                                                                   | 816 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 
  Verifying  : krb5-workstation-1.15.1-37.el7_6.x86_64                                                                                                                                           1/1 

Installed:
  krb5-workstation.x86_64 0:1.15.1-37.el7_6                                                                                                                                                          

Complete!
[root@hexindai-c12-126 ~]# 

11. Copy the krb5.conf configuration file from the KDC server to the other cluster nodes [124-126]

[root@hexindai-c12-127 ~]# scp  /etc/krb5.conf 172.20.102.124:/etc/
[root@hexindai-c12-127 ~]# scp  /etc/krb5.conf 172.20.102.125:/etc/
[root@hexindai-c12-127 ~]# scp  /etc/krb5.conf 172.20.102.126:/etc/

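III. Configuring Kerberos in Cloudera Manager (before doing this, check that the servers are healthy)

1. Enable Kerberos

2. Confirm that all four requirements are met, tick the checkboxes and click Continue

3. Fill in the Kerberos encryption types, the realm name and the server addresses

4. Do not let CM manage the krb5.conf configuration file, because we have already distributed a suitable krb5.conf by hand

5. Set the admin account (by default specified in /var/kerberos/krb5kdc/kadm5.acl on the KDC server)

6. As shown in the figure, wait for enabling Kerberos to complete, then click Continue

7. Configure Principals

8. Tick the option to restart the cluster

9. As shown in the figure, wait for the cluster restart to complete

10. Kerberos started successfully

11. Kerberos started successfully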