首先感谢前任总结的一些经验,尤其是开启kerberos方面,看了好几篇文章才最终搞定,当然还有好基友同事的一起帮忙,首先说一下按照CDH官方网站上提供的文档,我没有搞定,可能是英文水平太差的原因。
一、主机修改篇
1、下载地址:http://archive.cloudera.com/cm5/cm/5/ CDHmanager下载cloudera-manager-centos7-cm5.7.5_x86_64.tar.gz下载地址
下载安装包:CDH-5.7.6-1.cdh5.7.6.p0.6-el6.parcel、CDH-5.7.6-1.cdh5.7.6.p0.6-el6.parcel.sha、cloudera-manager-centos7-cm5.7.5_x86_64.tar.gz
2、修改各个主机/etc/hosts配置文件
192.27.2.10 plat-hdp00
192.27.2.12 plat-hdp02192.27.2.11 plat-hdp01
3、配置互信,使用代码产,我在篇博客中专门写过,非常方便,不用
4、设置环境变量:
export PATH=$PATH:/usr/local/java/bin
export JAVA_HOME=/usr/local/java
使环境变量生效:source /etc/profile
5、安装mariadb
yum install mariadb-server
systemctl start mariadb.serviceservic
/usr/bin/mysql_secure_installation (这里可以设置root密码)
授权root用户在主节点拥有所有数据库的访问权限
grant all privileges on *.* to 'root'@'plat-hdp00' identified by 'xxxx' with grant option;
flush privileges;
6、关闭防火墙
systemctl disable firewalld
systemctl stop firewalld
7、关闭selinux
set enforce 0 (临时生效)
修改 vi /etc/selinux/config 下的
SELINUX=disabled (重启后永久生效)
8、yum install ntpd
启动 ntp:
$ service ntpd start
设置开机启动:
$ chkconfig ntpd on
配置文件完成,保存退出,启动服务,执行如下命令:service ntpd start
检查是否成功,用ntpstat命令查看同步状态,出现以下状态代表启动成功:
synchronisedto NTP server () at stratum 2time correct towithin74 mspolling server every 128 s
如果出现异常请等待几分钟,一般等待5-10分钟才能同步。
在其他节点,直接运行
ntpdate -u plat-hdp00
二、CDH安装部署篇:1、解压安装包:tar -zxvf cloudera-manager-centos7-cm5.7.5_x86_64.tar.gz -C /opt/
2、
useradd --system --home=/opt/cm-5.7.5/run/cloudera-scm-server/ --no-create-home --shell=/bin/false --comment "Cloudera SCM User" cloudera-scm
3、 将CHD5相关的Parcel包放到主节点的/opt/cloudera/parcel-repo/目录中
mv CDH-5.7.6-1.cdh5.7.6.p0.6-el6.parcel /opt/cloudera/parcel-repo/
mv CDH-5.7.6-1.cdh5.7.6.p0.6-el6.parcel.sha /opt/cloudera/parcel-repo/
4、首先需要去MySql的官网下载JDBC驱动,http://dev.mysql.com/downloads/connector/j/,解压后,找到mysql-connector-java-5.1.35-bin.jar,放到
/opt/cm-5.7.5/share/cmf/lib中。
5、在所有节点创建cloudera-scm用户
/opt/cm-5.7.5/share/cmf/schema/scm_prepare_database.sh mysql cm -hlocalhost -uroot -p123456 --scm-host localhost scm 123456
6、相关启动脚本vim /opt/cm-5.7.5/etc/cloudera-scm-agent/config.ini
scp -r /opt/cm-5.7.5/ cdh01:/opt/
/opt/cm-5.7.5/etc/init.d/cloudera-scm-agent start
scp -r /opt/cm-5.7.5/ cdh02:/opt/
/opt/cm-5.7.5/etc/init.d/cloudera-scm-agent start
http://masterIP:7180/
[root@plat-hdp00 cm-5.7.5]# mysql -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 357
Server version: 5.5.52-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cm |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
MariaDB [(none)]> create user amon_user;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> grant all on activity_monitor.* TO 'amon_user'@'plat-hdp00' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database activity_monitor;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all on activity_monitor.* TO 'amon_user'@'plat-hdp00' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
三、CDH的安装配置
这时可以通过浏览器访问主节点的7180端口测试一下了(由于CM Server的启动需要花点时间,这里可能要等待一会才能访问成果,可能需要3-5分钟),默认的用户名和密码均为admin:
安装过程只需要选择,然后下一步就可以,在当前管理的主机上如果发现缺少主机,请检查网络环境以及slave节点上的agent服务是否已经起来
安装成功后:
二、kerberos部署篇
1、Installing Kerberos Package
Installing Kerberos Server
yum install krb5-server krb5-libs krb5-auth-dialog
Installing Kerberos Clientyum install krb5-server krb5-libs krb5-auth-dialog
Installing Kerberos Client
yum install krb5-workstation krb5-libs krb5-auth-dialog
Configuring a Kerberos Server
在配置Kerberos时,首先配置好master KDC,然后安装任意的secondary KDC server。
Configuring the Master KDC Server
确保所有的clients与servers之间的时间同步以及DNS正确解析。
选择一个主机来运行KDC,并在该主机上安装krb5-libs, krb5-server以及krb5-workstation:
[root@hadoop1 ~]# yum install krb5-libs krb5-server krb5-workstation
KDC的主机必须非常自身安全,一般该主机只运行KDC程序。
本文中我们选择hadoop1.com作为运行KDC的主机。
在安装完上述的软件之后,会在KDC主机上生成配置文件/etc/krb5.conf和/var/kerberos/krb5kdc/kdc.conf,它们分别反映了realm name 以及 domain-to-realm mappings。
配置 krb5.conf 与 kdc.conf
我们对这两个模板文件稍加修改即可。如果想查询这两个文件的配置说明,可以参考man帮助文档,即man krb5.conf 和 man,还可以参考 Kerberos 配置
/etc/krb5.conf的配置
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = GUIZHOU.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
GUIZHOU.COM = {
kdc = hadoop1.com
admin_server = hadoop1.com
}
[domain_realm]
hadoop1.com = GUIZHOU.COM
hadoop2.com = GUIZHOU.COM
hadoop3.com = GUIZHOU.COM
hadoop4.com = GUIZHOU.COM
hadoop5.com = GUIZHOU.COM
/var/kerberos/krb5kdc/kdc.conf 的配置
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
GUIZHOU.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
修改配置文件:vi /var/kerberos/krb5kdc/kdc.conf
替换为GUIZHOU.COM
创建/初始化Kerberos database
[root@hadoop1 ~]# /usr/sbin/kdb5_util create -s
其中,-s 表示生成stash file,并在其中存储master server key(krb5kdc);还可以用-r 来指定一个realm name —— 当krb5.conf中定义了多个realm时才是必要的。
在此过程中,我们会输入database的管理密码。这里设置的密码一定要记住,如果忘记了,就无法管理Kerberos server。我们设置的密码是『KDC-DB-1234』。
当Kerberos database创建好后,可以看到目录 /var/kerberos/krb5kdc 下生成了几个文件:
kadm5.acl
kdc.conf
principal
principal.kadm5
principal.kadm5.lock
principal.ok
添加database administrator
我们需要为Kerberos database添加administrative principals (即能够管理database的principals) —— 至少要添加1个principal来使得Kerberos的管理进程kadmind能够在网络上与程序kadmin进行通讯。
在maste KDC上执行:
[root@hadoop1 ~]# /usr/sbin/kadmin.local -q "addprinc admin/admin"
这里我们为其设置的密码是123456。
kadmin.local可以直接运行在master KDC上,而不需要首先通过Kerberos的认证,实际上它只需要对本地文件的读写权限。
The kadmin utility communicates with the kadmind server over the network, and uses Kerberos to handle authentication. For this reason, the first principal must already exist before connecting to the server over the network to administer it. Create the first principal with the kadmin.local command, which is specifically designed to be used on the same host as the KDC and does not use Kerberos for authentication.
为database administrator 设置ACL权限
在KDC上我们需要编辑acl文件来设置权限,该acl文件的默认路径是 /var/kerberos/krb5kdc/kadm5.acl(也可以在文件kdc.conf中修改)。Kerberos的kadmind daemon会使用该文件来管理对Kerberos database的访问权限。对于那些可能会对pincipal产生影响的操作,acl文件也能控制哪些principal能操作哪些其他pricipals。
我们现在为administrator设置权限:将文件/var/kerberos/krb5kdc/kadm5.acl的内容编辑为
*/admin@GUIZHOU.COM *
这表示: Any principal in the GUIZHOU.COM realm with an admin instance has all administrative privileges.
在master KDC上启动Kerberos daemons
在KDC server上必须运行的daemons是krb5kdc 和kadmin,它们可以被设置为自动启动:
[root@hadoop1 ~]# /sbin/chkconfig krb5kdc on
[root@hadoop1 ~]# /sbin/chkconfig kadmin on
也可以手动地启动:
[root@hadoop1 ~]# /etc/rc.d/init.d/krb5kdc start
[root@hadoop1 ~]# /etc/rc.d/init.d/kamdin start
OK,现在KDC已经在工作了。这两个daemons将会在后台运行,可以查看它们的日志文件(/var/log/krb5kdc.log 和 /var/log/kadmind.log)。
可以通过命令kinit来检查这两个daemons是否正常工作。
Verify that the KDC is issuing tickets. First, run kinit to obtain a ticket and store it in a credential cache file. Next, use klist to view the list of credentials in the cache and use kdestroy to destroy the cache and the credentials it contains.
By default, kinit attempts to authenticate using the login user name of the account used when logging into the system (not the Kerberos server). If that user name does not correspond to a principal in the Kerberos database, kinit issues an error message. If that happens, supply kinit with the name of the correct principal as an argument on the command line (kinit).
Once kadmind is started on the server, any user can access its services by running kadmin on any of the clients or servers in the realm. However, only users listed in the kadm5.acl file can modify the database in any way, except for changing their own passwords.
[root@hadoop1 ~]# kinit admin/admin@GUIZHOU.COM
Password for admin/admin@GUIZHOU.COM:
[root@hadoop1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@GUIZHOU.COM
Valid starting Expires Service principal
09/18/15 10:14:33 09/19/15 10:14:33 krbtgt/GUIZHOU.COM@GUIZHOU.COM
renew until 09/18/15 10:14:33
[root@hadoop1 ~]# kdestroy
[root@hadoop1 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
注:以上几个命令,kinit、klist和kdestroy是在安装Kerberos client packages(即krb5-workstation)之后才存在的的。
Principal Creation
创建一个user principal
[root@hadoop1 ~]# kadmin.local
Authenticating as principal root/admin@GUIZHOU.COM with password.
kadmin.local: addprinc xiaotao
WARNING: no policy specified for xiaotao@GUIZHOU.COM; defaulting to no policy
Enter password for principal "xiaotao@GUIZHOU.COM":
Re-enter password for principal "xiaotao@GUIZHOU.COM":
Principal "xiaotao@GUIZHOU.COM" created.
这里创建了一个名为『xiaotao』的user principal,其密码设置为『xiaotao-1234』。
通过命令listprincs可以看到当前已有的principals:
kadmin.local: listprincs
K/M@GUIZHOU.COM
admin/admin@GUIZHOU.COM
kadmin/admin@GUIZHOU.COM
kadmin/changepw@GUIZHOU.COM
kadmin/hadoop1.com@GUIZHOU.COM
krbtgt/GUIZHOU.COM@GUIZHOU.COM
xiaotao@GUIZHOU.COM
Client Configuration
在安装了Kerberos client package(krb5-workstation)之后,一个主机就可以向KDC发起Kerberos authentication。
我们在另外一台主机上(hadoop2.com)安装Keberos客户端。
[root@hadoop2 ~]# yum install krb5-workstation
客户端安装好后,需要配置该主机上的配置文件 /etc/krb5.conf,这个文件的内容与KDC上的文件保持一致即可。
现在,我们在hadoop2.com上试图以之前创建的principal身份(即xiaotao@GUIZHOU.COM)来向KDC发起authentication request,并希望获得KDC颁发的TGT。
[root@hadoop2 ~]# kinit xiaotao@GUIZHOU.COM
Password for xiaotao@GUIZHOU.COM:
[root@hadoop2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: xiaotao@GUIZHOU.COM
Valid starting Expires Service principal
09/18/15 10:30:42 09/19/15 10:30:42 krbtgt/GUIZHOU.COM@GUIZHOU.COM
renew until 09/18/15 10:30:42
成功了!
klist will tell you under which principal you are currently authenticated to Kerberos, and if applicable, which and when you asked for a specific TGS.
Since we did not set up any service to use kerberos yet, you should not see any entry, except the TGT.
我们再用一个并不存在的principal(假设为『xt』)来试一试:
[root@hadoop2 ~]# kinit xt
kinit: Client not found in Kerberos database while getting initial credentials
果然失败了。
常见问题
1. 查看ticket是否是renewable
通过klist命令来查看
[hdfs@hadoop2 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_496
Default principal: hdfs@GUIZHOU.COM
Valid starting Expires Service principal
09/18/15 22:56:28 09/19/15 22:56:28 krbtgt/GUIZHOU.COM@GUIZHOU.COM
renew until 09/18/15 22:56:28
如果Valid starting的值与renew until的值相同,则表示该principal的ticket 不是 renwable。
上面 hdfs principal 的ticket就不是renewable。
2. ticket无法更新
[hdfs@hadoop2 ~]$ kinit -R
kinit: Ticket expired while renewing credentials
这是因为krbtgt/GUIZHOU.COM@GUIZHOU.COM的『renewlife』被设置成了0,这一点可以通过『kadmin.local => getprinc krbtgt/GUIZHOU.COM@GUIZHOU.COM』看出来。
将krbtgt/GUIZHOU.COM@GUIZHOU.COM的『renewlife』修改为7days即可,方法:
kadmin.local: modprinc -maxrenewlife 1week krbtgt/GUIZHOU.COM@GUIZHOU.COM
现在通过klist可以看出该principal的ticket是renewable:
[hdfs@hadoop1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1100
Default principal: hdfs@GUIZHOU.COM
Valid starting Expires Service principal
09/21/15 10:52:40 09/22/15 10:52:40 krbtgt/GUIZHOU.COM@GUIZHOU.COM
renew until 09/28/15 10:52:34
参考: Re: Strange problem with ticket renewal
Kerberized Services
Host service
https://www.zybuluo.com/xtccc/note/177146
http://hadoop1989.com/2016/11/17/CDH-Enable-Kerberos/
https://www.zybuluo.com/xtccc/note/175999