Deploying Kerberos: a hands-on walkthrough
Author: 尹正杰
Copyright notice: original work, reproduction prohibited; violators will be held legally liable.
To set up Kerberos authentication, the Kerberos software must first be installed and then configured. Installing Kerberos means installing the KDC on one cluster node and the Kerberos client on every cluster node; configuring Kerberos means configuring the things the KDC manages, such as ticket lifetimes.
I. Install Kerberos with yum (recommended; after all, it is the simplest way)
1>. Install Kerberos with yum

[root@kdc.yinzhengjie.com ~]# yum -y install krb5-server
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.huaweicloud.com
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
base                                        | 3.6 kB  00:00:00
extras                                      | 2.9 kB  00:00:00
updates                                     | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz               | 153 kB  00:00:00
(2/4): extras/7/x86_64/primary_db           | 206 kB  00:00:00
(3/4): updates/7/x86_64/primary_db          | 4.5 MB  00:00:01
(4/4): base/7/x86_64/primary_db             | 6.1 MB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-46.el7 will be installed
base/7/x86_64/filelists_db                  | 7.1 MB  00:00:01
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-46.el7 for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-46.el7 for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.1-46.el7.x86_64
extras/7/x86_64/filelists_db                | 217 kB  00:00:00
updates/7/x86_64/filelists_db               | 2.4 MB  00:00:00
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_7.2 will be updated
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_7.2 for package: krb5-devel-1.15.1-37.el7_7.2.x86_64
---> Package krb5-libs.x86_64 0:1.15.1-46.el7 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_7.2 will be updated
---> Package libkadm5.x86_64 0:1.15.1-46.el7 will be an update
---> Package libverto-libevent.x86_64 0:0.2.5-4.el7 will be installed
---> Package words.noarch 0:3.0-22.el7 will be installed
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.15.1-37.el7_7.2 will be updated
---> Package krb5-devel.x86_64 0:1.15.1-46.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================
 Package                Arch       Version              Repository        Size
=================================================================================
Installing:
 krb5-server            x86_64     1.15.1-46.el7        base             1.0 M
Installing for dependencies:
 libverto-libevent      x86_64     0.2.5-4.el7          base             8.9 k
 words                  noarch     3.0-22.el7           base             1.4 M
Updating for dependencies:
 krb5-devel             x86_64     1.15.1-46.el7        base             272 k
 krb5-libs              x86_64     1.15.1-46.el7        base             809 k
 libkadm5               x86_64     1.15.1-46.el7        base             179 k

Transaction Summary
=================================================================================
Install  1 Package  (+2 Dependent packages)
Upgrade             ( 3 Dependent packages)

Total download size: 3.6 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/6): krb5-devel-1.15.1-46.el7.x86_64.rpm         | 272 kB  00:00:00
(2/6): krb5-libs-1.15.1-46.el7.x86_64.rpm          | 809 kB  00:00:00
(3/6): libkadm5-1.15.1-46.el7.x86_64.rpm           | 179 kB  00:00:00
(4/6): krb5-server-1.15.1-46.el7.x86_64.rpm        | 1.0 MB  00:00:00
(5/6): libverto-libevent-0.2.5-4.el7.x86_64.rpm    | 8.9 kB  00:00:00
(6/6): words-3.0-22.el7.noarch.rpm                 | 1.4 MB  00:00:00
---------------------------------------------------------------------------------
Total                                     5.0 MB/s | 3.6 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-46.el7.x86_64             1/9
  Updating   : libkadm5-1.15.1-46.el7.x86_64              2/9
  Installing : words-3.0-22.el7.noarch                    3/9
  Installing : libverto-libevent-0.2.5-4.el7.x86_64       4/9
  Installing : krb5-server-1.15.1-46.el7.x86_64           5/9
  Updating   : krb5-devel-1.15.1-46.el7.x86_64            6/9
  Cleanup    : krb5-devel-1.15.1-37.el7_7.2.x86_64        7/9
  Cleanup    : libkadm5-1.15.1-37.el7_7.2.x86_64          8/9
  Cleanup    : krb5-libs-1.15.1-37.el7_7.2.x86_64         9/9
  Verifying  : krb5-devel-1.15.1-46.el7.x86_64            1/9
  Verifying  : libverto-libevent-0.2.5-4.el7.x86_64       2/9
  Verifying  : krb5-server-1.15.1-46.el7.x86_64           3/9
  Verifying  : words-3.0-22.el7.noarch                    4/9
  Verifying  : libkadm5-1.15.1-46.el7.x86_64              5/9
  Verifying  : krb5-libs-1.15.1-46.el7.x86_64             6/9
  Verifying  : krb5-devel-1.15.1-37.el7_7.2.x86_64        7/9
  Verifying  : krb5-libs-1.15.1-37.el7_7.2.x86_64         8/9
  Verifying  : libkadm5-1.15.1-37.el7_7.2.x86_64          9/9

Installed:
  krb5-server.x86_64 0:1.15.1-46.el7

Dependency Installed:
  libverto-libevent.x86_64 0:0.2.5-4.el7      words.noarch 0:3.0-22.el7

Dependency Updated:
  krb5-devel.x86_64 0:1.15.1-46.el7   krb5-libs.x86_64 0:1.15.1-46.el7   libkadm5.x86_64 0:1.15.1-46.el7

Complete!
[root@kdc.yinzhengjie.com ~]#
2>. Check the installed version

[root@kdc.yinzhengjie.com ~]# yum list krb5-server
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
Installed Packages
krb5-server.x86_64                    1.15.1-46.el7                    @base
[root@kdc.yinzhengjie.com ~]#
3>. Verify that the KDC was installed successfully

[root@kdc.yinzhengjie.com ~]# kdb5_util
Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname] [-kv mkeyVNO]
	[-sf stashfilename] [-m] cmd [cmd_options]
	create	[-s]
	destroy	[-f]
	stash	[-f keyfile]
	dump	[-old|-ov|-b6|-b7|-r13|-r18] [-verbose]
		[-mkey_convert] [-new_mkey_file mkey_file]
		[-rev] [-recurse] [filename [princs...]]
	load	[-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename
	ark	[-e etype_list] principal
	add_mkey [-e etype] [-s]
	use_mkey kvno [time]
	list_mkeys
	update_princ_encryption [-f] [-n] [-v] [princ-pattern]
	purge_mkeys [-f] [-n] [-v]
	tabdump [-H] [-c] [-e] [-n] [-o outfile] dumptype

where,
	[-x db_args]* - any number of database specific arguments.
			Look at each database documentation for supported arguments
[root@kdc.yinzhengjie.com ~]#
II. Build and install the Kerberos KDC from source
1>. Visit the Kerberos website
Official site: https://web.mit.edu/kerberos/
2>. Download the Kerberos source

[root@kdc.yinzhengjie.com ~]# wget https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-1.18.2.tar.gz
--2020-10-02 16:05:32--  https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-1.18.2.tar.gz
Resolving web.mit.edu (web.mit.edu)... 223.119.137.117, 2600:1417:7800:2a0::255e, 2600:1417:7800:2bb::255e
Connecting to web.mit.edu (web.mit.edu)|223.119.137.117|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8713927 (8.3M) [application/x-tar]
Saving to: ‘krb5-1.18.2.tar.gz’

100%[==================================================================>] 8,713,927   7.60MB/s   in 1.1s

2020-10-02 16:05:33 (7.60 MB/s) - ‘krb5-1.18.2.tar.gz’ saved [8713927/8713927]

[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll
total 8512
-rw-r--r-- 1 root root 8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
3>. Unpack the tarball

[root@kdc.yinzhengjie.com ~]# ll
total 8512
-rw-r--r-- 1 root root 8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# tar xf krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll
total 8512
drwxr-xr-x 4 3622 systemd-journal     116 May 22 08:21 krb5-1.18.2
-rw-r--r-- 1 root root            8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll krb5-1.18.2
total 92
-rw-r--r--  1 3622 systemd-journal   657 May 22 08:21 appveyor.yml
drwxr-xr-x 17 3622 systemd-journal  4096 May 22 08:29 doc
-rw-r--r--  1 3622 systemd-journal 62857 May 22 08:21 NOTICE
-rw-r--r--  1 3622 systemd-journal 16261 May 22 08:21 README
drwxr-xr-x 21 3622 systemd-journal  4096 May 22 08:21 src
[root@kdc.yinzhengjie.com ~]#
4>. Install the build dependencies, enter the source directory and configure the build (a C compiler and make must already be present; this host had them)

[root@kdc.yinzhengjie.com ~]# yum -y install flex bison
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.bit.edu.cn
 * extras: mirror.bit.edu.cn
 * updates: mirror.bit.edu.cn
base                                        | 3.6 kB  00:00:00
extras                                      | 2.9 kB  00:00:00
updates                                     | 2.9 kB  00:00:00
(1/4): base/7/x86_64/primary_db             | 6.1 MB  00:00:01
(2/4): extras/7/x86_64/primary_db           | 206 kB  00:00:00
(3/4): updates/7/x86_64/primary_db          | 4.5 MB  00:00:01
(4/4): base/7/x86_64/group_gz               | 153 kB  00:00:03
Resolving Dependencies
--> Running transaction check
---> Package bison.x86_64 0:3.0.4-2.el7 will be installed
--> Processing Dependency: m4 >= 1.4 for package: bison-3.0.4-2.el7.x86_64
---> Package flex.x86_64 0:2.5.37-6.el7 will be installed
--> Running transaction check
---> Package m4.x86_64 0:1.4.16-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================
 Package        Arch         Version               Repository           Size
=================================================================================
Installing:
 bison          x86_64       3.0.4-2.el7           base                674 k
 flex           x86_64       2.5.37-6.el7          base                293 k
Installing for dependencies:
 m4             x86_64       1.4.16-10.el7         base                256 k

Transaction Summary
=================================================================================
Install  2 Packages (+1 Dependent package)

Total download size: 1.2 M
Installed size: 3.3 M
Downloading packages:
(1/3): flex-2.5.37-6.el7.x86_64.rpm                | 293 kB  00:00:00
(2/3): bison-3.0.4-2.el7.x86_64.rpm                | 674 kB  00:00:00
(3/3): m4-1.4.16-10.el7.x86_64.rpm                 | 256 kB  00:00:00
---------------------------------------------------------------------------------
Total                                     3.1 MB/s | 1.2 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : m4-1.4.16-10.el7.x86_64                    1/3
  Installing : flex-2.5.37-6.el7.x86_64                   2/3
  Installing : bison-3.0.4-2.el7.x86_64                   3/3
  Verifying  : m4-1.4.16-10.el7.x86_64                    1/3
  Verifying  : flex-2.5.37-6.el7.x86_64                   2/3
  Verifying  : bison-3.0.4-2.el7.x86_64                   3/3

Installed:
  bison.x86_64 0:3.0.4-2.el7      flex.x86_64 0:2.5.37-6.el7

Dependency Installed:
  m4.x86_64 0:1.4.16-10.el7

Complete!
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# cd krb5-1.18.2/src/
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]#
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# ./configure --prefix=/yinzhengjie/softwares/kerberos
5>. Build the executables
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# make -j 2
6>. Install Kerberos
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# make install    # if the "make -j 2" step above finished without errors, we can now install Kerberos for real
7>. The Kerberos KDC is installed
As shown in the figure below, after a successful install the prefix we specified (/yinzhengjie/softwares/kerberos) is populated with the expected directories, including bin and sbin.
Tip:
If the build fails, fix the reported error first, run "make clean" to discard the previous build output, and then repeat the steps above.
8>. Configure environment variables
[root@kdc.yinzhengjie.com ~]# vim /etc/profile.d/kerberos.sh    # because we installed the Kerberos KDC from source, we have to set up the environment variables by hand so the commands are on the PATH
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# cat /etc/profile.d/kerberos.sh
#Add ${KERBEROS_HOME} by yinzhengjie
KERBEROS_HOME=/yinzhengjie/softwares/kerberos
PATH=$PATH:$KERBEROS_HOME/bin:$KERBEROS_HOME/sbin
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# source /etc/profile.d/kerberos.sh
[root@kdc.yinzhengjie.com ~]#
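The source-build procedure of steps 2 through 8 collected into one script, with a post-install check of the prefix and generation of the profile.d entry. This is an added example, not code from the original post or from MIT krb5. The version, prefix and download URL are the ones used above; the detached `.asc` signature next to the tarball is an assumption about MIT's release layout, and verifying it requires the MIT release-signing key to already be in root's gpg keyring. The check functions run without root or network, so the file can also be sourced just to reuse them.

```bash
#!/bin/bash
# Added example, not code from the original post or from MIT krb5: the source
# build described above as one script, plus a post-install check of the prefix
# and generation of the /etc/profile.d entry. Version, prefix and URL are the
# post's; the detached .asc signature is an assumption about MIT's release
# layout and needs the MIT release-signing key already imported into gpg.
set -eu

KRB5_VERSION="${KRB5_VERSION:-1.18.2}"
KRB5_PREFIX="${KRB5_PREFIX:-/yinzhengjie/softwares/kerberos}"
KRB5_BASEURL="https://web.mit.edu/kerberos/dist/krb5/${KRB5_VERSION%.*}"   # .../krb5/1.18

# Binaries a usable KDC install must provide under $prefix/sbin and $prefix/bin.
KRB5_REQUIRED_SBIN="krb5kdc kadmind kadmin.local kdb5_util"
KRB5_REQUIRED_BIN="kinit klist kdestroy kadmin"

# krb5_verify_prefix PREFIX -> 0 if every required binary is present and
# executable, 1 otherwise (the missing ones are listed on stderr).
krb5_verify_prefix() {
    local prefix="$1" missing="" f
    for f in $KRB5_REQUIRED_SBIN; do
        [ -x "$prefix/sbin/$f" ] || missing="$missing sbin/$f"
    done
    for f in $KRB5_REQUIRED_BIN; do
        [ -x "$prefix/bin/$f" ] || missing="$missing bin/$f"
    done
    if [ -n "$missing" ]; then
        echo "missing under $prefix:$missing" >&2
        return 1
    fi
    return 0
}

# krb5_profile_entry PREFIX -> contents of /etc/profile.d/kerberos.sh on stdout
# (the same three lines the post writes by hand).
krb5_profile_entry() {
    printf '#Add ${KERBEROS_HOME} by yinzhengjie\n'
    printf 'KERBEROS_HOME=%s\n' "$1"
    printf 'PATH=$PATH:$KERBEROS_HOME/bin:$KERBEROS_HOME/sbin\n'
}

# krb5_build: download, verify the signature, configure, make, make install,
# then check the result and write the profile entry.
krb5_build() {
    local tarball="krb5-${KRB5_VERSION}.tar.gz"
    yum -y install gcc make flex bison wget gnupg2
    wget -q "${KRB5_BASEURL}/${tarball}"
    wget -q "${KRB5_BASEURL}/${tarball}.asc"        # assumed: MIT's detached PGP signature
    gpg --verify "${tarball}.asc" "$tarball"        # set -e aborts the build on a bad signature
    tar xf "$tarball"
    ( cd "krb5-${KRB5_VERSION}/src" \
      && ./configure --prefix="$KRB5_PREFIX" \
      && make -j 2 \
      && make install )
    krb5_verify_prefix "$KRB5_PREFIX"
    krb5_profile_entry "$KRB5_PREFIX" > /etc/profile.d/kerberos.sh
}

# Only build when asked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "build" ]; then
    krb5_build
fi
```

Run it as `bash build-krb5.sh build` on the KDC host; `source build-krb5.sh` followed by `krb5_verify_prefix /yinzhengjie/softwares/kerberos` is a quick way to confirm an existing install before touching the PATH.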
III. Install the Kerberos client
1>. Install the Kerberos client on all nodes with ansible
[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'jps'
hadoop103.yinzhengjie.com | CHANGED | rc=0 >>
5289 DataNode
10794 Jps
hadoop102.yinzhengjie.com | CHANGED | rc=0 >>
10769 Jps
5301 DataNode
hadoop104.yinzhengjie.com | CHANGED | rc=0 >>
5301 DataNode
10863 Jps
hadoop105.yinzhengjie.com | CHANGED | rc=0 >>
12745 Jps
5294 SecondaryNameNode
hadoop101.yinzhengjie.com | CHANGED | rc=0 >>
7821 Jps
5326 NameNode
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'yum -y install krb5-libs krb5-workstation'    # install the Kerberos client on every node of the HDFS cluster (the package is krb5-libs, not "lkrb5-libs")
2>. Verify that the Kerberos client is installed
[root@hadoop101.yinzhengjie.com ~]# klist    # right after installation, before any configuration, the message below is normal: it means the client is installed and the next step is configuring Kerberos
klist: Credentials cache keyring 'persistent:0:0' not found
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]# kdestroy    # we will use this command later; it destroys the current user's credential cache (the tickets obtained with kinit), not the configuration
[root@hadoop101.yinzhengjie.com ~]#
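The check above relies on reading the `klist` message by eye; across a cluster it is easier to turn exit status plus message into a state. The following is an added example, not code from the original post: a classifier that distinguishes "client not installed" from "installed but no ticket yet" (the normal state right after installation) and from a real error, fed either by running `klist` locally or by the output an `ansible ... -m shell` run returns for each host. The sample `klist` outputs in the test are constructed.

```bash
#!/bin/bash
# Added example, not code from the original post: classify what `klist` reports
# on a client host so a fleet-wide check can tell "krb5-workstation missing"
# from "installed, no ticket yet" (expected after install) and from an error.

# krb5_classify_klist RC OUTPUT -> one of: missing | no-ccache | has-ticket | error
#   RC     : exit status of `klist` (127 when the shell could not find it)
#   OUTPUT : its combined stdout+stderr
krb5_classify_klist() {
    local rc="$1" out="$2"
    if [ "$rc" -eq 127 ]; then
        echo missing          # no klist binary: krb5-workstation is not installed
    elif [ "$rc" -eq 0 ]; then
        echo has-ticket       # a credential cache with tickets exists
    else
        case "$out" in
            *"not found"*|*"No credentials cache"*)
                echo no-ccache ;;   # installed, nobody has run kinit yet: normal after install
            *)
                echo error ;;       # anything else (bad krb5.conf, permissions, ...)
        esac
    fi
}

# krb5_check_local -> classification for this host, running klist for real.
# The `|| rc=$?` keeps a failing klist from aborting a `set -e` caller.
krb5_check_local() {
    local out rc=0
    out=$(klist 2>&1) || rc=$?
    krb5_classify_klist "$rc" "$out"
}

# Fleet version, as typed on the ansible control node (not executed here):
#   ansible all -m shell -a 'klist 2>&1; echo rc=$?'
# then pass each host's rc and output through krb5_classify_klist; any host
# reporting "missing" did not get the yum install, "error" needs a look at
# its krb5.conf before kinit is attempted.
```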
3>. Installing the Kerberos client on Windows
Recommended reading: https://www.cnblogs.com/yinzhengjie/p/13417534.html