Building a Big Data Platform with CDH: Configuring Sentry Authorization Security for the Cluster
Author: 尹正傑
Copyright notice: original work, reproduction prohibited! Violators will be held legally liable.
Although HDFS authorization and ACL-based service-level authorization do play a vital role in authorizing Hadoop users, Hadoop itself has no overall authorization system. Earlier I shared how to configure authentication security for a big data cluster with Kerberos. This post explains authorization security for the big data cluster. Authentication security answers who may access the cluster; authorization security answers what the people who may access the cluster (that is, those who have passed authentication) are allowed to do.
Apache Sentry sets out to provide a unified authorization approach for the Hadoop environment, so that Hadoop administrators can specify precisely which operations a user may perform in the Hadoop system. Sentry's role-based access system lets administrators control user access at a fine-grained level. To set up fine-grained authorization in the cluster, the data must be classified, and the users who need access to a particular data set, together with the access level they need, must be specified. Hive and Sentry can be used together to specify fine-grained authorization.
I. Sentry Basics
1>. What is Sentry
Apache Sentry provides fine-grained, role-based authorization for data stored in HDFS.
Sentry provides role-based access control (RBAC) for HDFS data.
Sentry currently integrates well with Apache Hive, the Hive Metastore/HCatalog, Apache Solr, Impala and HDFS. Sentry is designed as a pluggable authorization engine for Hadoop components. It lets users define authorization rules that validate a user's or application's access requests for Hadoop resources. Sentry is highly modular and can support authorization for the various data models in Hadoop.
2>. Sentry concepts
Authentication
Verifying credentials to reliably identify a user
Authorization
Restricting a user's access to a given resource
User
An individual identified by the underlying authentication system
Group
A set of users, managed by the authentication system
Privilege
An instruction or rule that allows access to an object
Role
A set of privileges, or a template containing multiple access rules
Authorization models
Define the objects governed by authorization rules and the granularity of the permitted operations. In the SQL model, for example, an object can be a database or a table, and an operation can be SELECT, INSERT or CREATE. In the Search model, an object can be an index, a configuration, a collection or a document, and an operation can be query or update.
3>. Three components take part in the authorization process
Sentry Server:
The Sentry RPC Server manages the authorization metadata. It provides a secure interface for retrieving and manipulating that metadata. In CDH 5.13 and later, multiple Sentry Servers can be configured for high availability.
Data Engine:
A data processing application, such as Hive or Impala, that needs authorized access to data or metadata resources. The Data Engine loads the Sentry Plugin, and every client request to access a resource is intercepted and routed to the Sentry Plugin for validation.
Sentry Plugin:
Runs inside the Data Engine. It provides an interface for working with the authorization metadata stored in the Sentry Server, and includes the authorization policy engine that evaluates access requests using the authorization metadata retrieved from the server.
4>. Sentry's authorization control process
Sentry relies on the underlying authentication system, such as Kerberos or LDAP, to identify users. It also uses the group mapping mechanism configured in Hadoop, so that Sentry and the other Hadoop components see the same group mapping. Sentry uses role-based access control (RBAC), an effective mechanism for managing authorization for large numbers of users and data objects within an enterprise. When a new user is created, adding the user to a designated group is enough to give that user all the roles the group holds. Sentry's authorization control process is therefore:
1>. When creating a user, assign the user to a group (through the operating system or LDAP);
2>. Create a Sentry role;
3>. Grant one or more fine-grained privileges to the role;
4>. Grant one or more roles to the group. The users in that group then hold the privileges that correspond to those roles.
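The chain described above (user, group, role, privilege) and the SQL authorization model from the concepts section can be seen end to end in a small model. The following Python code is an added example, not Sentry's own code: it replays the group memberships, roles and grants this post creates later (hive/admin, selector/reads, inserter/writes) and evaluates access requests, where a privilege on the server covers every database, a privilege on a database covers every table, and ALL implies every action. Assumptions of the example: the Sentry server is named server1 (as in the GRANT ON SERVER statement below), the hive user belongs to the hive group, and REVOKE ALL ON DATABASE removes every rule of the role scoped to that database or to one of its tables.

```python
"""Model of the Sentry authorization chain: user -> group -> role -> privilege.

Added example, not Sentry's own code.  Assumptions: server name server1,
hive user in group hive, REVOKE ALL ON DATABASE drops every rule of the role
scoped to that database or to one of its tables.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ACTIONS = {"SELECT", "INSERT", "ALL"}


@dataclass(frozen=True)
class Privilege:
    """One access rule of the SQL model.  database=None means the whole
    server; table=None means the whole database."""
    server: str
    database: Optional[str]
    table: Optional[str]
    action: str

    def covers(self, server: str, database: str, table: str, action: str) -> bool:
        # A rule higher in the hierarchy covers everything below it,
        # and ALL implies every action.
        if self.server != server:
            return False
        if self.database is not None and self.database != database:
            return False
        if self.table is not None and self.table != table:
            return False
        return self.action == "ALL" or self.action == action


class SentryPolicy:
    def __init__(self) -> None:
        self.user_groups: Dict[str, Set[str]] = {}       # group mapping from the OS / LDAP
        self.group_roles: Dict[str, Set[str]] = {}       # GRANT ROLE ... TO GROUP ...
        self.role_privs: Dict[str, Set[Privilege]] = {}  # GRANT ... TO ROLE ...

    def add_user(self, user: str, group: str) -> None:
        """Step 1: the user is placed in a group (useradd -g on every node)."""
        self.user_groups.setdefault(user, set()).add(group)

    def create_role(self, role: str) -> None:
        """Step 2: CREATE ROLE."""
        self.role_privs.setdefault(role, set())

    def grant(self, role: str, priv: Privilege) -> None:
        """Step 3: GRANT <action> ON <object> TO ROLE <role>."""
        if priv.action not in ACTIONS:
            raise ValueError(f"unknown action {priv.action}")
        self.role_privs[role].add(priv)

    def revoke_all_on_database(self, role: str, server: str, database: str) -> None:
        """REVOKE ALL ON DATABASE <db> FROM ROLE <role> (model assumption: drops
        every rule of the role scoped to that database or one of its tables)."""
        self.role_privs[role] = {p for p in self.role_privs[role]
                                 if not (p.server == server and p.database == database)}

    def grant_role(self, role: str, group: str) -> None:
        """Step 4: GRANT ROLE <role> TO GROUP <group>."""
        if role not in self.role_privs:
            raise KeyError(f"role {role} does not exist")
        self.group_roles.setdefault(group, set()).add(role)

    def privileges_of(self, user: str) -> Set[Privilege]:
        """Walk user -> groups -> roles -> privileges."""
        privs: Set[Privilege] = set()
        for group in self.user_groups.get(user, set()):
            for role in self.group_roles.get(group, set()):
                privs |= self.role_privs.get(role, set())
        return privs

    def is_allowed(self, user: str, action: str, server: str,
                   database: str, table: str) -> bool:
        return any(p.covers(server, database, table, action)
                   for p in self.privileges_of(user))


def build_post_policy() -> SentryPolicy:
    """Replay the users, roles and grants made in this post."""
    p = SentryPolicy()
    p.add_user("hive", "hive")            # assumption: hive user is in group hive
    p.add_user("zhangsan", "selector")    # useradd -u 1005 -g selector zhangsan
    p.add_user("lisi", "inserter")        # useradd -u 1006 -g inserter lisi
    p.create_role("admin")
    p.grant("admin", Privilege("server1", None, None, "ALL"))
    p.grant_role("admin", "hive")
    p.create_role("reads")
    p.revoke_all_on_database("reads", "server1", "default")
    p.grant("reads", Privilege("server1", "default", None, "SELECT"))
    p.grant_role("reads", "selector")
    p.create_role("writes")
    p.revoke_all_on_database("writes", "server1", "default")
    p.grant("writes", Privilege("server1", "default", "sample_08", "ALL"))
    p.grant_role("writes", "inserter")
    return p


if __name__ == "__main__":
    policy = build_post_policy()
    for user, action, table in [("zhangsan", "SELECT", "customers"),
                                ("zhangsan", "INSERT", "sample_08"),
                                ("lisi", "INSERT", "sample_08"),
                                ("lisi", "SELECT", "customers"),
                                ("hive", "INSERT", "web_logs")]:
        ok = policy.is_allowed(user, action, "server1", "default", table)
        print(f"{user:9}{action:7} default.{table:10} -> {'allowed' if ok else 'denied'}")
```

Running the script shows why the group mapping must be identical on every node: the decision starts from the user's group, so a user who is in `selector` on one host but not on another gets different answers from different HiveServer2 instances.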
II. Configuring Sentry
1>. Add host name resolution for the virtual machine hosts
2>. Import test data in Hue
For details see: https://www.cnblogs.com/yinzhengjie/p/10940648.html
3>. Add the Sentry service
For details see: https://www.cnblogs.com/yinzhengjie/p/11138776.html
III. Hands-on Sentry authorization example
1>. Create the corresponding users and groups on every node in the cluster
[root@node101.yinzhengjie.org.cn ~]# ansible cdh --list-hosts
  hosts (3):
    node101.yinzhengjie.org.cn
    node102.yinzhengjie.org.cn
    node103.yinzhengjie.org.cn
[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# ansible cdh -m shell -a 'groupadd selector'
node101.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node103.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node102.yinzhengjie.org.cn | SUCCESS | rc=0 >>

[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# ansible cdh -m shell -a 'groupadd inserter'
node101.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node102.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node103.yinzhengjie.org.cn | SUCCESS | rc=0 >>

[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# ansible cdh -m shell -a 'useradd -u 1005 -g selector zhangsan'
node101.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node102.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node103.yinzhengjie.org.cn | SUCCESS | rc=0 >>

[root@node101.yinzhengjie.org.cn ~]# 

[root@node101.yinzhengjie.org.cn ~]# ansible cdh -m shell -a 'useradd -u 1006 -g inserter lisi'
node101.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node102.yinzhengjie.org.cn | SUCCESS | rc=0 >>

node103.yinzhengjie.org.cn | SUCCESS | rc=0 >>

[root@node101.yinzhengjie.org.cn ~]# 
2>. Authenticate with Kerberos
For details on enabling Kerberos see: https://www.cnblogs.com/yinzhengjie/articles/10483362.html
[root@node101.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# find / -name hive.keytab
/opt/cloudera-manager/cm-5.15.1/run/cloudera-scm-agent/process/137-hive-HIVEMETASTORE/hive.keytab     # Note: the higher the number, the more recent the change. We installed from the binary tarball, so the keytab is stored under the directory we specified; a yum-based install puts it directly under "/run/cloudera-scm-agent/process".
/opt/cloudera-manager/cm-5.15.1/run/cloudera-scm-agent/process/136-hive-HIVESERVER2/hive.keytab
/opt/cloudera-manager/cm-5.15.1/run/cloudera-scm-agent/process/109-hive-HIVEMETASTORE/hive.keytab
/opt/cloudera-manager/cm-5.15.1/run/cloudera-scm-agent/process/108-hive-HIVESERVER2/hive.keytab
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# kinit -kt /opt/cloudera-manager/cm-5.15.1/run/cloudera-scm-agent/process/137-hive-HIVEMETASTORE/hive.keytab hive/node101.yinzhengjie.org.cn     # authenticate with the keytab
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# klist     # authentication clearly succeeded
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/node101.yinzhengjie.org.cn@YINZHENGJIE.ORG.CN

Valid starting       Expires              Service principal
07/05/2019 18:37:46  07/06/2019 18:37:46  krbtgt/YINZHENGJIE.ORG.CN@YINZHENGJIE.ORG.CN
	renew until 07/12/2019 18:37:46
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# 
3>. After Kerberos authentication, log in to Hive with the Beeline tool
[root@node101.yinzhengjie.org.cn ~]# ss -ntl | grep 10000
LISTEN     0      50           *:10000                    *:*
[root@node101.yinzhengjie.org.cn ~]# 
[root@node101.yinzhengjie.org.cn ~]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.15.1 by Apache Hive
beeline> 
beeline> 
beeline> !connect jdbc:hive2://node101.yinzhengjie.org.cn:10000/default;principal=hive/node101.yinzhengjie.org.cn@YINZHENGJIE.ORG.CN
scan complete in 1ms
Connecting to jdbc:hive2://node101.yinzhengjie.org.cn:10000/default;principal=hive/node101.yinzhengjie.org.cn@YINZHENGJIE.ORG.CN
Connected to: Apache Hive (version 1.1.0-cdh5.15.1)
Driver: Hive JDBC (version 1.1.0-cdh5.15.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> USE default;
INFO : Compiling command(queryId=hive_20190705185959_acddcade-b843-4155-86f2-cc61bd47c481): USE default
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705185959_acddcade-b843-4155-86f2-cc61bd47c481); Time taken: 0.07 seconds
INFO : Executing command(queryId=hive_20190705185959_acddcade-b843-4155-86f2-cc61bd47c481): USE default
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705185959_acddcade-b843-4155-86f2-cc61bd47c481); Time taken: 0.006 seconds
INFO : OK
No rows affected (0.086 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> SHOW TABLES;
INFO : Compiling command(queryId=hive_20190705185959_0d82de06-bdd7-45b6-a268-1b987d97c150): SHOW TABLES
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=hive_20190705185959_0d82de06-bdd7-45b6-a268-1b987d97c150); Time taken: 0.045 seconds
INFO : Executing command(queryId=hive_20190705185959_0d82de06-bdd7-45b6-a268-1b987d97c150): SHOW TABLES
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705185959_0d82de06-bdd7-45b6-a268-1b987d97c150); Time taken: 0.067 seconds
INFO : OK
+------------+--+
|  tab_name  |
+------------+--+
| customers  |
| sample_07  |
| sample_08  |
| web_logs   |
+------------+--+
4 rows selected (0.134 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
4>. Create the admin role and grant it to the hive group (so every user in the hive group is a Hive administrator)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> CREATE ROLE admin;
INFO : Compiling command(queryId=hive_20190705184646_637a7aa6-6ecb-4928-8a0f-7f382799ba55): CREATE ROLE admin
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705184646_637a7aa6-6ecb-4928-8a0f-7f382799ba55); Time taken: 0.076 seconds
INFO : Executing command(queryId=hive_20190705184646_637a7aa6-6ecb-4928-8a0f-7f382799ba55): CREATE ROLE admin
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705184646_637a7aa6-6ecb-4928-8a0f-7f382799ba55); Time taken: 0.077 seconds
INFO : OK
No rows affected (1.325 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT ALL ON SERVER server1 TO ROLE admin;
INFO : Compiling command(queryId=hive_20190705184949_e61e8fb9-bb59-4398-8371-05c48a7784c5): GRANT ALL ON SERVER server1 TO ROLE admin
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705184949_e61e8fb9-bb59-4398-8371-05c48a7784c5); Time taken: 0.062 seconds
INFO : Executing command(queryId=hive_20190705184949_e61e8fb9-bb59-4398-8371-05c48a7784c5): GRANT ALL ON SERVER server1 TO ROLE admin
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705184949_e61e8fb9-bb59-4398-8371-05c48a7784c5); Time taken: 0.048 seconds
INFO : OK
No rows affected (0.121 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT ROLE admin TO GROUP hive;
INFO : Compiling command(queryId=hive_20190705185050_7a6d6080-2331-4037-8f8e-c60035c9bf17): GRANT ROLE admin TO GROUP hive
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705185050_7a6d6080-2331-4037-8f8e-c60035c9bf17); Time taken: 0.053 seconds
INFO : Executing command(queryId=hive_20190705185050_7a6d6080-2331-4037-8f8e-c60035c9bf17): GRANT ROLE admin TO GROUP hive
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705185050_7a6d6080-2331-4037-8f8e-c60035c9bf17); Time taken: 0.046 seconds
INFO : OK
No rows affected (0.11 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
5>. Create the reads role (reads the test data we generated earlier in the default database with Hue) and grant it to the selector group
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> CREATE ROLE reads;
INFO : Compiling command(queryId=hive_20190705190000_a8f3ebf0-93fa-4984-baf2-af0149f8cb92): CREATE ROLE reads
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190000_a8f3ebf0-93fa-4984-baf2-af0149f8cb92); Time taken: 0.045 seconds
INFO : Executing command(queryId=hive_20190705190000_a8f3ebf0-93fa-4984-baf2-af0149f8cb92): CREATE ROLE reads
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190000_a8f3ebf0-93fa-4984-baf2-af0149f8cb92); Time taken: 0.025 seconds
INFO : OK
No rows affected (0.081 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> REVOKE ALL ON DATABASE default FROM ROLE reads;
INFO : Compiling command(queryId=hive_20190705190101_ab80261e-a4b0-459c-9818-40b780fb19b3): REVOKE ALL ON DATABASE default FROM ROLE reads
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190101_ab80261e-a4b0-459c-9818-40b780fb19b3); Time taken: 0.058 seconds
INFO : Executing command(queryId=hive_20190705190101_ab80261e-a4b0-459c-9818-40b780fb19b3): REVOKE ALL ON DATABASE default FROM ROLE reads
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190101_ab80261e-a4b0-459c-9818-40b780fb19b3); Time taken: 0.047 seconds
INFO : OK
No rows affected (0.115 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT SELECT ON DATABASE defalut TO ROLE reads;
INFO : Compiling command(queryId=hive_20190705190202_6abacb86-4922-49e9-a619-22fbdf88c32a): GRANT SELECT ON DATABASE defalut TO ROLE reads
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190202_6abacb86-4922-49e9-a619-22fbdf88c32a); Time taken: 0.044 seconds
INFO : Executing command(queryId=hive_20190705190202_6abacb86-4922-49e9-a619-22fbdf88c32a): GRANT SELECT ON DATABASE defalut TO ROLE reads
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190202_6abacb86-4922-49e9-a619-22fbdf88c32a); Time taken: 0.02 seconds
INFO : OK
No rows affected (0.073 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT ROLE reads TO GROUP selector;
INFO : Compiling command(queryId=hive_20190705190303_c07118d5-3c09-4249-8b12-8237d6c8f513): GRANT ROLE reads TO GROUP selector
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190303_c07118d5-3c09-4249-8b12-8237d6c8f513); Time taken: 0.051 seconds
INFO : Executing command(queryId=hive_20190705190303_c07118d5-3c09-4249-8b12-8237d6c8f513): GRANT ROLE reads TO GROUP selector
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190303_c07118d5-3c09-4249-8b12-8237d6c8f513); Time taken: 0.018 seconds
INFO : OK
No rows affected (0.081 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
6>. Create the writes role (read and write the sample_08 table in the default database) and grant it to the inserter group
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> CREATE ROLE writes;
INFO : Compiling command(queryId=hive_20190705190404_28fad467-b059-4355-861c-9ab0885f9f74): CREATE ROLE writes
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190404_28fad467-b059-4355-861c-9ab0885f9f74); Time taken: 0.051 seconds
INFO : Executing command(queryId=hive_20190705190404_28fad467-b059-4355-861c-9ab0885f9f74): CREATE ROLE writes
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190404_28fad467-b059-4355-861c-9ab0885f9f74); Time taken: 0.013 seconds
INFO : OK
No rows affected (0.074 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> REVOKE ALL ON DATABASE default FROM ROLE writes;
INFO : Compiling command(queryId=hive_20190705190505_efbed76d-b986-4d9b-9510-7d35485bfd9a): REVOKE ALL ON DATABASE default FROM ROLE writes
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190505_efbed76d-b986-4d9b-9510-7d35485bfd9a); Time taken: 0.052 seconds
INFO : Executing command(queryId=hive_20190705190505_efbed76d-b986-4d9b-9510-7d35485bfd9a): REVOKE ALL ON DATABASE default FROM ROLE writes
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190505_efbed76d-b986-4d9b-9510-7d35485bfd9a); Time taken: 0.013 seconds
INFO : OK
No rows affected (0.076 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT ALL ON default.sample_08 TO ROLE writes;
INFO : Compiling command(queryId=hive_20190705190707_26a1cd08-ec9e-46b9-9368-f4401e349cfd): GRANT ALL ON defult.sample_08 TO ROLE writes
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190707_26a1cd08-ec9e-46b9-9368-f4401e349cfd); Time taken: 0.055 seconds
INFO : Executing command(queryId=hive_20190705190707_26a1cd08-ec9e-46b9-9368-f4401e349cfd): GRANT ALL ON defult.sample_08 TO ROLE writes
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190707_26a1cd08-ec9e-46b9-9368-f4401e349cfd); Time taken: 0.021 seconds
INFO : OK
No rows affected (0.084 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> GRANT ROLE writes TO GROUP inserter;
INFO : Compiling command(queryId=hive_20190705190707_ef1970b1-4c27-450b-8468-ecdf27e6ee33): GRANT ROLE writes TO GROUP inserter
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO : Completed compiling command(queryId=hive_20190705190707_ef1970b1-4c27-450b-8468-ecdf27e6ee33); Time taken: 0.043 seconds
INFO : Executing command(queryId=hive_20190705190707_ef1970b1-4c27-450b-8468-ecdf27e6ee33): GRANT ROLE writes TO GROUP inserter
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=hive_20190705190707_ef1970b1-4c27-450b-8468-ecdf27e6ee33); Time taken: 0.014 seconds
INFO : OK
No rows affected (0.065 seconds)
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
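One thing the transcripts in sections 5 and 6 show is that HiveServer2 answers `INFO : OK` to a GRANT even when the object name is misspelled (`defalut` in the reads section, and the log of the writes section shows `defult.sample_08`): the privilege is recorded against an object that does not exist, so the role silently confers nothing on the real database or table. The following Python script is an added example, not part of this post or of Sentry: it parses the CREATE ROLE, GRANT and REVOKE statements used in this post and checks every server, database and table name against a catalog before the statements are pasted into beeline. The catalog (constructed from the SHOW TABLES output in section 3), the server name server1 and the grammar subset it accepts are assumptions of the example.

```python
"""Sanity-check Sentry GRANT/REVOKE statements before running them in beeline.

Added example, not part of this post or of Sentry.  Object names are checked
against a catalog constructed from the SHOW TABLES output above; the grammar
covered is the subset of statements this post uses.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

SERVER = "server1"   # assumption: the Sentry server name used in GRANT ... ON SERVER

# constructed catalog: the tables SHOW TABLES listed in the default database
CATALOG = {"default": {"customers", "sample_07", "sample_08", "web_logs"}}

PRIV_RE = re.compile(
    r"^(GRANT|REVOKE)\s+(ALL|SELECT|INSERT)\s+ON\s+"
    r"(?:(SERVER|DATABASE|TABLE)\s+)?([\w.]+)\s+(?:TO|FROM)\s+ROLE\s+(\w+)\s*;?$",
    re.IGNORECASE)
ROLE_RE = re.compile(
    r"^(GRANT|REVOKE)\s+ROLE\s+(\w+)\s+(?:TO|FROM)\s+GROUP\s+(\w+)\s*;?$",
    re.IGNORECASE)
CREATE_RE = re.compile(r"^CREATE\s+ROLE\s+(\w+)\s*;?$", re.IGNORECASE)


class Stmt(NamedTuple):
    verb: str                      # GRANT / REVOKE / CREATE
    role: str
    action: Optional[str] = None   # ALL / SELECT / INSERT (privilege statements only)
    level: Optional[str] = None    # SERVER / DATABASE / TABLE
    obj: Optional[str] = None      # server1, default or default.sample_08
    group: Optional[str] = None    # role-to-group statements only


def parse(sql: str) -> Stmt:
    """Parse one statement into its parts; reject anything outside the subset."""
    s = sql.strip()
    m = CREATE_RE.match(s)
    if m:
        return Stmt("CREATE", m.group(1))
    m = ROLE_RE.match(s)
    if m:
        return Stmt(m.group(1).upper(), m.group(2), group=m.group(3))
    m = PRIV_RE.match(s)
    if m:
        verb, action, level, obj, role = m.groups()
        level = (level or "TABLE").upper()   # "ON db.tbl" with no keyword names a table
        return Stmt(verb.upper(), role, action.upper(), level, obj)
    raise ValueError(f"unsupported statement: {sql!r}")


def check_object(stmt: Stmt, catalog=CATALOG, server=SERVER) -> Optional[str]:
    """Return a problem description, or None when the object exists."""
    if stmt.level is None:                      # CREATE ROLE / GRANT ROLE: no object
        return None
    if stmt.level == "SERVER":
        return None if stmt.obj == server else f"unknown server {stmt.obj!r}"
    if stmt.level == "DATABASE":
        return None if stmt.obj in catalog else f"unknown database {stmt.obj!r}"
    db, _, table = stmt.obj.rpartition(".")
    db = db or "default"                         # unqualified name: current database
    if db not in catalog:
        return f"unknown database {db!r}"
    if table not in catalog[db]:
        return f"unknown table {db}.{table}"
    return None


def validate(statements) -> List[Tuple[str, str]]:
    """Collect (statement, problem) for every statement naming a missing object."""
    problems = []
    for sql in statements:
        problem = check_object(parse(sql))
        if problem:
            problems.append((sql.strip(), problem))
    return problems


# the statements issued in this post, including the misspelled one
POST_STATEMENTS = [
    "CREATE ROLE admin;",
    "GRANT ALL ON SERVER server1 TO ROLE admin;",
    "GRANT ROLE admin TO GROUP hive;",
    "CREATE ROLE reads;",
    "REVOKE ALL ON DATABASE default FROM ROLE reads;",
    "GRANT SELECT ON DATABASE defalut TO ROLE reads;",
    "GRANT ROLE reads TO GROUP selector;",
    "CREATE ROLE writes;",
    "REVOKE ALL ON DATABASE default FROM ROLE writes;",
    "GRANT ALL ON default.sample_08 TO ROLE writes;",
    "GRANT ROLE writes TO GROUP inserter;",
]

if __name__ == "__main__":
    for sql, problem in validate(POST_STATEMENTS):
        print(f"{problem}: {sql}")
```

The catalog can be refreshed from `SHOW DATABASES` and `SHOW TABLES IN <db>` before each run; the point of the check is that a typo in a privilege object is an authorization gap that Sentry does not report, so it has to be caught before the GRANT or found later by `SHOW GRANT ROLE <role>`.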
7>. Log in to the KDC server and create the corresponding test users
[root@node104.yinzhengjie.org.cn ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.ORG.CN with password.
kadmin.local:  
kadmin.local:  addprinc zhangsan
WARNING: no policy specified for zhangsan@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "zhangsan@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "zhangsan@YINZHENGJIE.ORG.CN": 
Principal "zhangsan@YINZHENGJIE.ORG.CN" created.
kadmin.local:  
kadmin.local:  addprinc lisi
WARNING: no policy specified for lisi@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "lisi@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "lisi@YINZHENGJIE.ORG.CN": 
Principal "lisi@YINZHENGJIE.ORG.CN" created.
kadmin.local:  
kadmin.local:  xst -k /etc/security/zhangsan.keytab zhangsan
Entry for principal zhangsan with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/zhangsan.keytab.
Entry for principal zhangsan with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/zhangsan.keytab.
kadmin.local:  
kadmin.local:  xst -k /etc/security/lisi.keytab lisi
Entry for principal lisi with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/lisi.keytab.
Entry for principal lisi with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/lisi.keytab.
kadmin.local:  
kadmin.local:  quit
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# ll /etc/security/*.keytab
-rw------- 1 root root 546 Jul  5 19:12 /etc/security/lisi.keytab
-rw------- 1 root root 578 Jul  5 19:12 /etc/security/zhangsan.keytab
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# scp /etc/security/*.keytab root@node102.yinzhengjie.org.cn:/etc/security/
root@node102.yinzhengjie.org.cn's password: 
lisi.keytab                                   100%  546   147.4KB/s   00:00    
zhangsan.keytab                               100%  578   387.9KB/s   00:00    
[root@node104.yinzhengjie.org.cn ~]# 
[root@node104.yinzhengjie.org.cn ~]# 
8>. Test with the zhangsan user
[root@node102.yinzhengjie.org.cn ~]# ll /etc/security/*.keytab
-rw------- 1 root root 546 Jul  5 19:16 /etc/security/lisi.keytab
-rw------- 1 root root 578 Jul  5 19:16 /etc/security/zhangsan.keytab
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# kinit -kt /etc/security/zhangsan.keytab zhangsan
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: zhangsan@YINZHENGJIE.ORG.CN

Valid starting       Expires              Service principal
07/05/2019 19:17:38  07/06/2019 19:17:38  krbtgt/YINZHENGJIE.ORG.CN@YINZHENGJIE.ORG.CN
	renew until 07/12/2019 19:17:38
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# 
[root@node102.yinzhengjie.org.cn ~]# beeline
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; support was removed in 8.0
Beeline version 1.1.0-cdh5.15.1 by Apache Hive
beeline> !connect jdbc:hive2://node101.yinzhengjie.org.cn:10000/default;principal=hive/node101.yinzhengjie.org.cn@YINZHENGJIE.ORG.CN
scan complete in 2ms
Connecting to jdbc:hive2://node101.yinzhengjie.org.cn:10000/default;principal=hive/node101.yinzhengjie.org.cn@YINZHENGJIE.ORG.CN
Connected to: Apache Hive (version 1.1.0-cdh5.15.1)
Driver: Hive JDBC (version 1.1.0-cdh5.15.1)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
0: jdbc:hive2://node101.yinzhengjie.org.cn:10> 
9>. Test with the lisi user
10>.