Deploying Kerberos: a hands-on walkthrough
Author: 尹正傑
Copyright notice: original work, reproduction prohibited; violators will be held legally liable.
To set up Kerberos authentication you must first install and then configure the Kerberos software. Installing Kerberos means installing the KDC on one cluster node and then the Kerberos client on every cluster node; configuring Kerberos means configuring the things the KDC manages, such as ticket lifetimes.
I. Installing Kerberos with yum (recommended, since it is by far the simplest way)
1>. Install Kerberos with yum

[root@kdc.yinzhengjie.com ~]# yum -y install krb5-server
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirrors.huaweicloud.com
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz                            | 153 kB  00:00:00
(2/4): extras/7/x86_64/primary_db                        | 206 kB  00:00:00
(3/4): updates/7/x86_64/primary_db                       | 4.5 MB  00:00:01
(4/4): base/7/x86_64/primary_db                          | 6.1 MB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package krb5-server.x86_64 0:1.15.1-46.el7 will be installed
base/7/x86_64/filelists_db                               | 7.1 MB  00:00:01
--> Processing Dependency: libkadm5(x86-64) = 1.15.1-46.el7 for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-46.el7 for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: libverto-module-base for package: krb5-server-1.15.1-46.el7.x86_64
--> Processing Dependency: /usr/share/dict/words for package: krb5-server-1.15.1-46.el7.x86_64
extras/7/x86_64/filelists_db                             | 217 kB  00:00:00
updates/7/x86_64/filelists_db                            | 2.4 MB  00:00:00
--> Running transaction check
---> Package krb5-libs.x86_64 0:1.15.1-37.el7_7.2 will be updated
--> Processing Dependency: krb5-libs(x86-64) = 1.15.1-37.el7_7.2 for package: krb5-devel-1.15.1-37.el7_7.2.x86_64
---> Package krb5-libs.x86_64 0:1.15.1-46.el7 will be an update
---> Package libkadm5.x86_64 0:1.15.1-37.el7_7.2 will be updated
---> Package libkadm5.x86_64 0:1.15.1-46.el7 will be an update
---> Package libverto-libevent.x86_64 0:0.2.5-4.el7 will be installed
---> Package words.noarch 0:3.0-22.el7 will be installed
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.15.1-37.el7_7.2 will be updated
---> Package krb5-devel.x86_64 0:1.15.1-46.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package               Arch       Version               Repository       Size
================================================================================
Installing:
 krb5-server           x86_64     1.15.1-46.el7         base            1.0 M
Installing for dependencies:
 libverto-libevent     x86_64     0.2.5-4.el7           base            8.9 k
 words                 noarch     3.0-22.el7            base            1.4 M
Updating for dependencies:
 krb5-devel            x86_64     1.15.1-46.el7         base            272 k
 krb5-libs             x86_64     1.15.1-46.el7         base            809 k
 libkadm5              x86_64     1.15.1-46.el7         base            179 k

Transaction Summary
================================================================================
Install  1 Package  (+2 Dependent packages)
Upgrade             ( 3 Dependent packages)

Total download size: 3.6 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/6): krb5-devel-1.15.1-46.el7.x86_64.rpm               | 272 kB  00:00:00
(2/6): krb5-libs-1.15.1-46.el7.x86_64.rpm                | 809 kB  00:00:00
(3/6): libkadm5-1.15.1-46.el7.x86_64.rpm                 | 179 kB  00:00:00
(4/6): krb5-server-1.15.1-46.el7.x86_64.rpm              | 1.0 MB  00:00:00
(5/6): libverto-libevent-0.2.5-4.el7.x86_64.rpm          | 8.9 kB  00:00:00
(6/6): words-3.0-22.el7.noarch.rpm                       | 1.4 MB  00:00:00
--------------------------------------------------------------------------------
Total                                           5.0 MB/s | 3.6 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : krb5-libs-1.15.1-46.el7.x86_64                            1/9
  Updating   : libkadm5-1.15.1-46.el7.x86_64                             2/9
  Installing : words-3.0-22.el7.noarch                                   3/9
  Installing : libverto-libevent-0.2.5-4.el7.x86_64                      4/9
  Installing : krb5-server-1.15.1-46.el7.x86_64                          5/9
  Updating   : krb5-devel-1.15.1-46.el7.x86_64                           6/9
  Cleanup    : krb5-devel-1.15.1-37.el7_7.2.x86_64                       7/9
  Cleanup    : libkadm5-1.15.1-37.el7_7.2.x86_64                         8/9
  Cleanup    : krb5-libs-1.15.1-37.el7_7.2.x86_64                        9/9
  Verifying  : krb5-devel-1.15.1-46.el7.x86_64                           1/9
  Verifying  : libverto-libevent-0.2.5-4.el7.x86_64                      2/9
  Verifying  : krb5-server-1.15.1-46.el7.x86_64                          3/9
  Verifying  : words-3.0-22.el7.noarch                                   4/9
  Verifying  : libkadm5-1.15.1-46.el7.x86_64                             5/9
  Verifying  : krb5-libs-1.15.1-46.el7.x86_64                            6/9
  Verifying  : krb5-devel-1.15.1-37.el7_7.2.x86_64                       7/9
  Verifying  : krb5-libs-1.15.1-37.el7_7.2.x86_64                        8/9
  Verifying  : libkadm5-1.15.1-37.el7_7.2.x86_64                         9/9

Installed:
  krb5-server.x86_64 0:1.15.1-46.el7

Dependency Installed:
  libverto-libevent.x86_64 0:0.2.5-4.el7          words.noarch 0:3.0-22.el7

Dependency Updated:
  krb5-devel.x86_64 0:1.15.1-46.el7    krb5-libs.x86_64 0:1.15.1-46.el7    libkadm5.x86_64 0:1.15.1-46.el7

Complete!
[root@kdc.yinzhengjie.com ~]#
2>. Check the installed version

[root@kdc.yinzhengjie.com ~]# yum list krb5-server
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.huaweicloud.com
 * extras: mirrors.bfsu.edu.cn
 * updates: mirrors.bfsu.edu.cn
Installed Packages
krb5-server.x86_64                    1.15.1-46.el7                      @base
[root@kdc.yinzhengjie.com ~]#
3>. Verify that the KDC was installed successfully

[root@kdc.yinzhengjie.com ~]# kdb5_util
Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]
                 [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]
        create  [-s]
        destroy [-f]
        stash   [-f keyfile]
        dump    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]
                [-mkey_convert] [-new_mkey_file mkey_file]
                [-rev] [-recurse] [filename [princs...]]
        load    [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename
        ark     [-e etype_list] principal
        add_mkey [-e etype] [-s]
        use_mkey kvno [time]
        list_mkeys
        update_princ_encryption [-f] [-n] [-v] [princ-pattern]
        purge_mkeys [-f] [-n] [-v]
        tabdump [-H] [-c] [-e] [-n] [-o outfile] dumptype

where,
        [-x db_args]* - any number of database specific arguments.
                        Look at each database documentation for supported arguments
[root@kdc.yinzhengjie.com ~]#
Seeing the usage text only proves that the KDC binaries are installed. No realm database or master key exists yet; those are created during the configuration step with "kdb5_util create", so the krb5kdc and kadmind daemons cannot be started at this point.
II. Building and installing the Kerberos KDC from source
1>. Visit the Kerberos website
Official site: https://web.mit.edu/kerberos/
2>. Download the Kerberos software

[root@kdc.yinzhengjie.com ~]# wget https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-1.18.2.tar.gz
--2020-10-02 16:05:32--  https://web.mit.edu/kerberos/dist/krb5/1.18/krb5-1.18.2.tar.gz
Resolving web.mit.edu (web.mit.edu)... 223.119.137.117, 2600:1417:7800:2a0::255e, 2600:1417:7800:2bb::255e
Connecting to web.mit.edu (web.mit.edu)|223.119.137.117|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8713927 (8.3M) [application/x-tar]
Saving to: ‘krb5-1.18.2.tar.gz’

100%[==============================================>] 8,713,927   7.60MB/s   in 1.1s

2020-10-02 16:05:33 (7.60 MB/s) - ‘krb5-1.18.2.tar.gz’ saved [8713927/8713927]

[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll
total 8512
-rw-r--r-- 1 root root 8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
HTTPS only protects the transfer; it says nothing about whether the archive is the one MIT released. MIT publishes a detached PGP signature next to each tarball (krb5-1.18.2.tar.gz.asc in the same directory) and the release announcement carries the SHA-256 digest; verify one of them before building, since whatever you compile here becomes the trust anchor for the whole cluster. That check was not performed in the run shown above.
3>. Unpack the tarball

[root@kdc.yinzhengjie.com ~]# ll
total 8512
-rw-r--r-- 1 root root 8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# tar xf krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll
total 8512
drwxr-xr-x 4 3622 systemd-journal     116 May 22 08:21 krb5-1.18.2
-rw-r--r-- 1 root root            8713927 May 22 09:05 krb5-1.18.2.tar.gz
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# ll krb5-1.18.2
total 92
-rw-r--r-- 1 3622 systemd-journal   657 May 22 08:21 appveyor.yml
drwxr-xr-x 17 3622 systemd-journal 4096 May 22 08:29 doc
-rw-r--r-- 1 3622 systemd-journal 62857 May 22 08:21 NOTICE
-rw-r--r-- 1 3622 systemd-journal 16261 May 22 08:21 README
drwxr-xr-x 21 3622 systemd-journal 4096 May 22 08:21 src
[root@kdc.yinzhengjie.com ~]#
The odd owner "3622 systemd-journal" is not an error: tar run as root preserves the numeric uid/gid stored in the archive, and on this host uid 3622 maps to no user while the gid happens to map to systemd-journal. It has no effect on the build.
4>. Enter the source directory and configure the build

[root@kdc.yinzhengjie.com ~]# yum -y install flex bison
Loaded plugins: fastestmirror
Determining fastest mirrors
 * base: mirror.bit.edu.cn
 * extras: mirror.bit.edu.cn
 * updates: mirror.bit.edu.cn
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
(1/4): base/7/x86_64/primary_db                          | 6.1 MB  00:00:01
(2/4): extras/7/x86_64/primary_db                        | 206 kB  00:00:00
(3/4): updates/7/x86_64/primary_db                       | 4.5 MB  00:00:01
(4/4): base/7/x86_64/group_gz                            | 153 kB  00:00:03
Resolving Dependencies
--> Running transaction check
---> Package bison.x86_64 0:3.0.4-2.el7 will be installed
--> Processing Dependency: m4 >= 1.4 for package: bison-3.0.4-2.el7.x86_64
---> Package flex.x86_64 0:2.5.37-6.el7 will be installed
--> Running transaction check
---> Package m4.x86_64 0:1.4.16-10.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch           Version                 Repository          Size
================================================================================
Installing:
 bison         x86_64         3.0.4-2.el7             base               674 k
 flex          x86_64         2.5.37-6.el7            base               293 k
Installing for dependencies:
 m4            x86_64         1.4.16-10.el7           base               256 k

Transaction Summary
================================================================================
Install  2 Packages (+1 Dependent package)

Total download size: 1.2 M
Installed size: 3.3 M
Downloading packages:
(1/3): flex-2.5.37-6.el7.x86_64.rpm                      | 293 kB  00:00:00
(2/3): bison-3.0.4-2.el7.x86_64.rpm                      | 674 kB  00:00:00
(3/3): m4-1.4.16-10.el7.x86_64.rpm                       | 256 kB  00:00:00
--------------------------------------------------------------------------------
Total                                           3.1 MB/s | 1.2 MB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : m4-1.4.16-10.el7.x86_64                                   1/3
  Installing : flex-2.5.37-6.el7.x86_64                                  2/3
  Installing : bison-3.0.4-2.el7.x86_64                                  3/3
  Verifying  : m4-1.4.16-10.el7.x86_64                                   1/3
  Verifying  : flex-2.5.37-6.el7.x86_64                                  2/3
  Verifying  : bison-3.0.4-2.el7.x86_64                                  3/3

Installed:
  bison.x86_64 0:3.0.4-2.el7          flex.x86_64 0:2.5.37-6.el7

Dependency Installed:
  m4.x86_64 0:1.4.16-10.el7

Complete!
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# cd krb5-1.18.2/src/
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]#
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# ./configure --prefix=/yinzhengjie/softwares/kerberos
The configure script needs a lex/yacc pair, which is why flex and bison are installed first; it also needs a C compiler and make, which this walkthrough does not install, so make sure gcc and make are present before running it. The --prefix option decides where the whole tree (bin, sbin, lib, and so on) ends up, so it must match the path used for the environment variables later on.
5>. Build the binaries
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# make -j 2
6>. Install Kerberos
[root@kdc.yinzhengjie.com ~/krb5-1.18.2/src]# make install   # If the "make -j 2" step above finished without errors, we can now install Kerberos for real.
7>. The Kerberos KDC is installed
As shown in the figure, after a successful install the prefix we specified contains the generated directories (bin, sbin, lib and the rest of the tree).
Tip:
If the build or install fails, fix the problem the error message points at, run "make clean" to discard the previous build output, and then repeat the steps above from configure onward.
8>. Configure the environment variables
[root@kdc.yinzhengjie.com ~]# vim /etc/profile.d/kerberos.sh   # Because we installed the Kerberos KDC from source, we set up the environment variables by hand so the commands can be called directly.
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# cat /etc/profile.d/kerberos.sh
#Add ${KERBEROS_HOME} by yinzhengjie
KERBEROS_HOME=/yinzhengjie/softwares/kerberos
PATH=$PATH:$KERBEROS_HOME/bin:$KERBEROS_HOME/sbin
[root@kdc.yinzhengjie.com ~]#
[root@kdc.yinzhengjie.com ~]# source /etc/profile.d/kerberos.sh
[root@kdc.yinzhengjie.com ~]#
Note that /etc/profile.d is only read by login shells. Services started by systemd, cron jobs and ansible tasks do not see this PATH, so when you later write unit files for krb5kdc and kadmind, or script the KDC from another host, use the absolute paths under the prefix rather than relying on this file.
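The source-build procedure above fetches the tarball over HTTPS and builds it without checking what was fetched, and "make install" is taken on faith. The script below is an added example, not code from the original post or from MIT: it gates the build on a SHA-256 digest obtained out of band (and, optionally, on MIT's detached PGP signature), checks that the toolchain configure needs is present, and after "make install" confirms that the daemons and client tools actually landed under the prefix. The prefix path reused here is the one the post chose; the digest value, the file names and the function names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): pre-build and post-install
# checks for a source-built MIT krb5 KDC. The digest you pass in, the file
# names and the function names are this example's assumptions.
set -eu

# Compare a downloaded tarball's SHA-256 against a digest obtained out of
# band (the MIT release announcement or your own vetted record).
# Exit status 0 = match, 1 = mismatch, so it can gate the build.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Stronger check: MIT ships a detached PGP signature next to each tarball
# (krb5-<ver>.tar.gz.asc). This succeeds only if the MIT release signing key
# is already in the local keyring; it is not exercised by the test harness.
verify_pgp() {
    local file="$1"
    gpg --verify "${file}.asc" "$file"
}

# The tools ./configure needs: a C compiler, make, and the flex/bison pair
# the post installs with yum. Prints what is missing and returns 1.
check_build_deps() {
    local missing=""
    for tool in gcc make flex bison; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] || { echo "missing build tools:$missing" >&2; return 1; }
}

# After 'make install', confirm the KDC daemons and client tools exist and
# are executable under the prefix (e.g. /yinzhengjie/softwares/kerberos).
check_kdc_install() {
    local prefix="$1" rel
    for rel in sbin/krb5kdc sbin/kadmind sbin/kdb5_util sbin/kadmin.local bin/kinit bin/klist; do
        [ -x "$prefix/$rel" ] || { echo "missing $prefix/$rel" >&2; return 1; }
    done
}

# Typical use, each step gated on the previous one (EXPECTED_SHA256 is the
# digest you recorded from the release announcement):
#   verify_sha256 krb5-1.18.2.tar.gz "$EXPECTED_SHA256" \
#     && verify_pgp krb5-1.18.2.tar.gz \
#     && check_build_deps \
#     && tar xf krb5-1.18.2.tar.gz \
#     && (cd krb5-1.18.2/src && ./configure --prefix=/yinzhengjie/softwares/kerberos && make -j 2 && make install) \
#     && check_kdc_install /yinzhengjie/softwares/kerberos
```

Source the file and call the functions from your build script; a non-zero return from any of them stops the chain before a tampered archive is compiled or a half-installed tree is put on PATH.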
III. Installing the Kerberos client
1>. Install the Kerberos client on every node with ansible
[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'jps'
hadoop103.yinzhengjie.com | CHANGED | rc=0 >>
5289 DataNode
10794 Jps
hadoop102.yinzhengjie.com | CHANGED | rc=0 >>
10769 Jps
5301 DataNode
hadoop104.yinzhengjie.com | CHANGED | rc=0 >>
5301 DataNode
10863 Jps
hadoop105.yinzhengjie.com | CHANGED | rc=0 >>
12745 Jps
5294 SecondaryNameNode
hadoop101.yinzhengjie.com | CHANGED | rc=0 >>
7821 Jps
5326 NameNode
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'yum -y install krb5-libs krb5-workstation'   # Install the Kerberos client on every node of the HDFS cluster
The package names are krb5-libs and krb5-workstation (the original command had a stray "l" in front of krb5-libs, which yum would reject). krb5-workstation provides kinit, klist, kdestroy and the kadmin client; krb5-libs is the shared library every Kerberized service links against and is already present on a stock CentOS 7 host, so listing it here only makes sure it is updated to a matching version. Running yum through the shell module works, but it is not idempotent and yum's exit status is the only feedback you get; ansible's yum module reports per-host changes and is the better choice for a fleet.
2>. Verify that the Kerberos client is installed
[root@hadoop101.yinzhengjie.com ~]# klist   # Note: right after installation, before any configuration file has been touched, the message below is normal; seeing it means the Kerberos client is installed and what remains is to configure it.
klist: Credentials cache keyring 'persistent:0:0' not found
[root@hadoop101.yinzhengjie.com ~]#
[root@hadoop101.yinzhengjie.com ~]# kdestroy   # We will use this command later; it destroys the current credential cache (the tickets obtained with kinit), not the configuration.
[root@hadoop101.yinzhengjie.com ~]#
On CentOS 7 the default credential cache lives in the kernel keyring, and 'persistent:0:0' is the cache for uid 0, so klist is simply reporting that root holds no tickets yet. A "command not found" error instead of this message would mean krb5-workstation did not install.
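The verification above is done by hand on one node and relies on reading the klist message. The script below is an added example, not code from the original post: it turns the same check into something that can be pushed to every node with ansible's script module and tells apart "client not installed" (klist missing), "installed but no tickets yet" (the keyring message shown above) and "tickets present", and it also reports whether /etc/krb5.conf still lacks an uncommented default_realm, which is the state a fresh install is in until the configuration step is done. The script name, the KRB5_CHECK_RUN switch and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): post-install checks for a
# Kerberos client node, meant to be run on every node, for instance with
#   ansible all -m script -a check_krb5_client.sh
# Script name, KRB5_CHECK_RUN switch and function names are this example's own.
set -u

# The client tools krb5-workstation provides; prints what is missing.
check_client_tools() {
    local missing=""
    for tool in kinit klist kdestroy; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    [ -z "$missing" ] || { echo "missing client tools:$missing" >&2; return 1; }
}

# Classify what 'klist' says on this node:
#   cache-present  exit 0: a credential cache with tickets exists
#   no-cache       other non-zero exit, e.g. "Credentials cache keyring
#                  'persistent:0:0' not found": the tool works, nothing is
#                  cached yet (normal right after install)
#   not-installed  exit 127: the shell could not find klist at all
classify_klist() {
    local rc=0
    klist >/dev/null 2>&1 || rc=$?
    case $rc in
        0)   echo "cache-present" ;;
        127) echo "not-installed" ;;
        *)   echo "no-cache" ;;
    esac
}

# 0 if krb5.conf names a realm via an uncommented default_realm line. The
# stock /etc/krb5.conf shipped by krb5-libs leaves that line commented out,
# so a fresh install returns 1 here until the configuration step is done.
krb5_conf_has_realm() {
    local conf="${1:-/etc/krb5.conf}"
    [ -r "$conf" ] && grep -Eq '^[[:space:]]*default_realm[[:space:]]*=' "$conf"
}

main() {
    check_client_tools || return 1
    echo "klist: $(classify_klist)"
    if krb5_conf_has_realm; then
        echo "krb5.conf: default_realm is set"
    else
        echo "krb5.conf: no default_realm yet; configure it before running kinit"
    fi
}

# Run the report only when asked, so the file can also be sourced for its functions.
if [ "${KRB5_CHECK_RUN:-}" = "1" ]; then
    main
fi
```

Run it on a node with "KRB5_CHECK_RUN=1 bash check_krb5_client.sh"; a node that prints "klist: no-cache" and "no default_realm yet" is exactly the state the walkthrough expects at this point, while "not-installed" or a missing-tools line means the yum step did not complete there.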
3>. Installing the Kerberos client on Windows
Recommended reading: https://www.cnblogs.com/yinzhengjie/p/13417534.html