Kerberos Setup for Hadoop
Author: Yin Zhengjie
Copyright notice: original work, reposting is not permitted! Violators will be held legally liable.
I. Creating the Kerberos database
1>. Overview of the Kerberos database
The Kerberos database contains all of the realm's Kerberos principals, their passwords, and other administrative information about each principal. For the most part you will use the kdb5_util program to manipulate the Kerberos database as a whole, and the kadmin program to make changes to the entries in the database. (One notable exception is that users will use the kpasswd program to change their own passwords.) The kadmin program has its own command-line interface, into which you type database administration commands.
kdb5_util provides a means to create, delete, load, or dump a Kerberos database. It also contains commands to roll over the database master key and to store a copy of the key so that the kadmind and krb5kdc daemons can use the database without manual input.
kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs). Normally it operates as a network client using Kerberos authentication to communicate with kadmind, but there is also a variant, named kadmin.local, which directly accesses the Kerberos database on the local filesystem (or through LDAP). kadmin.local is required to set up enough of the database to be able to use the remote version.
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/database.html
2>. Database types supported by Kerberos
We know that Kerberos consists of three components: the database, the AS and the TGS. A database must be created before anything else; Kerberos officially supports three database backends, and db2 is the default.

Berkeley database module ("db2")
The default KDB module is db2, which uses a version of the Berkeley DB library. It creates four files based on the database pathname. If the pathname ends in principal, the four files are:
principal: contains the principal entry data
principal.ok: lock file for the principal database
principal.kadm5: contains the policy object data
principal.kadm5.lock: lock file for the policy database
Tip: for large databases, the kdb5_util dump command (which may be invoked by kprop or kadmind for incremental propagation) may cause krb5kdc to stop for an appreciable time while it iterates over the database. This delay can be avoided by disabling the account lockout features so that the KDC performs no database writes, or by enabling a slower form of iteration by setting the unlockiter variable to true.

Lightning Memory-Mapped Database module ("klmdb")
The klmdb module was added in release 1.17. It uses the LMDB library and can offer better performance and reliability than the db2 module. It creates four files based on the database pathname. If the pathname ends in principal, the four files are:
principal.mdb: contains the policy object data and most of the principal entry data
principal.mdb-lock: lock file for the main database
principal.lockout.mdb: contains the account lockout attributes (last successful authentication time, last failed authentication time, and number of failed attempts) for each principal entry
principal.lockout.mdb-lock: lock file for the lockout database
Tip: separating out the lockout attributes ensures that the KDC never blocks on an administrative operation such as a database dump or load. It also allows the KDC to run without write access to the main database. If both account lockout features are disabled, the lockout database file is created but never opened afterwards, and the account lockout attributes always read as zero.
Because LMDB creates a memory map to the database files, it requires a configured memory map size, which also determines the maximum size of the database. This size applies equally to both databases, so twice the configured size is consumed in the process address space; this is mostly a limitation on 32-bit platforms. The default of 128 megabytes should be enough for several hundred thousand principal entries. If the limit is reached, kadmin operations fail and the error message "Environment mapsize limit reached" appears in the kadmind log file. In that case the mapsize variable can be used to increase the map size.

LDAP module ("kldap")
The kldap module stores principal and policy data on an LDAP server. To use it, the LDAP server must be configured with the Kerberos schema.
Tip: because krb5kdc is single-threaded, latency in LDAP database accesses may limit KDC throughput. If the LDAP server is on the same host as the KDC and is accessed through an ldapi:// URL, latency should be minimal. If that is not possible, consider starting multiple KDC worker processes with the krb5kdc -w option to enable concurrent processing of KDC requests. The kldap module does not support explicit locking with the kadmin lock command.
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/dbtypes.html#berkeley-database-module-db2
https://web.mit.edu/kerberos/krb5-latest/doc/admin/dbtypes.html#lightning-memory-mapped-database-module-klmdb
https://web.mit.edu/kerberos/krb5-latest/doc/admin/dbtypes.html#ldap-module-kldap
https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html#conf-ldap
3>. Initializing the Kerberos database
As shown below, initializing the Kerberos database prompts for a master password for the database (remember it; it will be needed later). Initializing the database usually needs only two options:
-r: specifies the Kerberos realm of the database.
create [-s]: creates a new database. If the -s option is given, the stash file is created as well. The command fails if the database already exists. If it succeeds, the database is opened just as if it had already existed when the program was first run.
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kdb5_util.html

[root@kdc.yinzhengjie.com ~]# ll /yinzhengjie/softwares/kerberos/data/
total 4
-rw-r--r-- 1 root root 29 Oct 3 18:49 kadm5.acl
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# kdb5_util create -r YINZHENGJIE.COM -s
Loading random data
Initializing database '/yinzhengjie/softwares/kerberos/data/principal' for realm 'YINZHENGJIE.COM',
master key name 'K/M@YINZHENGJIE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
kdb5_util: Required parameters in kdc.conf missing while initializing the Kerberos admin interface
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# ll /yinzhengjie/softwares/kerberos/data/
total 20
-rw-r--r-- 1 root root   29 Oct 3 18:49 kadm5.acl
-rw------- 1 root root 8192 Oct 4 14:42 principal
-rw------- 1 root root 8192 Oct 4 14:42 principal.kadm5
-rw------- 1 root root    0 Oct 4 14:42 principal.kadm5.lock
-rw------- 1 root root    0 Oct 4 14:42 principal.ok
[root@kdc.yinzhengjie.com ~]# 
II. Creating the first user principal (UPN) for administering the Kerberos database
1>. Overview of the kadmin tool
kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionality. The difference is that kadmin.local accesses the KDC database directly, while kadmin performs its operations through kadmind.
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html
2>. Creating an administrator principal for the KDC

[root@kdc.yinzhengjie.com ~]# cat /yinzhengjie/softwares/kerberos/data/kadm5.acl
*/admin@YINZHENGJIE.COM *
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# kadmin.local    # drops us straight into an interactive shell, which makes configuring principals easy
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  list_principals
K/M@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/kdc.yinzhengjie.com@YINZHENGJIE.COM
kiprop/kdc.yinzhengjie.com@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc root/admin
No policy specified for root/admin@YINZHENGJIE.COM; defaulting to no policy
Enter password for principal "root/admin@YINZHENGJIE.COM": 
Re-enter password for principal "root/admin@YINZHENGJIE.COM": 
Principal "root/admin@YINZHENGJIE.COM" created.
kadmin.local:  
kadmin.local:  list_principals
K/M@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/kdc.yinzhengjie.com@YINZHENGJIE.COM
kiprop/kdc.yinzhengjie.com@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/admin@YINZHENGJIE.COM
kadmin.local:  
kadmin.local:  quit
[root@kdc.yinzhengjie.com ~]# 
III. Starting the Kerberos services
1>. Overview of starting the Kerberos services
Once the Kerberos configuration is complete, the Kerberos daemons can be started. The services are started with the kadmind and krb5kdc programs.
Overview of kadmind:
kadmind starts the Kerberos administration server. kadmind typically runs on the master Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts remote requests from programs such as kadmin and kpasswd to administer the information in these databases.
Overview of krb5kdc:
The Kerberos KDC server.
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmind.html
2>. Configuring environment variables
[root@kdc.yinzhengjie.com ~]# cat /etc/profile.d/kerberos.sh
# Add ${KERBEROS_HOME} by yinzhengjie
KERBEROS_HOME=/yinzhengjie/softwares/kerberos

# Path to the krb5.conf configuration file
export KRB5_CONFIG=${KERBEROS_HOME}/etc/krb5.conf

# Path to the kdc.conf configuration file
export KRB5_KDC_PROFILE=${KERBEROS_HOME}/etc/kdc.conf
[root@kdc.yinzhengjie.com ~]# 
3>. Creating symbolic links
[root@kdc.yinzhengjie.com ~]# cd /var/kerberos/
[root@kdc.yinzhengjie.com /var/kerberos]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ll
total 8
-rw------- 1 root root  22 Nov 28 2019 kadm5.acl
-rw------- 1 root root 451 Nov 28 2019 kdc.conf
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# mkdir bak
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ll
total 8
drwxr-xr-x 2 root root   6 Oct  5 15:25 bak
-rw------- 1 root root  22 Nov 28  2019 kadm5.acl
-rw------- 1 root root 451 Nov 28  2019 kdc.conf
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# mv k* bak/    # back up the default config files; we use our own config files instead
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ll
total 0
drwxr-xr-x 2 root root 39 Oct 5 15:25 bak
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ln -sv /yinzhengjie/softwares/kerberos/etc/kdc.conf kdc.conf
‘kdc.conf’ -> ‘/yinzhengjie/softwares/kerberos/etc/kdc.conf’
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ll
total 0
drwxr-xr-x 2 root root 39 Oct 5 15:25 bak
lrwxrwxrwx 1 root root 44 Oct 5 15:26 kdc.conf -> /yinzhengjie/softwares/kerberos/etc/kdc.conf
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ln -sv /yinzhengjie/softwares/kerberos/etc/kadm5.acl kadm5.acl
‘kadm5.acl’ -> ‘/yinzhengjie/softwares/kerberos/etc/kadm5.acl’
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# ll
total 0
drwxr-xr-x 2 root root 39 Oct 5 15:25 bak
lrwxrwxrwx 1 root root 45 Oct 5 15:26 kadm5.acl -> /yinzhengjie/softwares/kerberos/etc/kadm5.acl
lrwxrwxrwx 1 root root 44 Oct 5 15:26 kdc.conf -> /yinzhengjie/softwares/kerberos/etc/kdc.conf
[root@kdc.yinzhengjie.com /var/kerberos/krb5kdc]# 
4>. Starting kadmind
If you installed Kerberos from source and want it to start at boot, write a custom startup script and edit "/etc/rc.local" or "/etc/inittab" so that the script is loaded automatically when the operating system boots. If you installed Kerberos with yum, simply enable it at boot with the service manager that ships with Linux. As shown below, I manage the kadmin service with systemctl (if you are not familiar with that tool, see my earlier notes).
Recommended reading:
https://www.cnblogs.com/yinzhengjie/p/11986414.html

[root@kdc.yinzhengjie.com ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Oct 05 15:24:53 kdc.yinzhengjie.com systemd[1]: Starting Kerberos 5 Password-changing an.....
Oct 05 15:24:53 kdc.yinzhengjie.com _kadmind[5910]: kadmind: kadmind: Cannot open DB2 da...ng
Oct 05 15:24:53 kdc.yinzhengjie.com systemd[1]: kadmin.service: control process exited, ...=1
Oct 05 15:24:53 kdc.yinzhengjie.com systemd[1]: Failed to start Kerberos 5 Password-chan...n.
Oct 05 15:24:53 kdc.yinzhengjie.com systemd[1]: Unit kadmin.service entered failed state.
Oct 05 15:24:53 kdc.yinzhengjie.com systemd[1]: kadmin.service failed.
Oct 05 15:27:01 kdc.yinzhengjie.com systemd[1]: Starting Kerberos 5 Password-changing an.....
Oct 05 15:27:01 kdc.yinzhengjie.com systemd[1]: Started Kerberos 5 Password-changing and...n.
Oct 05 15:32:04 kdc.yinzhengjie.com systemd[1]: Stopping Kerberos 5 Password-changing an.....
Oct 05 15:32:04 kdc.yinzhengjie.com systemd[1]: Stopped Kerberos 5 Password-changing and...n.
Hint: Some lines were ellipsized, use -l to show in full.
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl start kadmin
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl status kadmin
● kadmin.service - Kerberos 5 Password-changing and Administration
   Loaded: loaded (/usr/lib/systemd/system/kadmin.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-10-05 15:32:28 CST; 16s ago
 Main PID: 6378 (kadmind)
   CGroup: /system.slice/kadmin.service
           └─6378 /usr/sbin/kadmind -P /var/run/kadmind.pid

Oct 05 15:32:28 kdc.yinzhengjie.com systemd[1]: Starting Kerberos 5 Password-changing an.....
Oct 05 15:32:28 kdc.yinzhengjie.com systemd[1]: Can't open PID file /var/run/kadmind.pid...ry
Oct 05 15:32:28 kdc.yinzhengjie.com systemd[1]: Started Kerberos 5 Password-changing and...n.
Hint: Some lines were ellipsized, use -l to show in full.
[root@kdc.yinzhengjie.com ~]# 

[root@kdc.yinzhengjie.com ~]# systemctl is-enabled kadmin
disabled
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl is-enabled kadmin
enabled
[root@kdc.yinzhengjie.com ~]# 
5>. Starting krb5kdc
If you installed Kerberos from source and want it to start at boot, write a custom startup script and edit "/etc/rc.local" or "/etc/inittab" so that the script is loaded automatically when the operating system boots. If you installed Kerberos with yum, simply enable it at boot with the service manager that ships with Linux. As shown below, I manage the krb5kdc service with systemctl (if you are not familiar with that tool, see my earlier notes).
Recommended reading:
https://www.cnblogs.com/yinzhengjie/p/11986414.html

[root@kdc.yinzhengjie.com ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Oct 05 15:50:26 kdc.yinzhengjie.com systemd[1]: Starting Kerberos 5 KDC...
Oct 05 15:50:26 kdc.yinzhengjie.com systemd[1]: Can't open PID file /var/run/krb5kdc.pid...ry
Oct 05 15:50:26 kdc.yinzhengjie.com systemd[1]: Started Kerberos 5 KDC.
Oct 05 15:51:03 kdc.yinzhengjie.com systemd[1]: Stopping Kerberos 5 KDC...
Oct 05 15:51:03 kdc.yinzhengjie.com systemd[1]: Stopped Kerberos 5 KDC.
Hint: Some lines were ellipsized, use -l to show in full.
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl start krb5kdc
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-10-05 15:51:20 CST; 13s ago
 Main PID: 7417 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─7417 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

Oct 05 15:51:20 kdc.yinzhengjie.com systemd[1]: Starting Kerberos 5 KDC...
Oct 05 15:51:20 kdc.yinzhengjie.com systemd[1]: Can't open PID file /var/run/krb5kdc.pid...ry
Oct 05 15:51:20 kdc.yinzhengjie.com systemd[1]: Started Kerberos 5 KDC.
Hint: Some lines were ellipsized, use -l to show in full.
[root@kdc.yinzhengjie.com ~]# 

[root@kdc.yinzhengjie.com ~]# systemctl is-enabled krb5kdc
disabled
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# systemctl is-enabled krb5kdc
enabled
[root@kdc.yinzhengjie.com ~]# 
IV. Creating service principals (SPN)
A service principal must be created for every Hadoop service, such as HDFS and YARN, so that the Hadoop daemons can authenticate through Kerberos: hdfs (for the HDFS service), mapred (for MapReduce) and yarn (for YARN). One SPN is needed for each service/daemon in the cluster. Service principals must also be created for component services such as Hive, Oozie and so on. For simplicity, this post only walks through creating the hdfs principal; the other principals are created the same way.
Besides the HDFS principal, an HTTP principal is also created; HTTP is the web communication protocol that Kerberos requires (in practice the hdfs, yarn and mapred service principals all use the HTTP service). Giving these services an HTTP service name enables Kerberos authentication for the web interfaces we use in daily work.
Tip:
To implement Kerberos security in a Hadoop cluster, it is important that all cluster users be configured on every cluster node. Alternatively, all users can be configured in Active Directory and the Hadoop servers given access to that directory service. The permissions of these users can be restricted, for example by giving them a "nologin" type shell.
1>. Creating the hdfs service principal

[root@kdc.yinzhengjie.com ~]# hostname
kdc.yinzhengjie.com
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  addprinc -randkey hdfs/kdc.yinzhengjie.com
WARNING: no policy specified for hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM; defaulting to no policy
Principal "hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM" created.
kadmin.local:  
kadmin.local:  addprinc -randkey HTTP/kdc.yinzhengjie.com
WARNING: no policy specified for HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM; defaulting to no policy
Principal "HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM" created.
kadmin.local:  
kadmin.local:  
2>. Verifying that the service principals were created

[root@kdc.yinzhengjie.com ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  
kadmin.local:  listprincs
HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM
K/M@YINZHENGJIE.COM
hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM
kadmin/admin@YINZHENGJIE.COM
kadmin/changepw@YINZHENGJIE.COM
kadmin/kdc.yinzhengjie.com@YINZHENGJIE.COM
kiprop/kdc.yinzhengjie.com@YINZHENGJIE.COM
krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
root/admin@YINZHENGJIE.COM
kadmin.local:  
kadmin.local:  getprinc hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM
Principal: hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM
Expiration date: [never]
Last password change: Mon Oct 05 19:14:25 CST 2020
Password expiration date: [never]
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Oct 05 19:14:25 CST 2020 (root/admin@YINZHENGJIE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 1, des3-cbc-sha1
Key: vno 1, arcfour-hmac
MKey: vno 1
Attributes:
Policy: [none]
kadmin.local:  
kadmin.local:  
3>. Viewing the help of the kadmin.local interactive interface
As shown below, when you are not familiar with a kadmin.local subcommand you can look at the built-in help. Of course, for more detailed documentation refer to the official docs. This is useful for Kerberos newcomers and veterans alike!
Recommended reading:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/admin_commands/kadmin_local.html#commands

[root@kdc.yinzhengjie.com ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
kadmin.local:  
kadmin.local:  
V. Creating keytab files
1>. Overview of what a keytab file does
Every service principal needs a keytab file to store its password. A keytab file contains pairs of Kerberos principals and encrypted keys derived from their Kerberos passwords. It is used to authenticate to the KDC while the service runs.
A UPN logs in to the secure cluster with kinit and then supplies a password for verification, but an SPN cannot attempt an interactive login. A keytab file stores the encryption key usable by a specific SPN, and keys for multiple SPNs can be stored in the same keytab file.
As shown below, an ordinary user (UPN) can in fact also use a keytab file in place of the password supplied at login.
Tip:
Keytab files must be protected carefully, because they hold the keys to the gate, especially the administrator principal's!

[root@hadoop101.yinzhengjie.com ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# ll
total 4
-rw------- 1 root root 714 Oct 5 20:19 hdfs.keytab
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# kinit -kt hdfs.keytab hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM

Valid starting       Expires              Service principal
10/05/2020 20:22:17  10/06/2020 20:35:38  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
	renew until 10/12/2020 20:22:17
[root@hadoop101.yinzhengjie.com ~]# 
2>. Creating the keytab file
Users such as yarn, hdfs and mapred run the background Hadoop daemons, so a keytab file must be created for these service principals. A keytab file is also needed for the http principal, so that Kerberos can authenticate Hadoop's web UIs.
Keytab files are created with the kadmin.local command. You do not need to build keytab files from scratch: with the kadmin command you use the "xst -k" option to extract each service principal's keytab file and place it in that service principal's keytab directory.
Each service principal's keytab file is named uniquely after its principal, for example "hdfs.keytab", "yarn.keytab", "hue.keytab", "hive.keytab" and "http.keytab". A separate keytab file must be exported for every Hadoop daemon on every Hadoop node.
The example below creates the keytab file for the HDFS service:

[root@kdc.yinzhengjie.com ~]# ll
total 0
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# kadmin.local
Authenticating as principal root/admin@YINZHENGJIE.COM with password.
kadmin.local:  
kadmin.local:  xst -k hdfs.keytab hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM
Entry for principal hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:hdfs.keytab.
Entry for principal HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:hdfs.keytab.
Entry for principal HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:hdfs.keytab.
kadmin.local:  
kadmin.local:  quit
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# ll
total 4
-rw------- 1 root root 714 Oct 5 19:59 hdfs.keytab
[root@kdc.yinzhengjie.com ~]# 
3>. Copying the service principal's keytab file to every node of the HDFS cluster

[root@kdc.yinzhengjie.com ~]# ll
total 4
-rw------- 1 root root 714 Oct 5 19:59 hdfs.keytab
[root@kdc.yinzhengjie.com ~]# 
[root@kdc.yinzhengjie.com ~]# scp hdfs.keytab hadoop101.yinzhengjie.com:~
The authenticity of host 'hadoop101.yinzhengjie.com (172.200.6.101)' can't be established.
ECDSA key fingerprint is SHA256:y6iS5ipSyWSGRmgcjivbWhd78pKfrcuQHeBPd5H9/U8.
ECDSA key fingerprint is MD5:da:0f:2a:93:c0:d4:6e:7e:13:16:61:f1:93:a7:38:01.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hadoop101.yinzhengjie.com,172.200.6.101' (ECDSA) to the list of known hosts.
root@hadoop101.yinzhengjie.com's password: 
hdfs.keytab                                   100%  714   307.4KB/s   00:00    
[root@kdc.yinzhengjie.com ~]# 

[root@hadoop101.yinzhengjie.com ~]# ll
total 4
-rw------- 1 root root 714 Oct 5 20:19 hdfs.keytab
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# kinit -kt hdfs.keytab hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM

Valid starting       Expires              Service principal
10/05/2020 20:19:31  10/06/2020 20:32:52  krbtgt/YINZHENGJIE.COM@YINZHENGJIE.COM
	renew until 10/12/2020 20:19:31
[root@hadoop101.yinzhengjie.com ~]# 

[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'mkdir /yinzhengjie/softwares/hadoop/etc/hadoop/conf'
[WARNING]: Consider using the file module with state=directory rather than running 'mkdir'.  If you need to use command because file is insufficient you can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.

hadoop101.yinzhengjie.com | FAILED | rc=1 >>
mkdir: cannot create directory ‘/yinzhengjie/softwares/hadoop/etc/hadoop/conf’: File existsnon-zero return code

hadoop102.yinzhengjie.com | CHANGED | rc=0 >>

hadoop104.yinzhengjie.com | CHANGED | rc=0 >>

hadoop105.yinzhengjie.com | CHANGED | rc=0 >>

hadoop103.yinzhengjie.com | CHANGED | rc=0 >>

[root@hadoop101.yinzhengjie.com ~]# 

[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'ls -l /yinzhengjie/softwares/hadoop/etc/hadoop/conf'
hadoop102.yinzhengjie.com | CHANGED | rc=0 >>
total 0

hadoop101.yinzhengjie.com | CHANGED | rc=0 >>
total 8
-rw-r--r-- 1 root root 115 Aug 13 18:55 host-rack.txt
-rwxr-xr-x 1 root root 463 Aug 13 18:54 toplogy.py

hadoop104.yinzhengjie.com | CHANGED | rc=0 >>
total 0

hadoop105.yinzhengjie.com | CHANGED | rc=0 >>
total 0

hadoop103.yinzhengjie.com | CHANGED | rc=0 >>
total 0

[root@hadoop101.yinzhengjie.com ~]# 

[root@hadoop101.yinzhengjie.com ~]# ll
total 4
-rw------- 1 root root 714 Oct 5 20:19 hdfs.keytab
[root@hadoop101.yinzhengjie.com ~]# 
[root@hadoop101.yinzhengjie.com ~]# ansible all -m copy -a 'src=~/hdfs.keytab dest=/yinzhengjie/softwares/hadoop/etc/hadoop/conf'
hadoop102.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "4895c1853599cf70ad2cde9e3606c5b160591623",
    "dest": "/yinzhengjie/softwares/hadoop/etc/hadoop/conf/hdfs.keytab",
    "gid": 0,
    "group": "root",
    "md5sum": "3f997c0430da2208ccc1e617d3145d3e",
    "mode": "0644",
    "owner": "root",
    "size": 714,
    "src": "/root/.ansible/tmp/ansible-tmp-1601900886.29-6090-277128142165633/source",
    "state": "file",
    "uid": 0
}
hadoop101.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "4895c1853599cf70ad2cde9e3606c5b160591623",
    "dest": "/yinzhengjie/softwares/hadoop/etc/hadoop/conf/hdfs.keytab",
    "gid": 0,
    "group": "root",
    "md5sum": "3f997c0430da2208ccc1e617d3145d3e",
    "mode": "0644",
    "owner": "root",
    "size": 714,
    "src": "/root/.ansible/tmp/ansible-tmp-1601900886.31-6094-151130876303606/source",
    "state": "file",
    "uid": 0
}
hadoop104.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "4895c1853599cf70ad2cde9e3606c5b160591623",
    "dest": "/yinzhengjie/softwares/hadoop/etc/hadoop/conf/hdfs.keytab",
    "gid": 0,
    "group": "root",
    "md5sum": "3f997c0430da2208ccc1e617d3145d3e",
    "mode": "0644",
    "owner": "root",
    "size": 714,
    "src": "/root/.ansible/tmp/ansible-tmp-1601900886.3-6093-34011526978905/source",
    "state": "file",
    "uid": 0
}
hadoop105.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "4895c1853599cf70ad2cde9e3606c5b160591623",
    "dest": "/yinzhengjie/softwares/hadoop/etc/hadoop/conf/hdfs.keytab",
    "gid": 0,
    "group": "root",
    "md5sum": "3f997c0430da2208ccc1e617d3145d3e",
    "mode": "0644",
    "owner": "root",
    "size": 714,
    "src": "/root/.ansible/tmp/ansible-tmp-1601900886.31-6096-110162310342304/source",
    "state": "file",
    "uid": 0
}
hadoop103.yinzhengjie.com | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "checksum": "4895c1853599cf70ad2cde9e3606c5b160591623",
    "dest": "/yinzhengjie/softwares/hadoop/etc/hadoop/conf/hdfs.keytab",
    "gid": 0,
    "group": "root",
    "md5sum": "3f997c0430da2208ccc1e617d3145d3e",
    "mode": "0644",
    "owner": "root",
    "size": 714,
    "src": "/root/.ansible/tmp/ansible-tmp-1601900886.32-6092-251321354687851/source",
    "state": "file",
    "uid": 0
}
[root@hadoop101.yinzhengjie.com ~]# 

[root@hadoop101.yinzhengjie.com ~]# ansible all -m shell -a 'ls -l /yinzhengjie/softwares/hadoop/etc/hadoop/conf'
hadoop104.yinzhengjie.com | CHANGED | rc=0 >>
total 4
-rw-r--r-- 1 root root 714 Oct 5 20:28 hdfs.keytab

hadoop105.yinzhengjie.com | CHANGED | rc=0 >>
total 4
-rw-r--r-- 1 root root 714 Oct 5 20:28 hdfs.keytab

hadoop103.yinzhengjie.com | CHANGED | rc=0 >>
total 4
-rw-r--r-- 1 root root 714 Oct 5 20:28 hdfs.keytab

hadoop102.yinzhengjie.com | CHANGED | rc=0 >>
total 4
-rw-r--r-- 1 root root 714 Oct 5 20:28 hdfs.keytab

hadoop101.yinzhengjie.com | CHANGED | rc=0 >>
total 12
-rw-r--r-- 1 root root 714 Oct 5 20:28 hdfs.keytab
-rw-r--r-- 1 root root 115 Aug 13 18:55 host-rack.txt
-rwxr-xr-x 1 root root 463 Aug 13 18:54 toplogy.py

[root@hadoop101.yinzhengjie.com ~]# 
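An added example (not the author's code) covering two points from section V: the warning that keytab files must be protected, and the ansible copy listing above, which left hdfs.keytab at mode 0644 on every node. The script parses the MIT keytab format (version 0x0502) to list principal, kvno and enctype without touching the key bytes, flags the deprecated des3-cbc-sha1 and arcfour-hmac keys that the xst output shows, and flags a file mode readable by group or others. The sample keytab is constructed in memory to mirror the page's hdfs.keytab, and the file mode is passed in as a value rather than read from disk.

```python
import struct

# Enctype numbers from the IANA Kerberos registry: the four that the page's
# xst/getprinc output shows. RC4 (23) and 3DES (16) are deprecated by RFC 8429.
ENCTYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
            16: "des3-cbc-sha1", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {"des3-cbc-sha1", "arcfour-hmac"}


def _counted_string(data, pos):
    """Read a 16-bit-length-prefixed string (realm or name component)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab into entry dicts; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        enctype, keylen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + keylen                 # step over the key without keeping it
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno follows the key
            (kvno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, "unknown(%d)" % enctype)})
        pos = end
    return entries


def build_keytab(entries, timestamp=1601900886):
    """Serialize (principal, kvno, enctype number, key) tuples; sample-only, on a KDC xst does this."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data, mode):
    """Findings for keytab bytes plus the file's permission bits, e.g. 0o644."""
    findings = []
    if mode & 0o077:
        findings.append("mode %04o lets group/others read the keytab; want 0600" % mode)
    for e in parse_keytab(data):
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d has a weak %s key"
                            % (e["principal"], e["kvno"], e["enctype"]))
    return findings


# Constructed sample mirroring the page's hdfs.keytab: two principals, kvno 2,
# four enctypes each. Key bytes are dummy zeros, not real key material.
SAMPLE_KEYTAB = build_keytab([(p, 2, et, bytes(n)) for p in (
    "hdfs/kdc.yinzhengjie.com@YINZHENGJIE.COM", "HTTP/kdc.yinzhengjie.com@YINZHENGJIE.COM")
    for et, n in ((18, 32), (17, 16), (16, 24), (23, 16))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-42s kvno %d  %s" % (e["principal"], e["kvno"], e["enctype"]))
    print("\n".join(audit_keytab(SAMPLE_KEYTAB, 0o644)))  # 0644: what the ansible copy left
```

On a real node, read the bytes from the keytab path and pass stat.S_IMODE(os.stat(path).st_mode) as the mode; a clean result is an empty findings list.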