本文介绍在E-MapReduce集群中HDFS服务集成Kerberos。
前置:
- 创建E-MapReduce集群,本文以
非HA集群的HDFS为例 - HDFS服务在hdfs账号下启动
- HDFS软件包路径
/usr/lib/hadoop-current,配置在/etc/emr/hadoop-conf/
一、 安装 配置Kerberos
1. 安装Kerberos
master节点执行:
sudo yum install krb5-server krb5-devel krb5-workstation -yslave节点执行:
sudo yum install krb5-devel krb5-workstation -y2. 配置Kerberos
- master节点上面修改配置:
a) /etc/krb5.conf
备注: 配置中emr-header-1.cluster-xxxx替换成自己集群的hostname
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EMR.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EMR.COM = {
kdc = emr-header-1.cluster-xxxx
admin_server = emr-header-1.cluster-xxxx
}
[domain_realm]
.emr.com = EMR.COM
emr.com = EMR.COMb) /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EMR.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}c) /var/kerberos/krb5kdc/kadm5.acl
*/admin@EMR.COM *- slave节点修改配置
只需将上面master节点修改过的/etc/krb5.conf文件拷贝到slave节点对应文件夹即可。
3. 创建数据库
在master节点上面执行:
sudo kdb5_util create -r EMR.COM -s备注:
若出现Loading random data卡住(需要等一会),可以另外开一个终端执行一些耗费cpu的操作,增加随机数采集
4. 启动Kerberos
在master节点执行:
sudo service krb5kdc start
sudo service kadmin start5. 创建kadmin管理员账号
在master节点root账号上面执行
$kadmin.local
#进入kadmin后继续执行:
$addprinc root/admin
#输入密码,记住后面执行kadmin时需要输入
后续可以在所有集群所有节点上使用kadmin命令来管理Kerberos的一些数据库操作(如添加principal等)
备注:kadmin.local只能在kadmin server所在的机器(即master节点)且拥有root权限情况下才能执行,其它情况使用kadmin
二、HDFS服务集成Kerberos
1. 创建keytab文件
在集群的每个节点上面创建对应的keytab文件,用于HDFS服务各个Daemon(如NameNode/DataNode等)之间的身份认证,防止非法的节点加入集群。
E-MapReduce集群中的HDFS的所有Daemon都是在hdfs账号下启动,所以各个Daemon使用共用相同的keytab配置。
接下来分别在集群的每台机器上面分别执行下面命令:以master节点为例,其它节点按照同样的方式操作
$sudo su hdfs
$hostname
emr-header-1.cluster-xxxx
#后面需要使用hostname
$sudo kadmin
#输入密码,进入kadmin后执行
# principal使用了上面的hostname即emr-header-1.cluster-xxxx
$kadmin: addprinc -randkey hdfs/emr-header-1.cluster-xxxx@EMR.COM
$kadmin: addprinc -randkey HTTP/emr-header-1.cluster-xxxx@EMR.COM
$kadmin: xst -k hdfs-unmerged.keytab hdfs/emr-header-1.cluster-xxxx@EMR.COM
$kadmin: xst -k http.keytab HTTP/emr-header-1.cluster-xxxx@EMR.COM
$kadmin: exit
#合并http.keytab和hdfs-unmerged.keytab
$sudo ktutil
#进入ktutil后执行:
$ktutil: rkt hdfs-unmerged.keytab
$ktutil: rkt http.keytab
$ktutil: wkt hdfs.keytab
$ktutil: exit
#将hdfs.keytab拷贝到/etc/emr/hadoop-conf
$sudo cp hdfs.keytab /etc/emr/hadoop-conf
$sudo chown hdfs:hadoop /etc/emr/hadoop-conf/hdfs.keytab
$sudo chmod 400 /etc/emr/hadoop-conf/hdfs.keytab2. 修改HDFS服务配置
HDFS服务集成Kerberos需要修改core-site.xml和hdfs-site.xml,如下:
备注: 集群所有节点都需要修改
a) core-site.xml
路径: /etc/emr/hadoop-conf/core-site.xml
使用hadoop账号来操作sudo su hadoop
添加如下配置项:
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value> <!-- A value of "simple" would disable security. -->
</property>
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
</property>修改如下配置项:
将value值master_host_name换成自己集群的master的hostname(如emr-header-1.cluster-xxx)
<property>
<name>master_hostname</name>
<value>master_host_name</value>
</property>b) hdfs-site.xml
路径: /etc/emr/hadoop-conf/hdfs-site.xml
使用hadoop账号来操作sudo su hadoop
添加如下配置项:
<!-- General HDFS security config -->
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<!-- NameNode security config -->
<property>
<name>dfs.namenode.keytab.file</name>
<value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>hdfs/_HOST@EMR.COM</value>
</property>
<property>
<name>dfs.namenode.kerberos.internal.spnego.principal</name>
<value>HTTP/_HOST@EMR.COM</value>
</property>
<!-- Secondary NameNode security config -->
<property>
<name>dfs.secondary.namenode.keytab.file</name>
<value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
<name>dfs.secondary.namenode.kerberos.principal</name>
<value>hdfs/_HOST@EMR.COM</value>
</property>
<property>
<name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
<value>HTTP/_HOST@EMR.COM</value>
</property>
<!-- DataNode security config -->
<property>
<name>dfs.datanode.data.dir.perm</name>
<value>700</value>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HDFS keytab -->
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hdfs/_HOST@EMR.COM</value>
</property>
<!-- datanode SASL配置 -->
<property>
<name>dfs.http.policy</name>
<value>HTTPS_ONLY</value>
</property>
<property>
<name>dfs.data.transfer.protection</name>
<value>integrity</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>HTTP/_HOST@EMR.COM</value>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/etc/emr/hadoop-conf/hdfs.keytab</value> <!-- path to the HTTP keytab -->
</property>3. 生成keystore文件
HDFS中使用HTTPS来传输数据,需要有keystore相关配置。
在master节点上面执行:
$sudo su hadoop
#生成了ca相关文件
$openssl req -new -x509 -keyout ca-key -out ca-cert -days 1000继续在master节点上重复按照如下命令,分别为集群所有节点生成keystore/truststore文件
备注: 每次为新节点重复执行,需要更换命令中的一些文件名称(防止被覆盖),下面以尖括号(<>)标出
# 以为master节点生成keystore/truststore为例
$keytool -keystore <keystore> -alias localhost -validity 1000 -genkey
输入密钥库口令:
再次输入新口令:
您的名字与姓氏是什么?
[Unknown]: emr-header-1 #备注: 不同节点不一样,如emr-worker-1
您的组织单位名称是什么?
[Unknown]: EMR
您的组织名称是什么?
[Unknown]: EMR
您所在的城市或区域名称是什么?
[Unknown]: EMR
您所在的省/市/自治区名称是什么?
[Unknown]: EMR
该单位的双字母国家/地区代码是什么?
[Unknown]: EMR
CN=emr-worker-2, OU=EMR, O=EMR, L=EMR, ST=EMR, C=EMR是否正确?
[否]: 是
输入 <localhost> 的密钥口令
(如果和密钥库口令相同, 按回车):
$keytool -keystore <truststore> -alias CARoot -import -file ca-cert
$keytool -keystore <keystore> -alias localhost -certreq -file <cert-file>
#下面命令中your_pwd替换成自己的
$openssl x509 -req -CA ca-cert -CAkey ca-key -in <cert-file> -out <cert-signed> -days 1000 -CAcreateserial -passin pass:your_pwd
$keytool -keystore <keystore> -alias CARoot -import -file ca-cert
$keytool -keystore <keystore> -alias localhost -import -file <cert-signed>
执行完上述命令后,将在当前文件夹下会生成新文件<keystore>和<truststore>拷贝scp到对应机器的/etc/emr/hadoop-conf/目录下
#master节点不需要scp,直接cp过去
$cp keystore /etc/emr/hadoop-conf
$cp keystore /etc/emr/hadoop-conf4. 配置ssl
在master节点上面执行
$sudo su hadoop
$cp /etc/emr/hadoop-conf/ssl-server.xml.example /etc/emr/hadoop-conf/ssl-server.xml修改,不是覆盖ssl-server.xml文件中相关配置项对应的key
备注:
配置中密码需要替换成自己的上面生成keystore/truststore时的密码
<property>
<name>ssl.server.truststore.location</name>
<value>/etc/emr/hadoop-conf/truststore</value>
<description>Truststore to be used by NN and DN. Must be specified.
</description>
</property>
<property>
<name>ssl.server.truststore.password</name>
<value>YOUR_TRUSTSTORE_PASSWD</value>
<description>Optional. Default value is "".
</description>
</property>
<property>
<name>ssl.server.keystore.location</name>
<value>/etc/emr/hadoop-conf/keystore</value>
<description>Keystore to be used by NN and DN. Must be specified.
</description>
</property>
<property>
<name>ssl.server.keystore.password</name>
<value>YOUR_KEYSTORE_PASSWD</value>
<description>Must be specified.
</description>
</property>
<property>
<name>ssl.server.keystore.keypassword</name>
<value>YOUR_KEYSTORE_PASSWD</value>
<description>Must be specified.
</description>
</property>最后,将master节点的这个ssl-server.xml文件 scp 到其它所有节点/etc/emr/hadoop-conf目录下面。
5. 重启HDFS服务
在master节点上面执行:
$sudo su hdfs
#停止集群HDFS服务
$/usr/lib/hadoop-current/sbin/stop-dfs.sh
#停止SecondaryNameNode
$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh stop secondarynamenode
#启动NameNode
$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start namenode
#启动SecondaryNameNode
$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start secondarynamenode
在slave节点上面执行:
#启动DataNode
$sudo su hdfs
$/usr/lib/hadoop-current/sbin/hadoop-daemon.sh start datanode6. 验证HDFS
在master节点上面执行:
$useradd testkb
$sudo su testkb
$hadoop fs -ls /
17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;出现上面错误,说明HDFS服务的Kerberos认证生效了,接着执行:
#从testkb账号退出到root账号执行
# 添加testkb的principal
$kadmin.local
$kadmin.local: addprinc testkb重新进入testkb账号
$sudo su testkb
$hadoop fs -ls /
17/05/09 12:04:19 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "emr-header-1.cluster-xxxx/10.26.6.62"; destination host is: "emr-header-1.cluster-xxxx":9000;
#获取testkb的TGT
$kinit testkb
#验证成功
$hadoop fs -ls /
drwxr-xr-x - hadoop hadoop 0 2017-05-09 10:12 /apps
drwxr-xr-x - hadoop hadoop 0 2017-05-09 11:57 /spark-history
drwxrwxrwx - hadoop hadoop 0 2017-05-09 10:12 /tmp
drwxr-xr-x - hadoop hadoop 0 2017-05-09 10:14 /usr
