Enabling Kerberos authentication on CDH 6.3.2


  • 1: How to install and configure KDC service

  • 2: How to enable Kerberos through CDH

  • 3: How to log in to Kerberos and access Hadoop related services

1: How to install and configure KDC service

1.1 system environment

1. Operating system: CentOS7.5x64

2.CDH6.3.2

3. All commands below are run as root.

1.2 KDC service installation and configuration

1. Install the KDC packages on the Cloudera Manager server. (Co-locating the KDC with Cloudera Manager keeps this walkthrough short; in production the KDC is normally a separate, minimally exposed host, because whoever controls it controls every identity in the cluster.)

 yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

2. Edit /etc/krb5.conf as follows (this file is later copied unchanged to every client host):

vim /etc/krb5.conf
----
# Configuration snippets may be placed in this directory as well
# (anything under /etc/krb5.conf.d/ is merged into this file and can override it).
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 # Realm mapping comes from the [domain_realm] section below, not from DNS TXT records.
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 # Forwardable TGTs allow a ticket to be delegated to another host;
 # NOTE(review): the CDH Kerberos wizard is normally run with this enabled — confirm for your release.
 forwardable = true
 # Do not reverse-resolve server addresses when building service principal names.
 rdns = false
 default_realm = LANXIN.COM
 # Left commented out so the library's compiled-in cache type is used.
 # NOTE(review): the klist output in step 8 still reports KEYRING:persistent:0:0, so a
 # snippet under /etc/krb5.conf.d/ may be setting it anyway — check that if Hadoop/Java
 # clients cannot see the tickets that klist shows.
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 LANXIN.COM = {
  # KDC and kadmin server are addressed by IP (the Cloudera Manager host from step 1).
  kdc = 192.168.11.160
  admin_server = 192.168.11.160
 }

 [domain_realm]
 # Hosts under lanxin.com belong to the LANXIN.COM realm.
 .lanxin.com = LANXIN.COM
 lanxin.com = LANXIN.COM

---

3. Edit /var/kerberos/krb5kdc/kadm5.acl. The single wildcard rule below gives every principal with an "admin" instance full rights over the realm, so keep the set of */admin principals small and their passwords strong.

vim /var/kerberos/krb5kdc/kadm5.acl
----
# Any principal whose instance is "admin" (admin/admin and cloudera/admin are created below)
# is granted every privilege ("*") over the realm. Anyone who learns one of those passwords,
# or can read a keytab holding one of those keys, is a full realm administrator.
*/admin@LANXIN.COM      *
----

4. Edit /var/kerberos/krb5kdc/kdc.conf (do this before creating the database in step 5, since the key types configured here are applied to every key generated from then on):

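[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 LANXIN.COM = {
  #master_key_type = aes256-cts
  max_renewable_life= 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  # dict_file is only consulted for principals that have a password policy; the
  # addprinc calls later in this guide run with "no policy", so it has no effect
  # until a policy is created (add_policy) and assigned.
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # Key types generated for new principals. The original list also advertised
  # single-DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1), 3DES (des3-hmac-sha1),
  # RC4 (arcfour-hmac) and Camellia; DES and RC4 are broken/deprecated and 3DES
  # is disallowed by current krb5 defaults, so only AES is kept here. This setting
  # affects keys created after it is set, so finish it before kdb5_util create.
  # NOTE(review): aes256 needs a JDK without crypto-strength restrictions on the
  # cluster hosts (older JDK 8 builds need the unlimited-strength JCE policy) — confirm.
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }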

5. Create the Kerberos database for the realm
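# Create the realm database; -r names the realm, -s also writes a stash file so the
# KDC can start without an operator typing the master key.
# The original line used a Unicode en-dash ("–r"), which kdb5_util rejects as an
# unknown option; it must be a plain ASCII hyphen.
kdb5_util create -r LANXIN.COM -s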
  // Prompted for the database master password. The original walkthrough used the realm name itself (LANXIN.COM); use a strong, unique passphrase instead, since it protects every key in the realm. Because -s is given, the master key is also stashed on disk (by default /var/kerberos/krb5kdc/.k5.LANXIN.COM); that file must stay owned by root with mode 0600.
---
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'LANXIN.COM',
master key name 'K/M@LANXIN.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify:
---
//Both prompts ask for the same database master password chosen above.

6. Create the Kerberos administrator principal admin/admin@LANXIN.COM. It matches the */admin rule in kadm5.acl and therefore has full rights over the realm. The "no policy specified" warning in the transcript means no password policy is enforced; to apply minimum length, history or the dict_file check from kdc.conf, first define a policy with add_policy and pass -policy to addprinc.

----
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  
kadmin.local:  addprinc admin/admin@LANXIN.COM   
WARNING: no policy specified for admin/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "admin/admin@LANXIN.COM":     [Enter password as admin]
Re-enter password for principal "admin/admin@LANXIN.COM": 
Principal "admin/admin@LANXIN.COM" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM
----

7. Enable the krb5kdc and kadmin services at boot and start them

  # Enable at boot and start the KDC (krb5kdc) and the admin server (kadmin);
  # kinit in the next step needs krb5kdc running.
  systemctl enable krb5kdc kadmin
  systemctl start krb5kdc kadmin

8. Test the administrator account by obtaining a TGT

  # Request a TGT for the admin principal; the password is read from the terminal, never from argv.
  kinit 'admin/admin@LANXIN.COM'
 ---
 Password for admin/admin@LANXIN.COM: 
[root@dev01 ~]# 
[root@dev01 ~]# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: admin/admin@LANXIN.COM

Valid starting       Expires              Service principal
05/26/2020 16:26:36  05/27/2020 16:26:36  krbtgt/LANXIN.COM@LANXIN.COM
    renew until 06/02/2020 16:26:36
 ---

9. Install the Kerberos client packages on every cluster host, including the Cloudera Manager server

# Client libraries and tools (kinit, klist, ...) for every node that will talk to the KDC.
yum install -y krb5-libs krb5-workstation

10. Install the additional package required on the Cloudera Manager Server host

# LDAP client tools needed on the Cloudera Manager Server host.
yum install -y openldap-clients

11. Copy the KDC's /etc/krb5.conf to every Kerberos client host (it contains no secrets, only realm and KDC addresses)

# Distribute the client configuration to the other cluster nodes.
for client in 192.168.11.161 192.168.11.162; do
  scp /etc/krb5.conf "root@${client}:/etc"
done

2: Enable Kerberos for CDH cluster

1. On the KDC, create the administrator principal that Cloudera Manager will use to manage principals: cloudera/admin@LANXIN.COM. It matches the */admin wildcard in kadm5.acl and so is a full realm administrator; give it a strong password (not "cloudera" as shown in the transcript below) and protect it like the KDC master password.
----
[root@dev01 ~]# kadmin.local 
Authenticating as principal root/admin@LANXIN.COM with password.
kadmin.local:  addprinc cloudera/admin@LANXIN.COM
WARNING: no policy specified for cloudera/admin@LANXIN.COM; defaulting to no policy
Enter password for principal "cloudera/admin@LANXIN.COM":       [password: cloudera]
Re-enter password for principal "cloudera/admin@LANXIN.COM": 
Principal "cloudera/admin@LANXIN.COM" created.
kadmin.local:  list_principals 
K/M@LANXIN.COM
admin/admin@LANXIN.COM
cloudera/admin@LANXIN.COM
kadmin/admin@LANXIN.COM
kadmin/changepw@LANXIN.COM
kadmin/dev01.lanxintec.cn@LANXIN.COM
kiprop/dev01.lanxintec.cn@LANXIN.COM
krbtgt/LANXIN.COM@LANXIN.COM

----

2. Open Administration → Security in Cloudera Manager to enable Kerberos for the cluster.

Test: export principals into a single keytab, /etc/devcdh.keytab, with `xst -k` (alias `ktadd`) in kadmin.local. A keytab is equivalent to the principals' passwords: this file lets anyone who can read it act as admin/admin and cloudera/admin, i.e. as a full realm administrator under kadm5.acl. Keep it root-only (mode 0600), delete it after the test, and never put admin principals into a service keytab in production. Note also that `xst` randomizes each principal's key by default, which invalidates the passwords set earlier; in kadmin.local use `xst -norandkey` if those passwords must keep working.

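# The original listing misspelt the command as "kadminl.local". The xst subcommands are
# fed to kadmin.local on stdin here so the whole step is reproducible as a script.
# Each xst re-keys the principal unless -norandkey is given, so the passwords chosen
# for admin/admin and cloudera/admin stop working afterwards.
# NOTE(review): hdfs/dev01.lanxintec.cn does not appear in the list_principals output
# above; it exists only once the Cloudera Manager wizard has created the service
# principals, so run this after that step.
kadmin.local <<'EOF'
xst -k /etc/devcdh.keytab admin/admin@LANXIN.COM
xst -k /etc/devcdh.keytab cloudera/admin@LANXIN.COM
xst -k /etc/devcdh.keytab hdfs/dev01.lanxintec.cn@LANXIN.COM
EOF
# The keytab now carries realm-administrator keys: keep it readable by root only
# and remove it once the test is done.
chmod 600 /etc/devcdh.keytab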
.......

