[1067] Kerberos Security Authentication on CDH 6.3.2

2021-11-11 14:24:39

Contents
  • Introduction to Kerberos
  • How Kerberos authentication works
  • Deploying Kerberos
  • Configuring Kerberos in Cloudera Manager (check that the server clocks are in sync before starting)
  • Using the cluster once Kerberos is enabled

Introduction to Kerberos

Kerberos is a network authentication protocol that lets parties prove their identity to each other over an untrusted network. The name also refers to the software implementation of the protocol developed at MIT. It uses a client/server model and provides mutual authentication: the client verifies the server and the server verifies the client. It protects against eavesdropping and replay attacks and guarantees message integrity, and it is built on symmetric-key cryptography with keys managed by a trusted third party, the KDC.

This article shows how to enable Kerberos authentication on a CDH cluster so that every access to cluster data is authenticated.

How Kerberos authentication works

1. Basic concepts

KDC: Key Distribution Center. It holds the principal database and runs the two services below.
AS: Authentication Server. Issues the TGT after checking the client's identity.
TGS: Ticket Granting Server. Issues service tickets to clients that present a valid TGT.
TGT: Ticket Granting Ticket. Proof of authentication, encrypted under the KDC's own krbtgt key, that the client presents to the TGS.
Principal: a unique identity in the Kerberos realm. A principal can be a user (for example zhangsan) or a service (for example namenode or hive).

2. Authentication flow

(1) The client runs kinit, giving a principal name and password, and asks the AS for a TGT. The password itself is never sent; it is only used locally to derive the client's long-term key.
(2) The AS looks the principal up in its database and, if it exists, returns a TGT together with a session key. The session key is encrypted under the client's long-term key, so only a client that knows the password can use the reply.
(3) With the TGT, the client asks the TGS for a service ticket for the target service.
(4) The TGS checks that the requested service principal exists in the database and, if so, returns a service ticket encrypted under that service's key.
(5) The client presents the service ticket to the target service.
(6) The service decrypts the ticket with its own key (from its keytab), verifies the client, and responds. The service does not need to contact the KDC at this point.
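The six steps above, as an added example that is not part of the original article: a runnable toy model of the AS, TGS and AP exchanges. A toy encrypt-then-MAC built from hashlib and hmac stands in for the real enctypes and JSON stands in for ASN.1, so the model shows which key protects which message rather than the wire format. The realm and the user jason come from the page; the service name hdfs/namenode, the passwords and all helper names are assumptions of the example.

```python
"""Toy model of the three Kerberos exchanges (AS, TGS, AP) from the flow above.

Added example, not code from the page or from MIT Kerberos.  A toy
encrypt-then-MAC built from hashlib/hmac stands in for the real enctypes and
JSON stands in for ASN.1, so the point is *which key protects which message*,
not wire compatibility.  Names reuse the page's realm and user jason; the
service name hdfs/namenode and all passwords are assumptions."""
import hashlib, hmac, json, os, time

REALM = "YINZHENGJIE.ORG.CN"
MAX_SKEW = 300        # seconds; MIT krb5's default clockskew is 5 minutes
LIFETIME = 24 * 3600  # ticket_lifetime = 24h, as in the page's krb5.conf


def string2key(password: str, principal: str) -> bytes:
    """Long-term key from a password, salted with the principal name (toy string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{principal}@{REALM}".encode(), 4096)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: XOR keystream, then HMAC-SHA256 tag."""
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting; a wrong key (wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise PermissionError("integrity check failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS sharing one principal database (the KDC of the concepts list)."""

    def __init__(self, users: dict, services: list):
        self.db = {u: string2key(pw, u) for u, pw in users.items()}
        self.db["krbtgt/" + REALM] = os.urandom(32)   # the key that protects every TGT
        for s in services:
            self.db[s] = os.urandom(32)                # a copy of this key lives in the service's keytab

    def as_exchange(self, client: str, now: float):
        """Steps 1-2: no password on the wire; the reply is usable only with the client's key."""
        if client not in self.db:
            raise KeyError("unknown principal")
        sk1, exp = os.urandom(32), now + LIFETIME
        tgt = seal(self.db["krbtgt/" + REALM], {"client": client, "sk": sk1.hex(), "exp": exp})
        return tgt, seal(self.db[client], {"sk": sk1.hex(), "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 3-4: the TGS trusts only what it can open with its own krbtgt key."""
        t = unseal(self.db["krbtgt/" + REALM], tgt)
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)   # proves the client holds sk1
        if auth["client"] != t["client"] or t["exp"] < now or abs(auth["ts"] - now) > MAX_SKEW:
            raise PermissionError("TGT or authenticator rejected")
        if service not in self.db:
            raise KeyError("unknown service principal")
        sk2 = os.urandom(32)
        ticket = seal(self.db[service], {"client": t["client"], "sk": sk2.hex(), "exp": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2.hex(), "service": service})


def service_accept(keytab_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> bytes:
    """Steps 5-6 at the target service: its keytab key opens the ticket; no call to the KDC."""
    t = unseal(keytab_key, ticket)
    auth = unseal(bytes.fromhex(t["sk"]), authenticator)
    if auth["client"] != t["client"] or t["exp"] < now or abs(auth["ts"] - now) > MAX_SKEW:
        raise PermissionError("service ticket or authenticator rejected")
    return seal(bytes.fromhex(t["sk"]), {"ts": auth["ts"]})   # AP_REP: mutual authentication


def client_login(kdc: KDC, user: str, password: str, service: str, clock_offset: float = 0.0) -> bool:
    """kinit followed by one service access, seen from the client; clock_offset skews the client clock."""
    now = time.time()
    ts = now + clock_offset
    tgt, enc_part = kdc.as_exchange(user, now)
    sk1 = bytes.fromhex(unseal(string2key(password, user), enc_part)["sk"])   # wrong password dies here
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk1, {"client": user, "ts": ts}), service, now)
    sk2 = bytes.fromhex(unseal(sk1, enc2)["sk"])
    # kdc.db[service] stands for the key the real service reads from its own keytab.
    ap_rep = service_accept(kdc.db[service], ticket, seal(sk2, {"client": user, "ts": ts}), now)
    return unseal(sk2, ap_rep)["ts"] == ts   # the service proved it holds sk2, so it is the real service


if __name__ == "__main__":
    kdc = KDC({"jason": "correct horse battery"}, ["hdfs/namenode"])
    print(client_login(kdc, "jason", "correct horse battery", "hdfs/namenode"))
```

Three things the prose leaves implicit fall out of running it: a wrong password fails at the client, when it cannot open the AS reply, not at the KDC (which is why the MIT principal attribute +requires_preauth matters, since without pre-authentication anyone can fetch that reply and guess the password offline); a client clock more than MAX_SKEW seconds off is rejected by both the TGS and the service; and the service authenticates the client with nothing but its own keytab key.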

Deploying Kerberos

1. Install the Kerberos packages

Pick one host in the cluster (hadoop102.example.com) as the Kerberos server and install the KDC on it; every host in the cluster needs the Kerberos client packages. The terminal transcripts below use host node105 and realm YINZHENGJIE.ORG.CN, while the Cloudera Manager and usage sections later use hadoop102.example.com and realm EXAMPLE.COM. Whatever names you choose, the realm and the KDC hostname must be identical in kdc.conf, krb5.conf, the Cloudera Manager wizard and every principal you create.

Run the following on the server host:

yum install -y krb5-server krb5-workstation krb5-libs

Run the following on every client host:

yum install -y krb5-workstation krb5-libs

2. Edit the configuration files

(1) Server host (hadoop102.example.com)

Edit /var/kerberos/krb5kdc/kdc.conf as follows:

[root@node105 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.ORG.CN = {
  master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node105 ~]#

master_key_type = aes256-cts enables AES-256 for the master key. On JDK 8 builds before 8u161 this needs the JCE unlimited-strength policy files; this cluster's JDK already has them. max_renewable_life is the longest time a ticket may be renewed for. The remaining settings are file paths and can stay at their defaults. In this file format only whole lines beginning with # or ; are comments, so do not append remarks to a setting line.

The supported_enctypes line still lists single DES, 3DES and RC4 (arcfour-hmac). A key of every listed type is generated for each new principal, so these keys end up in every keytab. Single DES has been deprecated since RFC 6649 and MIT krb5 1.18 no longer supports it at all; RC4 and 3DES are deprecated by RFC 8429. Unless a legacy client genuinely needs them, trim the list to the AES entries (and Camellia if wanted) before creating any principals.

(2) Client hosts (all hosts)

Edit /etc/krb5.conf as follows:

[root@node105 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.ORG.CN

[realms]
 YINZHENGJIE.ORG.CN = {
  kdc = node105.yinzhengjie.org.cn
  admin_server = node105.yinzhengjie.org.cn
 }

[domain_realm]
.yinzhengjie.org.cn =  YINZHENGJIE.ORG.CN
yinzhengjie.org.cn = YINZHENGJIE.ORG.CN
[root@node105 ~]#
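The two files above carry the settings that decide the cluster's Kerberos posture, so here is an added example (not from the page or from MIT krb5) that reads a kdc.conf and krb5.conf pair and reports weak enctypes, a default_realm that the KDC does not serve, renewal limits the KDC would silently cap, and allow_weak_crypto. KDC_CONF and KRB5_CONF are the page's own two files embedded as constructed input; the parser, the WEAK list and audit() are the example's own.

```python
"""Audit a kdc.conf / krb5.conf pair for weak or inconsistent settings.

Added example; not from the page or from MIT krb5.  KDC_CONF and KRB5_CONF
below are the two files shown on the page, embedded as constructed input so
the audit runs offline (on a KDC, read the real files instead)."""
import re

# Single DES (RFC 6649), 3DES and RC4 (RFC 8429) in the spellings krb5 accepts.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des-hmac-sha1",
        "des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-raw", "arcfour-hmac", "rc4-hmac",
        "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"}


def parse_profile(text: str) -> dict:
    """Minimal reader for the krb5 'profile' format: [section], key = value and
    nested 'NAME = { ... }' blocks.  Trailing '#...' is stripped here for
    convenience only; krb5 itself treats just whole lines starting with '#' or
    ';' as comments, so inline remarks must not appear in the real files."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";") or line.startswith("includedir"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif not stack:
            continue                      # settings before the first [section] are ignored
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root


def parse_duration(s: str) -> int:
    """'7d 0h 0m 0s', '24h', '7d' or bare seconds -> seconds."""
    if s.strip().isdigit():
        return int(s)
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)\s*([dhms])", s))


def audit(kdc_conf: str, krb5_conf: str) -> dict:
    kdc, krb5 = parse_profile(kdc_conf), parse_profile(krb5_conf)
    lib, realms = krb5.get("libdefaults", {}), kdc.get("realms", {})
    findings, weak, strong = [], [], []
    default_realm = lib.get("default_realm")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm} is not a realm in kdc.conf {sorted(realms)}")
    for name, realm in realms.items():
        for token in realm.get("supported_enctypes", "").split():   # token = enctype:salt
            (weak if token.split(":")[0].lower() in WEAK else strong).append(token)
        mkt = realm.get("master_key_type", "")
        if not mkt or mkt.lower() in WEAK:
            findings.append(f"{name}: master_key_type is '{mkt or 'unset'}'; set aes256-cts")
        if parse_duration(lib.get("renew_lifetime", "0")) > parse_duration(realm.get("max_renewable_life", "0")):
            findings.append(f"{name}: renew_lifetime exceeds max_renewable_life; the KDC silently caps renewals")
    if weak:
        findings.append("weak enctypes in supported_enctypes (a key of each lands in every keytab): " + ", ".join(weak))
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true lets clients negotiate DES/RC4")
    return {"weak_enctypes": weak, "findings": findings, "hardened_supported_enctypes": " ".join(strong)}


# The page's kdc.conf and krb5.conf, as constructed copies (paths and logging omitted).
KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 YINZHENGJIE.ORG.CN = {
  master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
KRB5_CONF = """
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 default_realm = YINZHENGJIE.ORG.CN
[realms]
 YINZHENGJIE.ORG.CN = {
  kdc = node105.yinzhengjie.org.cn
  admin_server = node105.yinzhengjie.org.cn
 }
"""

if __name__ == "__main__":
    result = audit(KDC_CONF, KRB5_CONF)
    for finding in result["findings"]:
        print("-", finding)
    print("use: supported_enctypes =", result["hardened_supported_enctypes"])
```

Against the page's files the only finding is the five legacy enctypes; the hardened_supported_enctypes value it prints is what to put in kdc.conf before any principal is created, because keys are generated at addprinc time and shortening the list later leaves existing weak keys in place until each principal's key is changed (for example with cpw or a fresh xst).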

3. Initialize the KDC database

Run the following on the server host (hadoop102.example.com):

[root@node105 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.ORG.CN',
master key name 'K/M@YINZHENGJIE.ORG.CN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                   # choose the KDC master password here; it protects the whole principal database and cannot be recovered if lost
Re-enter KDC database master key to verify: 
[root@node105 ~]#

The -s flag also writes a stash file (/var/kerberos/krb5kdc/.k5.YINZHENGJIE.ORG.CN) containing the master key so that krb5kdc can start unattended. Protect that file exactly as you would the master password.

4. Create the admin principal and ordinary user principals

Each addprinc prompts for a password. Then generate a keytab for each ordinary user so it can authenticate without typing a password; xst writes to the current working directory unless a path is given, so we put the files under /etc/security/. A keytab is equivalent to the principal's password: whoever can read it is that principal, so keep it mode 0600 and owned by the account that will use it.

[root@node105 ~]# kadmin.local                              # local login to the KDC; no admin password is needed on the KDC host itself
Authenticating as principal root/admin@YINZHENGJIE.ORG.CN with password.
kadmin.local:  addprinc admin/admin                           # create an administrator principal
WARNING: no policy specified for admin/admin@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "admin/admin@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "admin/admin@YINZHENGJIE.ORG.CN": 
Principal "admin/admin@YINZHENGJIE.ORG.CN" created.
kadmin.local:  addprinc jason                              # create an ordinary user jason
WARNING: no policy specified for jason@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "jason@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "jason@YINZHENGJIE.ORG.CN": 
Principal "jason@YINZHENGJIE.ORG.CN" created.
kadmin.local:  addprinc yinzhengjie                            # create an ordinary user yinzhengjie
WARNING: no policy specified for yinzhengjie@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN": 
Principal "yinzhengjie@YINZHENGJIE.ORG.CN" created.
kadmin.local:  xst -k /etc/security/jason.keytab jason                        # generate a keytab for jason
Entry for principal jason with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/jason.keytab.
kadmin.local:  xst -k /etc/security/yinzhengjie.keytab yinzhengjie                  # generate a keytab for yinzhengjie
Entry for principal yinzhengjie with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
kadmin.local:  quit
[root@node105 ~]# ll /etc/security/*.keytab
-rw------- 1 root root 554 Mar  8 11:42 /etc/security/jason.keytab
-rw------- 1 root root 602 Mar  8 11:43 /etc/security/yinzhengjie.keytab
[root@node105 ~]#

Note the des3-cbc-sha1, arcfour-hmac, des-hmac-sha1 and des-cbc-md5 entries in each keytab: they exist only because supported_enctypes in kdc.conf listed those types. Trimming that list before creating principals keeps them out.

Alternative: create the Kerberos admin principal for Cloudera Manager in a single command

kadmin.local -q "addprinc admin/admin"

5. Edit the admin ACL

Principals whose instance is "/admin" receive full administrative rights; every other principal has no kadmin rights by default.

On the server host (hadoop102.example.com), edit /var/kerberos/krb5kdc/kadm5.acl as follows:

[root@node105 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@YINZHENGJIE.ORG.CN      *
[root@node105 ~]# 

6. Start the Kerberos services and enable them at boot

[root@node105 ~]# systemctl start krb5kdc       # start the KDC
[root@node105 ~]# systemctl start kadmin      # start kadmind, the administration entry point to the KDC database
[root@node105 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node105 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node105 ~]#

7. Check that Kerberos works

Authenticate with one of the keytabs and confirm that a TGT was issued:

[root@node105 ~]# kinit -kt /etc/security/yinzhengjie.keytab yinzhengjie
[root@node105 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yinzhengjie@YINZHENGJIE.ORG.CN

Valid starting       Expires              Service principal
03/08/2019 11:55:20  03/09/2019 11:55:20  krbtgt/YINZHENGJIE.ORG.CN@YINZHENGJIE.ORG.CN
        renew until 03/15/2019 11:55:20
[root@node105 ~]#

The 24-hour validity and the 7-day renewal window match ticket_lifetime and renew_lifetime in krb5.conf.

8. Copy krb5.conf from the KDC host to every other node in the cluster

[root@node105 ~]# scp /etc/krb5.conf root@node101.yinzhengjie.org.cn:/etc/krb5.conf

Repeat for each remaining node; every host must carry the same realm and KDC settings.

Configuring Kerberos in Cloudera Manager (check that the server clocks are in sync before starting)

Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted skew (5 minutes by default), so every host, the KDC included, must keep time with NTP or chrony against the same source.

Enable Kerberos

Confirm that all four prerequisites are met, tick each one and click Continue

Enter the encryption types, the realm name and the KDC/admin server addresses

Do not let Cloudera Manager manage krb5.conf, since a suitable krb5.conf has already been distributed by hand

Enter the admin account (it must match an entry in /var/kerberos/krb5kdc/kadm5.acl on the KDC, such as the admin/admin principal created above)

Wait for the Enable Kerberos step to finish, as shown in the screenshot

Configure principals

Tick the option to restart the cluster

Wait for the cluster restart to finish, as shown in the screenshot

Kerberos is now enabled

Using the cluster once Kerberos is enabled

Once Kerberos is enabled, every access to a cluster service must first authenticate to Kerberos. HDFS and Hive are used below to show how.

1. Register a principal for the user

Run the following on the Kerberos server host (hadoop102.example.com) and enter a password to complete the registration. With Hadoop's default auth_to_local rules this principal maps to the local user hdfs, the HDFS superuser, so guard its password and any keytab derived from it accordingly.

kadmin.local -q "addprinc hdfs/hdfs@EXAMPLE.COM"

2. Authenticate as the user: run the following and enter the password

kinit hdfs/hdfs@EXAMPLE.COM

Check the current ticket state:

$ klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hdfs@EXAMPLE.COM
 
Valid starting       Expires              Service principal
11/05/2020 14:29:23  11/06/2020 14:29:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  renew until 11/12/2020 14:29:23

Note: for non-interactive authentication, for example from application code, generate a keytab with the command below and point the code at it (in Hadoop, UserGroupInformation.loginUserFromKeytab(principal, keytabPath)). By default xst randomizes the principal's key, so the password set with addprinc stops working afterwards; from kadmin.local the -norandkey option keeps the existing key and password.

kadmin.local -q "xst -k /path/to/your/keytab/admin.keytab hdfs/hdfs@EXAMPLE.COM"
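The xst transcripts in step 4 of the deployment section and the keytab generated here show that a keytab carries one key per enctype in supported_enctypes, legacy types included. The following added example (not from the page or from MIT krb5) parses the MIT keytab file format directly and flags deprecated key types and mixed key versions, which is what klist -kte shows interactively but can also run where no krb5 tools are installed, for example as a check over keytabs before they are distributed. build_keytab() creates an in-memory keytab mirroring the eight entries written for jason; the key bytes and the timestamp are constructed, and the DEPRECATED set is the example's own classification.

```python
"""Parse an MIT keytab (file format 0x0502) and flag deprecated key types.

Added example, not code from the page or from MIT krb5.  build_keytab()
creates a keytab in memory that mirrors the eight entries xst wrote for
jason, so the check runs offline; on a real host read /etc/security/jason.keytab."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 8: "des-hmac-sha1", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
            23: "arcfour-hmac", 25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac"}
DEPRECATED = {1, 3, 8, 16, 23}   # single DES (RFC 6649), 3DES and RC4 (RFC 8429)
KRB5_NT_PRINCIPAL = 1
TS = 1552020120                  # constructed timestamp for the sample entries


def _octets(b: bytes) -> bytes:
    """counted_octet_string: uint16 length, then the bytes (all integers big-endian)."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """entries: (principal 'a/b@REALM', kvno, enctype number, key bytes) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, TS, kvno & 0xFF)
        body += struct.pack(">H", etype) + _octets(key)
        body += struct.pack(">I", kvno)              # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body   # size excludes the size field itself
    return bytes(out)


def parse_keytab(data: bytes) -> list:
    """Walk the entry list; a negative size marks a deleted slot, which is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_octets(data, pos)
            comps.append(comp.decode())
        _name_type, ts, kvno = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_octets(data, pos + 11)
        if end - pos >= 4:                           # a non-zero 32-bit kvno overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "etype": etype, "enctype": ENCTYPES.get(etype, f"etype-{etype}"),
                        "timestamp": ts, "key_len": len(key)})
    return entries


def audit_keytab(data: bytes) -> dict:
    """Report deprecated enctypes and mixed kvnos (a stale key left from before a key change)."""
    entries = parse_keytab(data)
    return {"entries": len(entries),
            "kvnos": sorted({e["kvno"] for e in entries}),
            "deprecated": [e["enctype"] for e in entries if e["etype"] in DEPRECATED]}


# Constructed sample: the same eight enctypes, all kvno 2, that xst printed for jason.
JASON = "jason@YINZHENGJIE.ORG.CN"
SAMPLE = build_keytab([(JASON, 2, et, bytes([et]) * n) for et, n in
                       ((18, 32), (17, 16), (16, 24), (23, 16), (26, 32), (25, 16), (8, 8), (3, 8))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE):
        print(f'{e["kvno"]:>4} {e["principal"]} ({e["enctype"]})')   # same shape as klist -kte
    print(audit_keytab(SAMPLE)["deprecated"])
```

DES and RC4 entries should not be in a keytab at all: remove those types from supported_enctypes and regenerate the keytab with xst. Mixed kvnos are expected right after a key change, when old and new keys coexist, but a keytab that keeps an old kvno indefinitely lets tickets issued under the old key go on being accepted.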

3. Accessing HDFS

Before authentication
$ hadoop fs -ls /
 
20/11/05 14:28:28 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
ls: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessCont

After authentication
$ hadoop fs -ls /
Found 2 items
 
drwxrwxrwt   - hdfs    supergroup          0 2020-11-02 15:52 /tmp
drwxr-xr-x   - hdfs    supergroup          0 2020-11-03 09:23 /user

4. Accessing Hive

(1) hive client

Before authentication
$ hive
 
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "hadoop102.example.com/172.26.131.1"; destination host is: "hadoop102.example.com":8020; 
  at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:604)
  at org.apache.hadoop.hive.ql.session.SessionState.beginStart(SessionState.java:545)

After authentication
$ hive
 
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive>

(2) beeline client

Note: once Kerberos is on, the JDBC URL must carry HiveServer2's service principal, as shown below, so that the client requests a ticket for the right service

Before authentication

$ beeline -u "jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
 
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
20/11/05 14:42:57 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
  at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:2

After authentication

$ beeline -u "jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
 
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
0: jdbc:hive2://hadoop102.example.com:10000/>

References: https://blog.csdn.net/ytp552200ytp/article/details/109643832 https://www.cnblogs.com/yinzhengjie/articles/10483362.html
