Most Hadoop clusters adopt Kerberos as the authentication protocol
安装 KDC
- 启动Kerberos 认证需要安装 KDC 服务器和必要的软件。安装KDC 的命令可以在任何机器上执行。
yum -y install krb5-server krb5-lib krb5-auth-dialog krb5-workstation
- 接着,在集群中的其他节点上安装Kerberos client和命令
yum -y install krb5-lib krb5-auth-dialog krb5-workstation
- 编辑 KDC 配置的realms,AD(active directory)
krb5.conf 文件包含 KDCs、admin 服务器的地址,是当前 realm 和 Kerberos 应用的默认配置,该配置将主机名映射到 Kerberos realms。krb5.conf一般在/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
HADOOP.COM = {
kdc = node1.hadoop.com
admin_server = node1.hadoop.com
}
AD.COM = {
kdc = windc.ad.com
admin_server = windc.ad.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
.ad.com = AD.COM
ad.com = AD.COM
[capaths]
AD.COM = {
HADOOP.COM = .
}
realms: HADOOP_COM下的 kdc, admin_server是我们安装KDC的主机地址,AD.COM下的是 Domain Controller主机地址。
domain_realm: 提供domain name 或者主机名字到kerberos realms名字的转换。两者都必须小写。
capaths: cross-realm authentication中,不同 realms 之间需要数据库去创建authentication paths。 这部分定义存储。
- 编辑 kdc.conf,默认在 /var/Kerberos/krb5kdc/kdc.conf。包含 KDC 配置信息,包括发放 Kerberos tickets 时的默认值。
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
时间: 2024-10-07 13:31:02