Kerberos 高可用配置和验证

参考

https://cloud.tencent.com/developer/article/1078314
https://mp.weixin.qq.com/s?__biz=MzI4OTY3MTUyNg==&mid=2247485861&idx=1&sn=bb930a497f63ac5e63ed20c64643eec5

机器准备

Kerberos主

ip-172-31-22-86.ap-southeast-1.compute.internal

7.common2.hadoop.fql.com

Kerberos备

ip-172-31-21-45.ap-southeast-1.compute.internal

6.common2.hadoop.fql.com

配置

服务端

ll /var/kerberos/krb5kdc/

vim /etc/krb5.conf

客户端

vim /etc/krb5.conf

ll /etc/krb5.keytab

其他配置操作

addprinc -randkey host/7.common2.hadoop.fql.com

addprinc -randkey host/6.common2.hadoop.fql.com

ktadd host/7.common2.hadoop.fql.com

ktadd host/6.common2.hadoop.fql.com

scp -P 39000 /etc/krb5.conf 10.14.XX.248:/etc/

scp -P 39000 /etc/krb5.keytab 10.14.XX.248:/etc/

scp -P 39000 /var/kerberos/krb5kdc/.k5.LEXIN.COM 10.14.XX.248:/etc/

scp -P 39000 /var/kerberos/krb5kdc/kadm5.acl 10.14.XX.248:/etc/

scp -P 39000 /var/kerberos/krb5kdc/kdc.conf 10.14.XX.248:/etc/

命令

shell 复制代码
一、krb5kdc 和 kadmin 是主备节点都需要启动的服务
systemctl enable krb5kdc
systemctl start krb5kdc
systemctl status krb5kdc
`krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC).`

systemctl enable kadmin
systemctl start kadmin
systemctl status kadmin

二、kprop 是在备节点启动的服务
systemctl enable kprop
systemctl start kprop
systemctl status kprop

主备同步

shell 复制代码
一、一次性同步
在主节点上使用kprop命令将master.dump文件同步至备节点
kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 6.common2.hadoop.fql.com


二、定时同步
在主节点上配置crontab

# Kerberos同步
*/6 * * * * sh /var/kerberos/krb5kdc/kprop_sync.sh >> /var/kerberos/krb5kdc/kprop_sync.log 2>&1 



vim /var/kerberos/krb5kdc/kprop_sync.sh

#!/bin/bash
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="6.common2.hadoop.fql.com"
TIMESTAMP=`date`

echo "begin at $TIMESTAMP"
/sbin/kdb5_util dump $DUMP
/sbin/kprop -f $DUMP -d -P $PORT $SLAVE

验证

结论:

1、一个账号,需要在Kerberos主备服务端都存在,才能认证使用。

2、主备的 krb5kdc 服务都停止后,kinit 有以下异常信息

shell 复制代码
[hive@1 ~]$ kinit -kt /etc/security/keytab/hive.service.keytab hive/1.common2.hadoop.fql.com@LEXIN.COM
kinit: Cannot contact any KDC for realm 'LEXIN.COM' while getting initial credentials

[root@1 ~]# kinit test_2023
kinit: Cannot contact any KDC for realm 'LEXIN.COM' while getting initial credentials

3、主备的 krb5kdc 服务都停止后,HDFS 异常,NameNode 会有以下异常信息:

shell 复制代码
Caused by: java.io.IOException: Couldn't setup connection for nn/2.common2.hadoop.fql.com@LEXIN.COM to 1.common2.hadoop.fql.com/10.14.37.243:8485
        at org.apache.hadoop.ipc.Client$Connection$1.run(Client.java:772)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1938)
        at org.apache.hadoop.ipc.Client$Connection.handleSaslConnectionFailure(Client.java:743)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:846)
        at org.apache.hadoop.ipc.Client$Connection.access$3700(Client.java:423)
        at org.apache.hadoop.ipc.Client.getConnection(Client.java:1621)
        at org.apache.hadoop.ipc.Client.call(Client.java:1450)
        ... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: ICMP Port Unreachable)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:211)
        at org.apache.hadoop.security.SaslRpcClient.saslConnect(SaslRpcClient.java:407)
        at org.apache.hadoop.ipc.Client$Connection.setupSaslConnection(Client.java:629)
        at org.apache.hadoop.ipc.Client$Connection.access$2200(Client.java:423)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:833)
        at org.apache.hadoop.ipc.Client$Connection$2.run(Client.java:829)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1938)
        at org.apache.hadoop.ipc.Client$Connection.setupIOstreams(Client.java:828)

4、主备的 krb5kdc 服务都停止后,再恢复启动主节点或备节点,kerberos 就会恢复正常使用。

相关推荐
开着拖拉机回家22 天前
【DBeaver】连接带kerberos的hive[Apache|HDP]
数据仓库·hive·hadoop·kerberos·dbeaver
极客先躯2 个月前
Hadoop krb5.conf 配置详解
大数据·hadoop·分布式·kerberos·krb5.conf·认证系统
开着拖拉机回家2 个月前
【HDP】zookeeper未授权漏洞修复
linux·zookeeper·kerberos·授权·zk-client
HHoao3 个月前
学习Kerberos
大数据·hadoop·kerberos
sangfor_edu4 个月前
Kerberos认证原理
kerberos
hamish-wu8 个月前
Kerberos 认证 javax.security.auth.logon.LoginException:拒绝链接 (Connection refused)
java·大数据·kerberos
但行益事莫问前程9 个月前
ktutil编写生成keytab文件的脚本、通过keytab文件认证用户
linux·kerberos
梓芮.10 个月前
SPN的重要性 | 保障服务安全和身份验证
windows·安全·kerberos·ad·spn·activedirectory·spn 配置
Jumay06121 年前
MacOS 14.1 配置kerberos认证
macos·kerberos·tickets
数据的小伙伴1 年前
kerberos详解
大数据·kerberos