CDP Cluster Security Guide: Data-in-Motion Encryption

[〇] About this article

Data-in-motion encryption for a cluster means encrypting data while it travels over network protocols, so that it cannot be read or stolen in transit. A big-data deployment involves a large number of hosts and services, so you need to assess, based on your cluster's actual environment, which links require in-transit encryption.

This article describes how to enable in-transit encryption for the whole Cloudera Manager layer with Cloudera Manager's Auto-TLS feature. Auto-TLS automates every step required to enable TLS encryption at the cluster level. With Auto-TLS you can either let Cloudera Manager act as the certificate authority (CA) that manages all certificates in the cluster, or use your company's existing CA.

In most cases all the necessary steps can be completed from the Cloudera Manager UI.

Enabling it makes the following changes:

  1. TLS encryption for the Admin Console: enables TLS encryption (HTTPS) between users and the Cloudera Manager Admin Console; checks then use the HTTPS port.
  2. TLS encryption for the Cloudera Manager Agent: enables TLS encryption between the server and the agents.
  3. TLS authentication of agents to the server: enables TLS authentication of the agents to the server.
  4. TLS/SSL for all roles of the Cloudera Management Service.

**[Important reminder]** Here I only enable TLS encryption for Cloudera Manager itself; I do not intend to enable TLS/SSL for the CDP services, because doing so changes how every service is accessed. That is a very large change, so once again: assess carefully whether you need TLS/SSL for the CDP services as a whole. Note what this choice means for the threat model: Auto-TLS at the Cloudera Manager level protects only the management plane (the Admin Console, agent heartbeats and the Management Service); traffic between the CDP services themselves, such as HDFS, YARN or Hive, stays in cleartext until those services are configured for TLS/SSL.

[一] Enabling Auto-TLS

1 - Generate the CA certificate

```bash
[root@cdp73-1 ~]# mkdir -p /etc/tls/ca
[root@cdp73-1 ~]# cd /etc/tls/ca
[root@cdp73-1 ca]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................................................................................................................................................+++++
.................................+++++
e is 65537 (0x010001)
[root@cdp73-1 ca]# openssl rsa -check -in ca.key
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[private key omitted]
-----END RSA PRIVATE KEY-----
[root@cdp73-1 ca]# openssl rsa -text -in ca.key -noout
RSA Private-Key: (2048 bit, 2 primes)
[modulus, exponents and CRT parameters omitted]
[root@cdp73-1 ca]# openssl req -x509 -new -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:lh
State or Province Name (full name) []:lh
Locality Name (eg, city) [Default City]:lh
Organization Name (eg, company) [Default Company Ltd]:lh
Organizational Unit Name (eg, section) []:lh
Common Name (eg, your name or your server's hostname) []:lh
Email Address []:lh
[root@cdp73-1 ca]#
```

The private key material that these commands printed is omitted from this page; a CA key should never be published, and it is worth remembering that the two `openssl rsa` invocations above also write it into the terminal scrollback and any session log. Running `openssl rsa -check` with `-noout` validates the key without printing it, and `ca.key` should be readable by root only (mode 600). Two further points about this session: `openssl req -x509` without a `-days` argument issues a certificate that is valid for only 30 days (the tool's default), which is far too short for a CA that Auto-TLS will depend on, so pass `-days` explicitly (for example ten years) and confirm the validity period with the `-dates` option of `openssl x509`; and the certificate must carry the `CA:TRUE` basic constraint, which the default openssl.cnf adds for `req -x509` but which is worth verifying before handing the file to Cloudera Manager.

2 - Enable Auto-TLS

  1. Go to Administration -> Security and click Enable Auto-TLS.

  2. Fill in the information.

  3. Summary.

  4. Restart cloudera-scm-server:

    ```bash
    [root@cdp73-1 ca]# systemctl restart cloudera-scm-server
    [root@cdp73-1 ca]#
    ```
  5. Log in to the Cloudera Manager web UI; the address changes from http://192.168.0.171:7180 to https://192.168.0.171:7183.

  6. Restart the Cloudera Management Service.
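The following is an added example, not code from the original article or from Cloudera. It packages the CA creation from step 1 and a check for step 5 into shell functions: the CA is generated non-interactively with an explicit validity and an explicit `CA:TRUE` constraint (going slightly beyond the article, which relies on the system openssl.cnf for that), the private key is validated without being printed, the resulting certificate is checked before use, and after Auto-TLS is enabled the console port is checked to present a chain that verifies against this CA. The directory /etc/tls/ca and the console address 192.168.0.171:7183 are taken from the article; the subject, the config file and the function names are this example's own assumptions.

```bash
#!/bin/sh
# Added example (not code from the original article or from Cloudera).
# Creates the CA that Auto-TLS will be pointed at, the way the openssl
# session above does, but non-interactively and without two defaults that
# bite in practice: a 30-day validity when -days is omitted, and the private
# key being echoed to the terminal by "openssl rsa -check" without -noout.
# Assumptions: the directory /etc/tls/ca and the console address
# 192.168.0.171:7183 from the article; subject, config file and function
# names are this example's own.

# make_ca DIR SUBJECT [DAYS]: writes DIR/ca.key (mode 600) and DIR/ca.crt.
make_ca() {
    dir=$1; subject=$2; days=${3:-3650}
    mkdir -p "$dir" || return 1
    # A private config section makes CA:TRUE explicit instead of relying on
    # the v3_ca section of the system openssl.cnf. The [dn] entry is only a
    # placeholder; -subj overrides it.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = overridden-by-subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077 && openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null) || return 1
    chmod 600 "$dir/ca.key"
    # -noout: validate the key without printing it.
    openssl rsa -check -noout -in "$dir/ca.key" >/dev/null 2>&1 || return 1
    openssl req -x509 -new -sha256 -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -subj "$subject" -days "$days" -out "$dir/ca.crt" 2>/dev/null
}

# check_ca CRT [MIN_DAYS]: the certificate must be a CA, verify against
# itself, and stay valid for at least MIN_DAYS more days (default one year).
check_ca() {
    crt=$1; min_days=${2:-365}
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' \
        || { echo "$crt: basicConstraints CA:TRUE missing" >&2; return 1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 \
        || { echo "$crt: self-signature does not verify" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "$crt: expires within $min_days days" >&2; return 1; }
}

# verify_cm_tls HOST PORT CRT: once Auto-TLS is enabled and cloudera-scm-server
# restarted, the console on 7183 must present a chain that verifies against
# ca.crt; anything else means the CA was not taken up as expected.
verify_cm_tls() {
    host=$1; port=${2:-7183}; crt=$3
    openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$crt" \
        -verify_return_error </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage, as root on the Cloudera Manager host (subject mirrors the article's):
#   make_ca /etc/tls/ca "/C=lh/ST=lh/L=lh/O=lh/OU=lh/CN=lh" 3650 && check_ca /etc/tls/ca/ca.crt 365
#   verify_cm_tls 192.168.0.171 7183 /etc/tls/ca/ca.crt   # after enabling Auto-TLS
```

`check_ca` is the gate before the Enable Auto-TLS dialog: a certificate that fails the `CA:TRUE` or `-checkend` check should not be handed to Cloudera Manager, since every host certificate it issues will hang off this one. `verify_cm_tls` is only meaningful after step 5, once the console answers on 7183.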

[二] Rolling back Auto-TLS

1 - Configuration in the database

```bash
[root@cdp73-1 ~]# mysql -uroot -p
Enter password:

mysql> use scm;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> update CONFIGS set value = 'false' where attr = 'web_tls';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 0  Changed: 0  Warnings: 0

mysql> update CONFIGS set value = 'false' where attr = 'agent_tls';
Query OK, 0 rows affected (0.00 sec)
Rows matched: 0  Changed: 0  Warnings: 0

mysql>
```

Note the `Rows matched: 0  Changed: 0` reported for both statements: the WHERE clause matched no row, so this session did not actually change anything in the database. Before relying on this step, run a SELECT on the same attr names to see whether the rows exist and what they hold, and after the updates check that MySQL reports `Rows matched: 1`; otherwise the web and agent TLS settings are still in force as far as Cloudera Manager is concerned.

2 - Edit /etc/default/cloudera-scm-server

```bash
export CMF_JAVA_OPTS="-Xmx8G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2 -Dorg.apache.avro.specific.use_custom_coders=true"
```

Change this to the following, i.e. remove only the `-Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2` option and leave the rest of the line as it was:

```bash
export CMF_JAVA_OPTS="-Xmx8G -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp -Dorg.apache.avro.specific.use_custom_coders=true"
```

3 - Edit /etc/cloudera-scm-agent/config.ini

This file exists on every host that runs a Cloudera Manager agent, not only on the server host, and Auto-TLS changed it everywhere, so the edit has to be made on every host:

```bash
use_tls=1
```

change to

```bash
use_tls=0
```

The new settings take effect only after cloudera-scm-server and the agents have been restarted.
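The following is an added example, not code from the original article or from Cloudera. It performs the three rollback edits above on one host the way a practitioner would want them done: every file is backed up before it is touched, every edit refuses to run when there is nothing to change and verifies its own result, and the article's two UPDATE statements are wrapped in SELECTs so that a `Rows matched: 0` outcome like the one in the MySQL session above is visible instead of passing silently. The file paths and SQL are the article's; the function names and the backup suffix are this example's own.

```bash
#!/bin/sh
# Added example (not code from the original article or from Cloudera).
# Rolls back the Auto-TLS edits described above on one host: each file is
# backed up first, each edit refuses to run when there is nothing to change,
# and the result is verified, so a no-op (like the "Rows matched: 0" in the
# MySQL session above) is reported instead of passing silently. Paths are
# the article's; the function names and backup suffix are this example's own.

CM_SERVER_DEFAULTS=${CM_SERVER_DEFAULTS:-/etc/default/cloudera-scm-server}
AGENT_CONFIG=${AGENT_CONFIG:-/etc/cloudera-scm-agent/config.ini}
TLS_JVM_OPT='-Dcom.sun.management.jmxremote.ssl.enabled.protocols=TLSv1.2'

# Keep a timestamped copy (same owner and mode) before editing in place.
backup_file() {
    cp -p "$1" "$1.pre-tls-rollback.$(date +%Y%m%d%H%M%S)"
}

# Rewrite FILE with the output of "sed SCRIPT FILE", keeping the original
# inode, owner and mode (portable alternative to sed -i).
sed_in_place() {
    script=$1; file=$2
    sed "$script" "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# disable_server_tls_opt FILE: drop the TLS JVM option from CMF_JAVA_OPTS.
# (-e is needed because the pattern itself starts with a dash.)
disable_server_tls_opt() {
    file=$1
    grep -qF -e "$TLS_JVM_OPT" "$file" \
        || { echo "$file: $TLS_JVM_OPT not present, nothing to roll back" >&2; return 1; }
    backup_file "$file" || return 1
    # Remove the option and the blank before it; dots are escaped so the
    # pattern matches exactly this option and nothing else.
    sed_in_place 's/ *-Dcom\.sun\.management\.jmxremote\.ssl\.enabled\.protocols=TLSv1\.2//' "$file" \
        || return 1
    # Post-check: the option is gone and CMF_JAVA_OPTS is still exported.
    ! grep -qF -e "$TLS_JVM_OPT" "$file" && grep -q '^export CMF_JAVA_OPTS=' "$file"
}

# disable_agent_tls FILE: set use_tls=0 in the agent's config.ini. Run it on
# every host that has an agent, not only on the Cloudera Manager host.
disable_agent_tls() {
    file=$1
    grep -q '^use_tls=1$' "$file" \
        || { echo "$file: use_tls=1 not set, nothing to roll back" >&2; return 1; }
    backup_file "$file" || return 1
    sed_in_place 's/^use_tls=1$/use_tls=0/' "$file" || return 1
    grep -q '^use_tls=0$' "$file"
}

# rollback_sql: the article's two UPDATE statements for the scm database,
# wrapped in SELECTs so the before/after values are visible and a
# "Rows matched: 0" result cannot go unnoticed.
rollback_sql() {
    cat <<'EOF'
select attr, value from CONFIGS where attr in ('web_tls', 'agent_tls');
update CONFIGS set value = 'false' where attr = 'web_tls';
update CONFIGS set value = 'false' where attr = 'agent_tls';
select attr, value from CONFIGS where attr in ('web_tls', 'agent_tls');
EOF
}

# Usage, as root:
#   rollback_sql | mysql -uroot -p scm                      # on the Cloudera Manager host
#   disable_server_tls_opt "$CM_SERVER_DEFAULTS" && systemctl restart cloudera-scm-server
#   disable_agent_tls "$AGENT_CONFIG" && systemctl restart cloudera-scm-agent   # on every agent host
```

If the first SELECT printed by `rollback_sql` returns no rows, stop there: the updates would be the same no-op the article's session shows, and the TLS state has to be found under whatever attr names this Cloudera Manager version actually stores it in before the file edits are worth making.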