Installing the Kerberos server and client

Published: 2025/1/21

Introduction

Kerberos authentication flow

Environment preparation

Installing the Kerberos server

Install with yum

yum install krb5-server krb5-libs krb5-workstation -y

vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 120
 udp_preference_limit = 1

[realms]
 HADOOP.COM = {
  kdc = node1
  admin_server = node1
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
 node1 = HADOOP.COM
 node2 = HADOOP.COM
 node3 = HADOOP.COM
 node4 = HADOOP.COM
 node5 = HADOOP.COM

Notes:
[logging]: where the server-side logs are written.
udp_preference_limit = 1: any message larger than 1 byte is sent over TCP, so in practice UDP is never used. The post recommends this to avoid a problem seen with Hadoop; large tickets being fragmented over UDP is a common cause of such failures.
ticket_lifetime: how long a ticket is valid, usually 24 hours.
renew_lifetime: the longest period over which a ticket may keep being renewed, usually one week. Once the ticket has expired, further access to Kerberos-protected services fails.
clockskew: the tolerance, in seconds, between the timestamp in a ticket and the host's system clock; a ticket outside that tolerance is rejected. Keep every node synchronized with NTP rather than widening this value.

vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Note that this supported_enctypes list still contains single DES (des-cbc-crc, des-cbc-md5, des-hmac-sha1), 3DES (des3-hmac-sha1) and RC4 (arcfour-hmac), all of which are deprecated in MIT Kerberos and either broken or weak. Because the KDC generates a key of every listed type for each new principal, fix this before running kdb5_util create: uncomment master_key_type = aes256-cts and restrict supported_enctypes to aes256-cts:normal aes128-cts:normal.
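As an added example, not from the original post, here is a small shell linter for the two configuration files above: it reports deprecated encryption types in a kdc.conf's supported_enctypes, rewrites that line without them, and reads udp_preference_limit and clockskew from a krb5.conf. It takes file paths as arguments; the sample_* functions embed constructed copies of the post's settings so it runs offline. The WEAK_ENCTYPES list, the function names and the awk rewrite are mine and belong to no Kerberos tool.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): lint kdc.conf / krb5.conf for the
# settings a reviewer would check before the KDC goes live.
# Assumptions: bash, POSIX sed/awk; config files are passed as paths. The
# sample_* functions emit constructed copies of the post's configs for testing.

# Enctypes MIT Kerberos has deprecated or removed (single DES, 3DES, RC4).
WEAK_ENCTYPES="des-cbc-crc des-cbc-md5 des-hmac-sha1 des3-hmac-sha1 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp"

# setting FILE KEY: print the first value of KEY (e.g. udp_preference_limit), or "unset".
setting() {
  local v
  v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
  echo "${v:-unset}"
}

# list_enctypes FILE: print the enctypes named in supported_enctypes, one per
# line, with the ":salt" suffix removed.
list_enctypes() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ' ' '\n' | sed -e 's/:.*$//' -e '/^$/d'
}

# weak_enctypes FILE: print the deprecated enctypes the KDC would still key principals with.
weak_enctypes() {
  local e w
  for e in $(list_enctypes "$1"); do
    for w in $WEAK_ENCTYPES; do
      [ "$e" = "$w" ] && echo "$e"
    done
  done
  return 0
}

# strip_weak_enctypes FILE: print FILE with the deprecated types removed from
# supported_enctypes. Add aes256-cts:normal by hand if it is missing.
strip_weak_enctypes() {
  awk -v weak="$WEAK_ENCTYPES" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
      split($0, kv, "=")
      n = split(kv[2], toks, " ")
      out = kv[1] "="
      for (i = 1; i <= n; i++) {
        split(toks[i], p, ":")
        if (!(p[1] in bad)) out = out " " toks[i]
      }
      print out; next
    }
    { print }' "$1"
}

# lint FILE: one human-readable summary per file.
lint() {
  local weak
  weak=$(weak_enctypes "$1" | tr '\n' ' ')
  if [ -n "$weak" ]; then
    echo "WEAK enctypes in $1: $weak"
  else
    echo "OK: no deprecated enctypes in $1"
  fi
  echo "udp_preference_limit=$(setting "$1" udp_preference_limit) clockskew=$(setting "$1" clockskew)"
}

# sample_kdc_conf: constructed copy of the post's kdc.conf [realms] block (test input).
sample_kdc_conf() {
  cat <<'EOF'
[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88
[realms]
  HADOOP.COM = {
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }
EOF
}

# sample_krb5_conf: constructed copy of the post's krb5.conf [libdefaults] (test input).
sample_krb5_conf() {
  cat <<'EOF'
[libdefaults]
  default_realm = HADOOP.COM
  ticket_lifetime = 24h
  clockskew = 120
  udp_preference_limit = 1
EOF
}

# Demo against the constructed sample. On a real KDC run instead:
#   lint /var/kerberos/krb5kdc/kdc.conf; lint /etc/krb5.conf
_demo_file=$(mktemp)
sample_kdc_conf > "$_demo_file"
lint "$_demo_file"
strip_weak_enctypes "$_demo_file" | grep supported_enctypes
rm -f "$_demo_file"
```

Run it against the post's kdc.conf and it lists the five deprecated types; the rewritten supported_enctypes line keeps only the AES and Camellia entries, so you still have to add aes256-cts:normal before creating the realm.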

vim /var/kerberos/krb5kdc/kadm5.acl

# change the file to the following
*/admin@HADOOP.COM *
# for the full kadm5.acl syntax see the kadm5.acl man page


只要名稱滿足上述規則就可以擁有最高權限。

Initialize the Kerberos database

cd /var/kerberos/krb5kdc/
kdb5_util create -s -r HADOOP.COM   # prompts twice for the KDC master password (the post used hust@4400; choose a strong one)


圖示有誤,是會創建4個文件。

Create an account

kadmin.local
kadmin.local:  addprinc root/admin@HADOOP.COM
kadmin.local:  listprincs

Enable start on boot

[root@node1 krb5kdc]# systemctl restart krb5kdc.service
[root@node1 krb5kdc]# systemctl restart kadmin
[root@node1 krb5kdc]# systemctl enable krb5kdc.service
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node1 krb5kdc]# systemctl enable kadmin.service
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node1 krb5kdc]#

Installing the Kerberos client

Every node needs the client packages and the client configuration.

Install with yum

yum install krb5-libs krb5-workstation -y

vim /etc/krb5.conf

Or simply copy the server's configuration file to each node:

[root@node1 krb5kdc]# scp /etc/krb5.conf node2:/etc/krb5.conf
krb5.conf                                     100%  557   544.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node3:/etc/krb5.conf
krb5.conf                                     100%  557   561.7KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node4:/etc/krb5.conf
krb5.conf                                     100%  557   490.3KB/s   00:00
[root@node1 krb5kdc]# scp /etc/krb5.conf node5:/etc/krb5.conf
krb5.conf                                     100%  557   472.8KB/s   00:00
[root@node1 krb5kdc]#

Logging in to the server from a client

kinit root/admin@HADOOP.COM   # prompts for the password; no output means it worked
klist                         # shows the ticket just obtained
kadmin                        # prompts for the password again, then opens the kadmin shell
kadmin:  listprincs

Planning the Kerberos principals for each Hadoop service

The names nm and nodemanager can be chosen freely; pick something that is easy to recognize.

Configuring HDFS

Configure the Kerberos accounts used by HDFS

A keytab file holds a principal's long-term key: whoever can read it can authenticate as that principal without a password. Treat every keytab as a credential, owned by the service user, mode 400, and copied only to the host that needs it.

mkdir /etc/security/keytabs
cd /etc/security/keytabs
kadmin

Services on node1:

A single hdfs/node1 principal is enough for the HDFS daemons on node1; the separate per-service principals below are optional (the option is spelled -randkey, which gives the principal a random key instead of a password):
addprinc -randkey hdfs/node1@HADOOP.COM

kadmin
kadmin:  addprinc -randkey nn/node1@HADOOP.COM
kadmin:  addprinc -randkey rm/node1@HADOOP.COM
kadmin:  addprinc -randkey HTTP/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/nn.service.keytab nn/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/rm.service.keytab rm/node1@HADOOP.COM

ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/node1@HADOOP.COM

ll /etc/security/keytabs

cd /etc/security/keytabs
chmod 400 *

Build and copy the program

core-site.xml

hdfs-site.xml

Configure these yourself.

On the Kerberos server, run kadmin.local:

kadmin.local:  addprinc hdfs/node1@HADOOP.COM
kadmin.local:  addprinc hdfs/node2@HADOOP.COM
kadmin.local:  addprinc hdfs/node3@HADOOP.COM
kadmin.local:  addprinc hdfs/node4@HADOOP.COM
kadmin.local:  addprinc hdfs/node5@HADOOP.COM
kadmin.local:  addprinc http/node1@HADOOP.COM
kadmin.local:  addprinc http/node2@HADOOP.COM
kadmin.local:  addprinc http/node3@HADOOP.COM
kadmin.local:  addprinc http/node4@HADOOP.COM
kadmin.local:  addprinc http/node5@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node1@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node2@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node3@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node4@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab hdfs/node5@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node1@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node2@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node3@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node4@HADOOP.COM
kadmin.local:  ktadd -norandkey -k /etc/security/keytabs/http.keytab http/node5@HADOOP.COM

Three things to check before using this batch. First, addprinc without -randkey prompts for a password for every service principal, and ktadd -norandkey keeps that password-derived key in the keytab, so each keytab is only as strong as the password that was typed; service principals should use -randkey. Second, the web principals are created here as http/nodeN while the earlier node1 step and Hadoop's SPNEGO configuration use HTTP/nodeN; principal names are case-sensitive, so use HTTP consistently. Third, hdfs.keytab and http.keytab each hold the keys of all five nodes, so copying them to every node means one compromised node yields every node's keys; one keytab per host, holding only that host's principals, limits the damage.
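As an added example, not from the original post, the following shell script generates the kadmin.local batch for the provisioning described in the node1 step and in the batch above, but with random keys for every service principal and one keytab per host, and it checks that a keytab is readable only by its owner. The realm, hostnames and keytab directory are illustrative values passed in as arguments; the function names are mine, and the only Kerberos syntax used is kadmin.local's addprinc -randkey and ktadd -k.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate the kadmin.local batch
# that provisions one keytab per host, and check keytab file permissions.
# Assumptions: MIT Kerberos kadmin.local syntax (addprinc -randkey, ktadd -k);
# realm, hostnames and keytab directory are illustrative values passed in.

# principals REALM HOST SERVICE...: print "SERVICE/HOST@REALM" for each service.
principals() {
  local realm=$1 host=$2 svc
  shift 2
  for svc in "$@"; do echo "$svc/$host@$realm"; done
}

# kadmin_batch REALM KEYTAB_DIR "HOST..." SERVICE...: print kadmin.local commands.
# Service principals get a random key (-randkey), so no password is ever typed
# for them, and each host gets its own keytab holding only its own principals:
# a keytab stolen from node3 then reveals nothing about node1's keys.
kadmin_batch() {
  local realm=$1 dir=$2 hosts=$3 host p list
  shift 3
  for host in $hosts; do
    list=""
    for p in $(principals "$realm" "$host" "$@"); do
      echo "addprinc -randkey $p"
      list="$list $p"
    done
    # The keytab is named after the first service; SPNEGO principals must be
    # spelled HTTP/host because principal names are case-sensitive.
    echo "ktadd -k $dir/$host/$1.service.keytab$list"
  done
}

# keytab_mode_ok PATH: "ok" if only the owner can read the keytab (0400/0600),
# otherwise "bad:<mode>". Uses ls -l so it works with GNU and BSD userland.
keytab_mode_ok() {
  local mode
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    -r--------|-rw-------) echo "ok" ;;
    *) echo "bad:$mode" ;;
  esac
}

# Usage on the KDC for the post's five-node cluster (hdfs + HTTP per host):
#   mkdir -p /etc/security/keytabs/node{1..5}
#   kadmin_batch HADOOP.COM /etc/security/keytabs "node1 node2 node3 node4 node5" hdfs HTTP | kadmin.local
# then scp /etc/security/keytabs/nodeN/hdfs.service.keytab to nodeN only,
# chown it to the hdfs user, chmod 400 it, and verify with: klist -kt <keytab>
# Demo with two hosts (prints the batch instead of feeding it to kadmin.local):
kadmin_batch HADOOP.COM /etc/security/keytabs "node1 node2" hdfs HTTP
```

Feeding the generated batch to kadmin.local on the KDC creates the principals and writes each host's keytab under its own directory; keytab_mode_ok is the check to run on each node after the copy, since a keytab readable by other local users is as good as a shared password.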
