Integrating Kerberos authentication with Ambari

Posted by Blog of JackerWang on June 6, 2018

Commonly used Kerberos commands

# Enter the KDC admin console
kadmin.local (no password required, but must be run locally on the KDC)
kadmin (requires a password)

# Once in the admin console, list all principals
kadmin.local: listprincs

Setting up the KDC server

1 Disable the firewall and SELinux

2 Install the packages

yum install krb5-server krb5-libs krb5-workstation

KDC server configuration

vim /etc/krb5.conf (configuration file used by both the KDC server and the clients)

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 720h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = ENABLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
ENABLE.COM = {
  kdc = KDC server hostname or IP
  admin_server = KDC server hostname or IP
}

[domain_realm]
 .enable.com = ENABLE.COM
 enable.com = ENABLE.COM

vim /var/kerberos/krb5kdc/kdc.conf (configuration used only by the KDC server)

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 ENABLE.COM ={
  master_key_type = des3-hmac-sha1
  database_name = /var/kerberos/krb5kdc/principal
  key_stash_file = /var/kerberos/krb5kdc/.ENABLE.COM
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  kdc_ports = 750,88
  max_life = 2d 0h 2m 0s
  max_renewable_life = 500d 0h 0m 0s
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Create the database with kdb5_util (the realm given to -r must match default_realm in krb5.conf and the realm defined in kdc.conf, ENABLE.COM here; -s stashes the master key so the KDC can start without prompting for it)

kdb5_util create -r ENABLE.COM -s

Remember the master password you enter during this step!!!
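Before creating the database it is worth checking that the two files written above agree with each other and with the realm passed to kdb5_util, and which enctypes the KDC will issue keys for. The following is an added example, not code from the original post: it reads a krb5.conf and a kdc.conf (constructed sample copies of the post's files are embedded so it runs offline), verifies that default_realm is one of the realms kdc.conf defines, and lists every DES, 3DES or RC4 enctype named in master_key_type or supported_enctypes, all of which are deprecated (RFC 6649 for single DES, RFC 8429 for 3DES and RC4). Only POSIX sed, awk, sort and grep are assumed.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check krb5.conf and kdc.conf
# before running kdb5_util. Assumes the MIT file layout shown above and POSIX tools only.

# Print the default_realm value from a krb5.conf
krb5_default_realm() {
  sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# Print the realm names defined in the [realms] section of a kdc.conf
kdc_realms() {
  awk '
    /^\[/ { in_realms = ($0 ~ /^\[realms\]/); next }
    in_realms && /^[[:space:]]*[A-Za-z0-9._-]+[[:space:]]*=[[:space:]]*[{]/ {
      sub(/^[[:space:]]*/, ""); sub(/[[:space:]]*=.*/, ""); print
    }' "$1"
}

# Exit 0 when krb5.conf's default_realm is one of the realms kdc.conf defines
realm_consistent() {
  want=$(krb5_default_realm "$1")
  [ -n "$want" ] && kdc_realms "$2" | grep -qx "$want"
}

# Print (sorted, unique) every DES, 3DES or RC4 enctype named in master_key_type or
# supported_enctypes of a kdc.conf; an empty result means only AES-family enctypes remain
weak_enctypes() {
  awk '
    /^[[:space:]]*master_key_type[[:space:]]*=/ {
      sub(/.*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, "")
      if ($0 ~ /^(des|arcfour)/) print
    }
    /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
      sub(/.*=[[:space:]]*/, "")
      n = split($0, t, /[[:space:]]+/)
      for (i = 1; i <= n; i++) { split(t[i], e, ":"); if (e[1] ~ /^(des|arcfour)/) print e[1] }
    }' "$1" | LC_ALL=C sort -u
}

# Constructed sample files mirroring the post's configuration (not taken from a live system)
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = ENABLE.COM
[realms]
ENABLE.COM = {
  kdc = kdc.enable.com
}
EOF
cat > "$SAMPLE_DIR/kdc.conf" <<'EOF'
[kdcdefaults]
 kdc_ports = 88
[realms]
 ENABLE.COM ={
  master_key_type = des3-hmac-sha1
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# Report on a krb5.conf/kdc.conf pair; exit 0 only when the realm matches and no weak enctype is listed
audit_kdc_config() {
  realm=$(krb5_default_realm "$1")
  echo "default_realm: $realm  (create the database with: kdb5_util create -r $realm -s)"
  status=0
  if realm_consistent "$1" "$2"; then
    echo "realm check: OK"
  else
    echo "realm check: MISMATCH, kdc.conf defines: $(kdc_realms "$2" | tr '\n' ' ')"
    status=1
  fi
  weak=$(weak_enctypes "$2")
  if [ -n "$weak" ]; then
    echo "deprecated enctypes (replace with aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal):"
    echo "$weak" | sed 's/^/  /'
    status=1
  else
    echo "enctype check: OK"
  fi
  return $status
}

audit_kdc_config "$SAMPLE_DIR/krb5.conf" "$SAMPLE_DIR/kdc.conf" || echo "fix the configuration before running kdb5_util create"
```

Run it against the real files with `audit_kdc_config /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf`. Against the post's kdc.conf it reports all five enctypes; the AES names printed in the hint are the MIT enctype identifiers to put in supported_enctypes and master_key_type instead, and they require the unlimited-strength JCE policy on the Java nodes configured later on this page.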

Start the services and enable them at boot

 service krb5kdc start
 service kadmin start
 chkconfig krb5kdc on
 chkconfig kadmin on

Create the KDC admin principal

kadmin.local
kadmin.local: addprinc admin/admin
kadmin.local: (enter the password for admin/admin)
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin

Configure the JCE unlimited-strength policy on the nodes (must be done on every node)

Download links:

jdk1.8

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

jdk1.7

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

unzip -o -j -q jce_policy-8.zip -d $JAVA_HOME/jre/lib/security/

Enable Kerberos through Ambari

Steps in the Ambari UI

1 Choose to use an existing KDC

2 Fill in the KDC host

Finally run the test.

Once the test passes, Ambari stops all services, modifies the relevant configuration files automatically, and then you just wait for all services to come back up.

Create principals and add keytabs

The following is a script for adding principals in batch

#!/bin/bash
# Username of the principal to add
user=alogic
# Password of the KDC's root/admin principal
passwd=1234
# FQDN of this node; the principal created is ${user}/${hostname}
hostname=$(hostname -f)

# Run the kadmin commands on the KDC host over ssh. ${user}, ${hostname} and ${passwd} are
# expanded locally before the command string is sent; the inner single quotes reach the remote
# shell as-is. Extra ssh options can be passed as arguments to this script.
ssh 192.168.1.137 -p 2200 -t $* "
sudo /usr/bin/kadmin -p root/admin -w ${passwd} -q 'ank -randkey ${user}/${hostname}';
sudo /usr/bin/kadmin -p root/admin -w ${passwd} -q 'xst -k /etc/security/keytabs/${user}.app.keytab ${user}/${hostname}';
sudo su - alogic -c 'kinit -kt /etc/security/keytabs/${user}.app.keytab ${user}/${hostname}; klist'
"
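The xst step above writes the keytab as the invoking (sudo) user, and a keytab is equivalent to the principal's long-term key: whoever can read the file can obtain that principal's tickets with kinit -kt exactly as the script does. The following is an added example, not code from the original post, showing how to hand the keytab to the service user and verify that nothing else can read it. It assumes only POSIX ls, awk, chown and chmod; keytab_principals additionally assumes klist from krb5-workstation. The demo runs on a constructed placeholder file owned by the current user, not a real keytab.

```sh
#!/bin/sh
# Added example (not part of the original post): restrict a keytab to its service user
# after 'kadmin ... xst -k <keytab>' and check the result. Assumes POSIX tools only.

# Print "<mode-string> <owner>" for a file, e.g. "-rw-r--r-- root"
file_mode_owner() {
  ls -ld "$1" | awk '{ print $1, $3 }'
}

# Exit 0 when the keytab exists, is owned by $2 and grants nothing to group or other
keytab_perms_ok() {
  [ -e "$1" ] || return 1
  info=$(file_mode_owner "$1")
  mode=${info%% *}
  owner=${info#* }
  [ "$owner" = "$2" ] || return 1
  # characters 5-10 of the mode string are the group and other permission bits;
  # a trailing "." or "+" (SELinux context / ACL marker) is tolerated
  case "$mode" in
    ????------*) return 0 ;;
    *) return 1 ;;
  esac
}

# Give the keytab to the service user and drop every permission except owner read
secure_keytab() {
  chown "$2" "$1" && chmod 400 "$1"
}

# List the principals stored in a keytab (requires klist; not exercised in the demo below)
keytab_principals() {
  klist -kt "$1" | awk 'NR > 3 { print $NF }' | LC_ALL=C sort -u
}

# Demo on a constructed placeholder file owned by the current user (not a real keytab)
SERVICE_USER=$(id -un)
KEYTAB=$(mktemp)
chmod 644 "$KEYTAB"   # the loose mode a careless copy would leave behind
if keytab_perms_ok "$KEYTAB" "$SERVICE_USER"; then
  echo "before: ok"
else
  echo "before: $(file_mode_owner "$KEYTAB") is readable by others"
fi
secure_keytab "$KEYTAB" "$SERVICE_USER"
if keytab_perms_ok "$KEYTAB" "$SERVICE_USER"; then
  echo "after:  $(file_mode_owner "$KEYTAB") ok"
fi
rm -f "$KEYTAB"
```

On a real node the calls would be `secure_keytab /etc/security/keytabs/alogic.app.keytab alogic` followed by `keytab_perms_ok ... alogic` and `keytab_principals ...` to confirm the file holds only the expected alogic/<fqdn> entry; the check can be run periodically to catch keytabs that were re-exported or copied with default permissions.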