Server list:
10.29.200.241 testhadoop-01
10.81.51.210 testhadoop-02
10.81.75.23 testhadoop-03
10.81.66.119 testhadoop-04
10.81.88.137 testhadoop-05
1. Install the KDC service on the testhadoop-02 server
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
2. Edit the /etc/krb5.conf configuration file (the lines marked with # must be commented out; otherwise, after installation the Hive client fails with java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS])
3. Edit the /var/kerberos/krb5kdc/kadm5.acl configuration

5. Create the Kerberos database on the testhadoop-02 server: kdb5_util create -r FAYSON.COM -s (database password: 123456)
6. Create the Kerberos administrator account (Kerberos administrator password: 123456)
[root@testhadoop-02 ~]# kadmin.local
Authenticating as principal root/admin@FAYSON.COM with password.
kadmin.local: addprinc admin/admin@FAYSON.COM
WARNING: no policy specified for admin/admin@FAYSON.COM; defaulting to no policy
Enter password for principal "admin/admin@FAYSON.COM":
Re-enter password for principal "admin/admin@FAYSON.COM":
Principal "admin/admin@FAYSON.COM" created.
kadmin.local: exit
7. Enable the krb5kdc and kadmin services so they start on boot, then start them
[root@testhadoop-02 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@testhadoop-02 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@testhadoop-02 ~]# systemctl start krb5kdc
[root@testhadoop-02 ~]# systemctl start kadmin
8. Install the Kerberos client packages on every node of the cluster, including the Cloudera Manager host
Run the following shell command on all nodes with a batch script: yum -y install krb5-libs krb5-workstation
Distribute the /etc/krb5.conf configuration file from testhadoop-02 to the /etc directory of every node in the cluster.
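Added example, not from the original post: a script that renders the /etc/krb5.conf for the FAYSON.COM realm served by testhadoop-02 (step 2), checks it before distribution, and copies it to every host in the server list (step 8). The post does not name the line that must stay commented out; this example assumes it is the CentOS 7 default `default_ccache_name = KEYRING:persistent:%{uid}`, since Hadoop's Java clients cannot read KEYRING credential caches and that setting is the usual cause of the "Client cannot authenticate via:[TOKEN, KERBEROS]" error.

```shell
#!/usr/bin/env bash
# Added example. Assumption: the line to keep commented out is CentOS 7's default
# "default_ccache_name = KEYRING:persistent:%{uid}" (Java clients cannot read KEYRING caches).
set -eu
REALM="FAYSON.COM"
KDC_HOST="testhadoop-02"
CLUSTER_HOSTS="testhadoop-01 testhadoop-02 testhadoop-03 testhadoop-04 testhadoop-05"
# Print a minimal krb5.conf for the realm to stdout (KEYRING line kept commented out).
render_krb5_conf() {
  cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ${REALM}
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ${REALM} = {
  kdc = ${KDC_HOST}
  admin_server = ${KDC_HOST}
 }
EOF
}

# Succeed (return 0) only if the file in $1 has no active KEYRING ccache setting.
check_no_keyring_ccache() {
  ! grep -Eq '^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KEYRING' "$1"
}

# Step 8: once the check passes, copy the file to /etc on every node
# (needs root ssh access to each host; not invoked by the checks below).
push_krb5_conf() {
  tmp=$(mktemp)
  render_krb5_conf > "$tmp"
  check_no_keyring_ccache "$tmp"
  for host in $CLUSTER_HOSTS; do
    scp "$tmp" "root@${host}:/etc/krb5.conf"
  done
  rm -f "$tmp"
}
```

Run `push_krb5_conf` from testhadoop-02 after the KDC is up; the check aborts the push if an uncommented KEYRING setting slipped back into the rendered file.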
9. Enable Kerberos on the CDH cluster
1. In the KDC (testhadoop-02), add an administrator account for Cloudera Manager
[root@testhadoop-02 shell]# kadmin.local
Authenticating as principal admin/admin@FAYSON.COM with password.
kadmin.local: addprinc cloudera-scm/admin@FAYSON.COM
WARNING: no policy specified for cloudera-scm/admin@FAYSON.COM; defaulting to no policy
Enter password for principal "cloudera-scm/admin@FAYSON.COM":
Re-enter password for principal "cloudera-scm/admin@FAYSON.COM":
Principal "cloudera-scm/admin@FAYSON.COM" created.
kadmin.local: exit
2. In Cloudera Manager, open the "Administration" -> "Security" page
3. Select "Enable Kerberos"; the following screen appears
5. Click "Continue" and fill in the KDC information: the KDC type, the KDC server host, the KDC realm, the encryption types, and the renewable lifetime of the service principals to be created (hdfs, yarn, hbase, hive, and so on)
6. Letting Cloudera Manager manage krb5.conf is not recommended; leave that unchecked and click "Continue"
7. Enter the Kerberos administrator account for Cloudera Manager; it must match the account created earlier. Click "Continue"
8. Click "Continue" to enable Kerberos
9. Once Kerberos has been enabled, click "Continue"
10. Once the cluster restart has completed, click "Continue"
11. Click "Continue"
Click "Finish"; Kerberos is now enabled.
12. Back on the home page everything is healthy; open "Administration" -> "Security" again and the page reports "Kerberos has been successfully enabled".
If problems come up during installation, the following link may help:
https://www.cnblogs.com/barneywill/p/10398663.html
After the integration, a count query run from the Hive client failed; the error reported that the corresponding directory under /dfs/data1/yarn/nm/usercache lacked permission to create files. The final fix was to delete the usercache directory on every machine and restart the CM cluster.