一、准备环境

[root@poc1 ~]# cat /etc/hosts
192.168.0.126 poc1.xuncetehch.com poc1
192.168.0.127 poc2.xuncetehch.com poc2
192.168.0.128 poc3.xuncetehch.com poc3

二、软件安装

2.1服务端安装
[root@poc1 ~]# yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
2.2编辑配置文件（注意：[realms] 中 kdc/admin_server 的主机名必须与 /etc/hosts 以及 [domain_realm] 中的域名拼写一致，否则客户端无法定位 KDC）
[root@poc1 ~]# vim /etc/krb5.conf
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = aes256-cts
 default_tkt_enctypes = aes256-cts
 permitted_enctypes = aes256-cts
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_realm = XUNCETECH.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 kdc_timeout = 3000

[realms]
 XUNCETECH.COM = {
  kdc = poc1.xuncetehch.com
  admin_server = poc1.xuncetehch.com
 }

[domain_realm]
 .xuncetech.com = XUNCETECH.COM
  xuncetech.com = XUNCETECH.COM

2.3配置kdc
[root@poc1 ~]# vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 XUNCETECH.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

2.4客户端安装
# yum install krb5-devel krb5-workstation -y
2.5将服务端的krb5.conf分别拷贝至各客户端
# scp /etc/krb5.conf opadm@192.168.0.127:/tmp/        //scp至远端客户端
# scp /etc/krb5.conf opadm@192.168.0.128:/tmp/        //scp至远端客户端

#在客户端上，如果有root权限可直接拷贝至对应目录
# cp /tmp/krb5.conf /etc/

三、配置节点添加ACL权限

[root@poc1 ~]# vim /var/kerberos/krb5kdc/kadm5.acl            //只需要在服务端做配置
*/admin@XUNCETECH.COM *

四、服务初始化

[root@poc1 ~]# kdb5_util create -s -r XUNCETECH.COM        //直接回车创建
[root@poc1 ~]# ll /var/kerberos/krb5kdc        //生成如下6个文件则初始化正确
总用量 24
-rw------- 1 root root 24 8月 13 16:46 kadm5.acl
-rw------- 1 root root 453 8月 13 16:44 kdc.conf
-rw------- 1 root root 8192 8月 13 16:47 principal
-rw------- 1 root root 8192 8月 13 16:47 principal.kadm5
-rw------- 1 root root 0 8月 13 16:47 principal.kadm5.lock
-rw------- 1 root root 0 8月 13 16:47 principal.ok

五、启动服务

[root@poc1 ~]# systemctl start krb5kdc.service
[root@poc1 ~]# systemctl start kadmin.service

开机自启动
[root@poc1 ~]# systemctl enable krb5kdc.service
[root@poc1 ~]# systemctl enable kadmin.service

六、创建管理账号

执行以下命令，按提示输入密码（本例中密码为6zI2MfUcIl7）
[root@cdh-master ~]# kadmin.local -q "addprinc admin/admin"     //可以通过listprincs查询

#测试管理账号(slave端执行)
[root@poc2 cloudera-scm-agent]# kinit admin/admin@XUNCETECH.COM

七、KDC添加Cloudera Manager管理员账号

  • 以下操作仅限于CDH集群的配置
按提示设置密码（本例中密码为6zI2MfUcIl7）
[root@poc1 ~]# kadmin.local -q "addprinc cloudera-scm/admin@XUNCETECH.COM"

八、启用 Kerberos

  • 如果安装了CDH集群，在CDH中使用第七步创建的kerberos账号和密码完成认证，然后启用kerberos

  • CDH在启动kerberos后会创建对应的用户

九、生成kerberos用户

Authenticating as principal root/admin@XUNCETECH.COM with password.
kadmin.local:
addprinc -randkey hdfs/xiangys0134-haddop01
addprinc -randkey http/xiangys0134-haddop01
addprinc -randkey yarn/xiangys0134-haddop01
addprinc -randkey hdfs/xiangys0134-haddop02
addprinc -randkey http/xiangys0134-haddop02
addprinc -randkey yarn/xiangys0134-haddop02
addprinc -randkey hdfs/xiangys0134-haddop03
addprinc -randkey http/xiangys0134-haddop03
addprinc -randkey yarn/xiangys0134-haddop03

十、查看认证信息

[root@node2 opadm]# kadmin.local
kadmin.local: listprincs

[root@xiangys0134-haddop03 krb]# kinit -kt admin.keytab hdfs/xiangys0134-haddop01@XUNCETECH.COM    //通过keytab进行认证
[root@xiangys0134-haddop03 krb]# kinit cloudera-scm/admin@XUNCETECH.COM        //通过用户名进行认证
[root@xiangys0134-haddop03 krb]# klist         //客户端查看当前的认证用户
Ticket cache: KEYRING:persistent:0:0
Default principal: cloudera-scm/admin@XUNCETECH.COM

Valid starting Expires Service principal
2020-04-21T09:50:18 2020-04-22T09:50:18 krbtgt/XUNCETECH.COM@XUNCETECH.COM

十一、导出keytab

[root@xiangys0134-cdh01 test]# kadmin.local
xst -k admin.keytab hdfs/xiangys0134-haddop01@XUNCETECH.COM
xst -k admin.keytab hdfs/xiangys0134-haddop02@XUNCETECH.COM
xst -k admin.keytab hdfs/xiangys0134-haddop03@XUNCETECH.COM
xst -k admin.keytab http/xiangys0134-haddop01@XUNCETECH.COM
xst -k admin.keytab http/xiangys0134-haddop02@XUNCETECH.COM
xst -k admin.keytab http/xiangys0134-haddop03@XUNCETECH.COM
xst -k admin.keytab yarn/xiangys0134-haddop01@XUNCETECH.COM
xst -k admin.keytab yarn/xiangys0134-haddop02@XUNCETECH.COM
xst -k admin.keytab yarn/xiangys0134-haddop03@XUNCETECH.COM

十二、查看keytab的用户

#如果拿到一个陌生的keytab文件，可以通过以下方法查询其中包含的具体用户
[root@xiangys0134-haddop02 krb]# klist -kte admin.keytab
Keytab name: FILE:admin.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (aes256-cts-hmac-sha1-96) 
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (aes128-cts-hmac-sha1-96) 
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (des3-cbc-sha1) 
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (arcfour-hmac) 
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (camellia256-cts-cmac) 
   2 2020-04-20T17:11:34 hdfs/xiangys0134-haddop01@XUNCETECH.COM (camellia128-cts-cmac)
...
最后修改日期: 2020年4月30日
