今天需要在hbase上配置kerberos认证,所以需要安装kerberos,安装配置过程如下:
kerberos简介
kerberos简单来说就是一套完全控制机制,它有一个中心服务器(KDC),KDC中有数据库,你可以往里添加各种“人”以及各种“服务”的“身份证”,当某个人要访问某个服务时,他拿着自己的“身份证”联系KDC并告诉KDC他想要访问的服务,KDC经过一系列验证步骤,最终依据验证结果允许/拒绝这个人访问此服务。
kerberos server配置
安装
#yum install krb5-libs krb5-server krb5-workstation
配置
1)#vim /etc/krb5.conf
注意在/etc/krb5.conf文件中,最后的YOUR.DOMAIN_NAME = {
admin_server=mj1
kdc = mj1
}
这里的mj1必须是在/etc/hosts中配置过的域名,我的/etc/hosts的内容如下:
否则在后期的kinit admin/admin命令中,将出现错误如下:
2)#vim /var/kerberos/krb5kdc/kdc.conf
3)#vim /var/kerberos/krb5kdc/kadm5.acl
这个文件是用来控制哪些人可以使用kadmin工具来管理kerberos数据库,我这里就配了一行:
*/admin@MH.COM *
其中前一个*号是通配符,表示像名为“abc/admin”或“xxx/admin”的人都可以使用此工具(远程或本地)管理kerberos数据库,后一个*跟权限有关,*表示所有权限
4)#kdb5_util create -s初始化一个kerberos数据库。
5)现在数据库是空的,想要使用kadmin添加一个人到数据库中,这是需要权限的,那么最开始的那一个人是怎么加到数据库中的?这就需要kadmin.local这个工具,这个工具只能在kerberos server上执行(类似于oracle中的sys用户无密码登录)。
#kadmin.local -q "addprinc admin/admin"
我这里把管理员叫“admin/admin”,你可以叫任何名字,但是因为此前我们在kadm5.acl中的配置,名字必须以/admin结尾。过程中会提示你输入两次密码,记住这个密码,当你在别的机器连接kadmin时,需要这个密码。
启动
- #service krb5kdc start
- #service kadmin start
- #chkconfig krb5kdc on
- #chkconfig kadmin on
验证
- #kinit admin/admin
如果kinit不带参数,则会默认以当前操作系统用户名,比如root,作为名称。因为root在kerberos的数据库中并没有,所以会提示失败
成功的话,会让你输入之前设定的密码。- #klist
正常应该显示如下:
以下这两个应该不是必须的,与兼容性有关,ktadd命令会把“身份证”写入到文件(.keytab后缀),可以指定keytab文件,如不指定,默认写入/etc/krb5.keytab
- kadmin.local: ktadd kadmin/admin
- kadmin.local: ktadd kadmin/changepw
其它一些命令
- #kdestroy,退出当前kerberos用户,即你最后使用kinit过的那个用户
- kadmin.local>listprincs 列出所有存在数据库中的人或服务
- kadmin.local>delprinc zookeeper/kbhbase1.mh.com@MH.COM 删除人或服务
- kadmin.local>addprinc admin/admin 添加人或服务
- kadmin.local>q 退出kadmin
- kadmin: addprinc -randkey root/kbhbase1.mh@MH.COM
- kadmin: xst -k root.keytab root/kbhbase1.mh.com
- # klist -kt root.keytab 列出这个keytab中保存的所有人或服务
一般在实例使用中通过kinit的方式较少,因为每次都要输入密码,所以更经常使用的是keytab文件,相当于为某个人或服务生成一个密码,并放在文件中,程序中则指向这个keytab,不用每次都输入密码。
hbase配置kerberos环境准备:本机上都装好了hadoop,zookeeper,hbase,版本如下:
hadoop:2.7.2
hbase:1.2.1
同时检查了在没有启动kerberos的情况下,hbase工作正常。
- 禁用selinux
#vim /etc/sysconfig/selinux 设置SELINUX=disabled,并重启
- 安装JCE
从Oracle网站下载JCE(Java Cryptography Extension)补丁,此补丁与AES-256加密有关。下载解压之后,把得到的两个jar文件local_policy.jar,US_export_policy.jar拷贝到$JAVA_HOME/ jre/lib/security下进行覆盖。
Hadoop配置
创建keytab
输入kadmin.local进入kadmin.local的命令行(记住kerberos的服务必须起来),如下:
之后便可以进入kadmin.local的命令行:
在kerberos服务器上创建用户:
addprinc -randkey root/mj1@YOUR.DOMAIN_NAME
其中的root随便起,后面的mj1.bdsm.cmcc为你的主机域名,后面的@YOUR.DOMAIN_NAME是你当初配置kerberos时定义的。
在当前目录下生成root.keytab文件
xst -k root.keytab root/mj1
之后拷贝root.keytab文件到hadoop的配置目录,在我的机器上是:/opt/hadoop-2.7.2//etc/hadoop
cp root.keytab /opt/hadoop-2.7.2/etc/hadoop/
修改/opt/hadoop-2.7.2/etc/hadoop/core-site.xml
修改/opt/hadoop-2.7.2/etc/hadoop/hadoop-env.sh
- export HADOOP_SECURE_DN_USER=root
- export JSVC_HOME=/usr/local/hadoop-2.6.0/libexec/
关于JSVC,默认指向hadoop安装目录的libexec下,但我的libexec下并没有jsvc文件(我的hadoop是直接下载的tar.gz包,不是rpm安装),google搜索jsvc,然后在apache网站下载源代码包以及bin包,我下的是commons-daemon-1.0.15-src.tar.gz及commons-daemon-1.0.15-bin.tar.gz,先解压src包后进入src/native/unix目录依次执行 ./configure命令, make命令,这样会在当前目录下生成一个叫jsvc的文件,把它拷贝到hadoop目录下的libexec下。 再解压bin包,然后把得到的commons-daemon-1.0.15.jar 文件拷贝到hadoop安装目录下share/hadoop/hdfs/lib下,同时删除自带版本的commons-daemon-xxx.jar包。
修改hdfs-site.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?><!--Licensed under the Apache License, Version 2.0 (the "License");you may not use this file except in compliance with the License.You may obtain a copy of the License athttp://www.apache.org/licenses/LICENSE-2.0Unless required by applicable law or agreed to in writing, softwaredistributed under the License is distributed on an "AS IS" BASIS,WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.See the License for the specific language governing permissions andlimitations under the License. See accompanying LICENSE file.
--><!-- Put site-specific property overrides in this file. --><configuration>
<property><name>dfs.replication</name><value>1</value></property><property><name>dfs.namenode.name.dir</name><value>file:/opt/hadoop-2.7.2/dfs/name</value></property><property><name>dfs.datanode.data.dir</name><value>file:/opt/hadoop-2.7.2/dfs/data</value></property><property> <name>dfs.permissions</name><value>true</value></property>
<property><name>dfs.permissions.enabled</name><value>true</value></property><property><name>dfs.namenode.inode.attributes.provider.class</name><value>org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer</value></property><!--add for kerberos--><property><name>dfs.https.address</name><value>mj1:50470</value></property><property><name>dfs.https.port</name><value>50470</value></property><property><name>dfs.namenode.keytab.file</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value></property><property><name>dfs.namenode.kerberos.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.namenode.keytab.file</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value></property><property><name>dfs.namenode.kerberos.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.namenode.kerberos.https.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.secondary.https.address</name><value>mj1:50495</value></property><property><name>dfs.secondary.https.port</name><value>50495</value></property><property><name>dfs.secondary.namenode.keytab.file</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value></property><property><name>dfs.secondary.namenode.kerberos.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.secondary.namenode.kerberos.https.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value>
</property><property><name>dfs.datanode.data.dir.perm</name><value>700</value></property><property><name>dfs.datanode.address</name><value>mj1:1003</value></property><property><name>dfs.datanode.http.address</name><value>mj1:1007</value></property><property><name>dfs.datanode.https.address</name><value>mj1:1005</value></property><property><name>dfs.datanode.keytab.file</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value></property><property><name>dfs.datanode.kerberos.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.datanode.kerberos.hppts.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value></property><property><name>dfs.web.authentication.kerberos.principal</name><value>root/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME</value></property><property><name>dfs.web.authentication.kerberos.keytab</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value></property><property><name>dfs.datanode.require.secure.ports</name><value>false</value></property></configuration>
修改yarn-site.xml
<configuration><!-- Site specific YARN configuration properties -->
<property>
<name>mapredure.framework.name</name>
<value>yarn</value>
</property>
<!--property>
<name>yarn.nodemanager.aux-services</name>
<value>mapredure_shuffle</value>
</property-->
<!--add for kerberos-->
<property><name>yarn.resourcemanager.keytab</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value>
</property>
<property><name>yarn.resourcemanager.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value>
</property>
<property><name>yarn.nodemanager.keytab</name><value>/opt/hadoop-2.7.2/etc/hadoop/root.keytab</value>
</property>
<property><name>yarn.nodemanager.principal</name><value>root/mj1@YOUR.DOMAIN_NAME</value>
</property>
<!--end adding for kerberos -->
</configuration>• 配置container-executor.cfg
将container-executor.cfg移动到/etc
mv /opt/hadoop-2.7.2/etc/hadoop/container-executor.cfg /etc
修改container-executor.cfg配置
内容如下:
<strong>yarn.nodemanager.linux-container-executor.group=root
banned.users=#comma separated list of users who can not run applications
min.user.id=499
allowed.system.users=##comma separated list of system users who CAN run applications
</strong>• 将container-executor拷贝到/opt/hadoop-2.6.0/bin,然后执行以下内容
<strong>chown root:hadoop container-executor /etc/container-executor.cfg</strong>chmod 4750 container-executor
<strong>chmod 400 /etc/container-executor.cfg
</strong>HBase配置
创建keytab
- kadmin: addprinc -randkey hbase/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME
- kadmin: xst -k hbase.keytab hbase/mj1.bdsm.cmcc
将生成的文件拷贝到hbase配置目录/opt/hbase-1.2.1/conf
修改hbase-env.sh
- export HBASE_OPTS="-XX:+UseConcMarkSweepGC -Djava.security.auth.login.config=/usr/local/hbase-0.98.9-hadoop2/conf/zk-jaas.conf"
- export HBASE_MANAGES_ZK=false
修改hbase-site.xml
<configuration>
<property>
<name>hbase.rootdir</name>
<value>hdfs://mj1:9000/hbase</value>
</property>
<property>
<name>hbase.cluster.distributed</name>
<value>true</value>
</property>
<property>
<name>hbase.tmp.dir</name>
<value>/opt/hbase-1.2.1/tmp</value>
</property>
<property>
<name>hbase.zookeeper.quorum</name>
<value>localhost</value>
</property>
<property>
<name>hbase.zookeeper.property.dataDir</name>
<value>/opt/hbase-1.2.1/zookeeper</value>
</property>
<property><name>hbase.security.authorization</name><value>true</value></property><property><name>hbase.coprocessor.master.classes</name><value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value></property><property><name>hbase.coprocessor.region.classes</name><value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value></property>
<!-- add for kerberos-->
<property><name>hbase.regionserver.kerberos.principal</name><value>hbase/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME</value>
</property>
<property><name>hbase.regionserver.keytab.file</name><value>/opt/hbase-1.2.1/conf/hbase.keytab</value>
</property>
<property><name>hbase.master.kerberos.principal</name><value>hbase/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME</value>
</property>
<property><name>hbase.master.keytab.file</name><value>/opt/hbase-1.2.1/conf/hbase.keytab</value>
</property>
<property><name>hbase.security.authentication</name><value>kerberos</value>
</property>
<!--end adding for kerberos -->
</configuration>
之后,启动hbase,进入hbase shell界面,list总是出错:ERROR: Can't get master address from ZooKeeper; znode data == null
查看/opt/hbase-1.2.1/logs/hbase-root-master-mj1.bdsm.cmcc.log
找到错误如下:
2016-04-28 15:19:12,699 FATAL [mj1:16000.activeMasterManager] master.HMaster: Unhandled exception. Starting shutdown.
java.io.IOException: Failed on local exception: java.io.IOException: Couldn't setup connection for hbase/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME to mj1.bdsm.cmcc/10.2.41.236:9000; Host Details : local host is: "mj1.bdsm.cmcc/10.2.41.236"; destination host is: "mj1.bdsm.cmcc":9000; Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)]
安装zookeeper请看另一篇博客,接下来是为了kerberos修改zookeeper的配置文件
修改 zookeeper 配置文件
server.1=mj1.bdsm.cmcc:2888:3888
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=trueauthProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000创建 JAAS 配置文件
在/opt/zookeeper-3.4.8/conf目录创建 jaas.conf 文件,内容如下:
Server {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=truekeyTab="/opt/zookeeper-3.4.8/conf/zookeeper.keytab"storeKey=trueuseTicketCache=falseprincipal="zookeeper/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME";
};export JVMFLAGS="-Djava.security.auth.login.config=/opt/zookeeper-3.4.8/conf/jaas.conf"
export JAVA_HOME="/usr/lib/jvm/jdk1.7.0_67"
在hbase配置目录conf下的hbase-site.xml中,
<property>
<name>hbase.zookeeper.quorum</name>
<value>localhost</value>
</property>
<property>
<name>hbase.zookeeper.property.dataDir</name>
<!--<value>/opt/hbase-1.2.1/zookeeper</value>-->
<value>/opt/zookeeper-3.4.8</value>
</property>
export HBASE_MANAGES_ZK=false
注意hbase-site.xml中的
hbase.zookeeper.quorum在/opt/hbase-1.2.1/conf目录下创建文件zk-jaas.conf,内容如下:
Client {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=trueuseTicketCache=falsekeyTab="/opt/hbase-1.2.1/conf/hbase.keytab"principal="hbase/mj1.bdsm.cmcc@YOUR.DOMAIN_NAME";
};
hbase-env.sh需要添加如下:
export HBASE_OPTS="-XX:+UseConcMarkSweepGC"
export HBASE_OPTS="$HABSE_OPTS -Djava.security.auth.login.config=/opt/hbase-1.2.1/conf/zk-jaas.conf"
******************************************************************************************
但是遗憾的是,出现了新错误如下:
按照上面错误提示,在zkEnv.sh中间添加了SERVER_JVMFLAGS="-Dsun.net.spi.nameservice.provider.1=dns,sun"
之后又报错
2016-04-29 13:37:43,284 [myid:] - ERROR [main:ZooKeeperServerMain@63] - Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: mj1.bdsm.cmccat org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:82)at org.apache.zookeeper.server.ZooKeeperServerMain.runFromConfig(ZooKeeperServerMain.java:111)at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun(ZooKeeperServerMain.java:86)at org.apache.zookeeper.server.ZooKeeperServerMain.main(ZooKeeperServerMain.java:52)at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:78)
参考:http://www.tuicool.com/articles/uMVRFfb
http://www.tuicool.com/articles/YVbmIzm
http://blog.csdn.net/xiao_jun_0820/article/details/39375819
http://blackproof.iteye.com/blog/2023798
问题在五一之后解决,未完待续。。。。
