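Configuring Hadoop authentication in secure mode requires completing the following steps:
- Generate the Kerberos keys and credentials:

```
# Create the KDC database and stash the master key
kdb5_util create -s
# ktadd is a kadmin command, so it is run through kadmin.local here; each
# principal must already exist (for example, created with addprinc -randkey)
kadmin.local -q "ktadd -k /etc/security/keytabs/nn.service.keytab nn/hostname@REALM"
kadmin.local -q "ktadd -k /etc/security/keytabs/dn.service.keytab dn/hostname@REALM"
kadmin.local -q "ktadd -k /etc/security/keytabs/jhs.service.keytab jhs/hostname@REALM"
kadmin.local -q "ktadd -k /etc/security/keytabs/rm.service.keytab rm/hostname@REALM"
kadmin.local -q "ktadd -k /etc/security/keytabs/nm.service.keytab nm/hostname@REALM"
kadmin.local -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/hostname@REALM"
```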
- Configure the Kerberos client:

```
vi /etc/krb5.conf
```

```
[libdefaults]
  default_realm = REALM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 86400
  renew_lifetime = 604800
  forwardable = true
# The DES and RC4 enctypes listed below are deprecated for Kerberos
# (RFC 6649, RFC 8429); keep them only if a legacy client requires them.
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
  udp_preference_limit = 1

[realms]
  REALM = {
    kdc = kdc-hostname:88
    admin_server = kdc-hostname:749
  }

[domain_realm]
  .hostname = REALM
  hostname = REALM
```
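- Configure the Hadoop client:

```
vi $HADOOP_HOME/etc/hadoop/core-site.xml
```

```
<!-- Place each <property> inside the file's <configuration> element -->
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0](.*@REALM)s/@.*//
    DEFAULT
  </value>
</property>
```

```
vi $HADOOP_HOME/etc/hadoop/hdfs-site.xml
```

```
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>nn/hostname@REALM</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/etc/security/keytabs/nn.service.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>dn/hostname@REALM</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/etc/security/keytabs/dn.service.keytab</value>
</property>
```

```
vi $HADOOP_HOME/etc/hadoop/yarn-site.xml
```

```
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/etc/security/keytabs/rm.service.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>rm/hostname@REALM</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/etc/security/keytabs/nm.service.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>nm/hostname@REALM</value>
</property>
```

```
vi $HADOOP_HOME/etc/hadoop/mapred-site.xml
```

```
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/etc/security/keytabs/jhs.service.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>jhs/hostname@REALM</value>
</property>
```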
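- Start Kerberos and check that it succeeded:

```
krb5kdc && kadmind    # start the KDC and admin server daemons (kadmin.local has no "start" command)
kinit -kt /etc/security/keytabs/nn.service.keytab nn/hostname@REALM && klist    # a listed ticket confirms the KDC and keytab work
```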
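
The `krb5.conf` in the client step still lists `rc4-hmac`, `des-cbc-crc` and `des-cbc-md5`, which RFC 6649 and RFC 8429 deprecate for Kerberos. The audit below is an added example, not part of the original page: it parses `[libdefaults]` and reports which enctype settings still permit them. The function names and the embedded sample are constructed for illustration.

```python
import re

# Deprecated Kerberos enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_FAMILIES = {"des", "des3", "rc4"}
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# Constructed sample: the enctype settings from the krb5.conf on this page.
SAMPLE = """\
[libdefaults]
default_realm = REALM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
REALM = {
  kdc = kdc-hostname:88
}
"""

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, out = None, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def is_weak(enctype):
    """True for a DES, 3DES or RC4 entry; a leading '-' removes an enctype."""
    name = enctype.lower().lstrip("+")
    return name in WEAK_FAMILIES or name.startswith(WEAK_PREFIXES)

def audit(text):
    """Map each enctype setting to the weak enctypes it still permits."""
    conf, findings = parse_libdefaults(text), {}
    for key in ENCTYPE_KEYS:
        weak = [e for e in re.split(r"[\s,]+", conf.get(key, "")) if is_weak(e)]
        if weak:
            findings[key] = weak
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty result means none of the three settings names a DES, 3DES or RC4 enctype; settings that are absent fall back to the library defaults and are not reported.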