Ambari 配置dfs.http.policy=HTTPS_ONLY

1，生成 keystore

在其中一個節點上執行如下命令

openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=xxxx/OU=dt/CN=xxxx.com'

生成 hdfs_ca_key,hdfs_ca_cert

將hdfs_ca_key,hdfs_ca_cert拷貝到集羣中的每個節點上

分別登錄每個節點執行一下命令

mkdir tmp
cd tmp
cp ../hdfs_ca_key .
cp ../hdfs_ca_cert .

// 生成 keystore

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${本節點的fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"

//添加 CA 到 truststore

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert

//從 keystore 中導出 cert

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -certreq -alias localhost -keystore keystore -file cert

//用 CA 對 cert 簽名

openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial

//將 CA 的 cert 和用 CA 簽名之後的 cert 導入 keystore

/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
/usr/lib/jvm/java-1.8.0-openjdk/bin/keytool -keystore keystore -alias localhost -import -file cert_signed

將生成的文件拷貝到對應的目錄下

sudo mkdir /etc/https
sudo cp keystore /etc/https/keystore.jks
sudo cp truststore /etc/https/truststore.jks
sudo chmod 755 /etc/https
sudo chmod 644 /etc/https/keystore.jks
sudo chmod 644 /etc/https/truststore.jks

2，修改hdfs的配置

advanced hdfs-site選項中修改

dfs.datanode.address=0.0.0.0:61004
dfs.http.policy=HTTPS_ONLY

custom hdfs-site選項中添加

dfs.client.https.need-auth=false
dfs.data.transfer.protection=integrity

修改hadoop-env.sh,註釋以下內容

#On secure datanodes, user to run the datanode as after dropping privileges 
#export HADOOP_SECURE_DN_USER=

配置ssl-client.xml

<configuration>
 <property>
  <name>ssl.client.truststore.location</name>
  <value>/etc/https/truststore.jks</value>
  <description>Truststore to be used by clients like distcp. Must be specified.</description>
</property>
 <property>
  <name>ssl.client.truststore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".</description>
</property>
 <property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
  <name>ssl.client.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.Default value is 10000 (10 seconds).</description>
</property>
<property>
  <name>ssl.client.keystore.location</name>
  <value>/etc/https/keystore.jks</value>
  <description>Keystore to be used by clients like distcp. Must be specified.</description>
</property>
<property>
  <name>ssl.client.keystore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".</description>
</property>
<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
</configuration>

配置ssl-server.xml

<configuration>
 <property>
  <name>ssl.server.truststore.location</name>
  <value>/etc/https/truststore.jks</value>
  <description>Truststore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".</description>
</property>
 <property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.Default value is 10000 (10 seconds).</description>
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/etc/https/keystore.jks</value>
  <description>Keystore to be used by NN and DN. Must be specified.</description>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>adminadmin</value>
  <description>Must be specified.</description>
</property>
 <property>
  <name>ssl.server.keystore.keypassword</name>
  <value>adminadmin</value>
  <description>Must be specified.</description>
</property>
 <property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".</description>
</property>
</configuration>

爲Ambari_server設置truststore

ambari-server setup-security
Using python  /usr/bin/python2.6
Security setup options...
===========================================================================
Choose one of the following options:
  [1] Enable HTTPS for Ambari server.
  [2] Encrypt passwords stored in ambari.properties file.
  [3] Setup Ambari kerberos JAAS configuration.
  [4] Setup truststore.
  [5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): *4*
Do you want to configure a truststore [y/n] (y)? *y*
TrustStore type [jks/jceks/pkcs12] (jks): *jks*
Path to TrustStore file : /etc/https/truststore.jks
Password for TrustStore:
Re-enter password:
Ambari Server 'setup-security' completed successfully.

重啓ambari-server

ambari-server restart