Enabling Kerberos authentication on CDH

1. Cluster layout

Role                                          Host (IP, name)             Kerberos packages                                             Notes
CDH cluster (single node, Kerberos client)    192.168.56.161, cdh-node1   krb5-libs, krb5-workstation                                   CM server host additionally needs: openldap-clients
Kerberos (single node, Kerberos server/KDC)   192.168.56.162, cdh-node2   krb5-libs, krb5-workstation, krb5-auth-dialog, krb5-server    realm name: CDH.COM

a. Kerberos command-line tools

Purpose                                Command
Log in (obtain a TGT)                  kinit [-kt <keytab path>] <principal>
Show the current credential cache      klist [-e]
Enter the admin shell                  kadmin, kadmin.local
Destroy the credential cache           kdestroy

b. kadmin shell: change a principal's password, export a keytab

## On a Kerberos client: kadmin (talks to kadmind over the network and authenticates with a password; the principal must be granted rights in kadm5.acl)
## On the Kerberos server: kadmin.local (opens the KDC database directly as root, no authentication)
## Caveat for ktadd below: it generates a fresh random key for the principal and bumps its kvno, so every keytab
## previously exported for that principal (including the ones CM deploys under its process directories) stops
## working until the service's keytab is regenerated. To export the existing key unchanged use ktadd -norandkey,
## which is only available in kadmin.local.
[root@cdh-node1 ~]# kadmin
Authenticating as principal scmroot/[email protected] with password.
Password for scmroot/[email protected]: 
kadmin:  ?
Available kadmin requests:
add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.

kadmin:  change_password 
usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal

kadmin:  change_password scmroot/[email protected]
Enter password for principal "scmroot/[email protected]": 
Re-enter password for principal "scmroot/[email protected]": 
Password for "scmroot/[email protected]" changed.

kadmin:  listprincs 
HTTP/[email protected]
hbase/[email protected]

kadmin:  ktadd 
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]

kadmin:  ktadd -k /root/hbae.keytab hbase/[email protected]
Entry for principal hbase/[email protected] with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/root/hbae.keytab.
Entry for principal hbase/[email protected] with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/root/hbae.keytab.
Entry for principal hbase/[email protected] with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:/root/hbae.keytab.
Entry for principal hbase/[email protected] with kvno 3, encryption type arcfour-hmac added to keytab WRFILE:/root/hbae.keytab.
Entry for principal hbase/[email protected] with kvno 3, encryption type des-hmac-sha1 added to keytab WRFILE:/root/hbae.keytab.
Entry for principal hbase/[email protected] with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:/root/hbae.keytab.
kadmin:  quit

[root@cdh-node1 ~]# ls /root/hbae.keytab 
/root/hbae.keytab
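An added check, not part of the original post, for the keytab just exported: it parses `klist -kte` output, flags the DES/3DES/RC4 entries visible in the ktadd output above, and compares the kvno in the exported keytab with the kvno in the keytab the service actually runs with, which is how you notice that ktadd rotated the key on the KDC. Both klist outputs are constructed to match the post; the principal hbase/cdh-node1@CDH.COM, the kvno values and the CM keytab path are assumptions, not the post's data.

```shell
#!/usr/bin/env bash
# keytab_audit.sh: audit `klist -kte` output for weak enctypes and for a
# kvno that no longer matches the keytab the service runs with.
# Added example, not from the original post. Real usage:
#   klist -kte /root/hbae.keytab                                    > exported.txt
#   klist -kte /opt/cm-5.12.2/run/cloudera-scm-agent/process/82-hbase-REGIONSERVER/hbase.keytab > deployed.txt
# and pass the file contents to the functions below.
set -u

# Constructed `klist -kte` output for the keytab exported with ktadd above
# (principal hbase/cdh-node1@CDH.COM is an assumption; the realm is the post's).
EXPORTED_KLIST='Keytab name: FILE:/root/hbae.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (aes256-cts-hmac-sha1-96)
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (aes128-cts-hmac-sha1-96)
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (des3-cbc-sha1)
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (arcfour-hmac)
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (des-hmac-sha1)
   3 01/20/20 02:40:11 hbase/cdh-node1@CDH.COM (des-cbc-md5)'

# Constructed output for the keytab CM deployed earlier: still at kvno 2,
# because ktadd generated a fresh key on the KDC and bumped the kvno to 3.
DEPLOYED_KLIST='Keytab name: FILE:/opt/cm-5.12.2/run/cloudera-scm-agent/process/82-hbase-REGIONSERVER/hbase.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 01/19/20 10:02:37 hbase/cdh-node1@CDH.COM (aes256-cts-hmac-sha1-96)
   2 01/19/20 10:02:37 hbase/cdh-node1@CDH.COM (aes128-cts-hmac-sha1-96)'

# Print the enctype of every entry that uses DES, 3DES or RC4 (deprecated by
# RFC 6649 and RFC 8429), one per line.  $1: klist -kte output.
weak_enctypes() {
  printf '%s\n' "$1" | awk '
    /^ *[0-9]+ / { enc = $NF; gsub(/[()]/, "", enc)
                   if (enc ~ /^(des|des3|arcfour)/) print enc }'
}

# Print the kvno a keytab holds for a principal: a number, "mixed" when the
# entries disagree, "absent" when the principal is not in the keytab.
# $1: klist -kte output, $2: principal.
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" '
    /^ *[0-9]+ / && $4 == p { seen[$1] = 1 }
    END { n = 0; for (k in seen) { n++; v = k }
          if (n == 0) print "absent"; else if (n == 1) print v; else print "mixed" }'
}

# "ok" when the deployed and exported keytabs carry the same kvno for the
# principal, "stale: ..." otherwise. A stale deployed keytab means the KDC now
# issues service tickets under a key the service does not have, so clients are
# rejected with a key-version error until CM regenerates and redeploys it.
# $1: deployed klist output, $2: exported klist output, $3: principal.
compare_kvno() {
  local deployed exported
  deployed=$(keytab_kvno "$1" "$3")
  exported=$(keytab_kvno "$2" "$3")
  if [ "$deployed" = "$exported" ]; then
    echo ok
  else
    echo "stale: deployed kvno $deployed, exported kvno $exported"
  fi
}

weak_enctypes "$EXPORTED_KLIST"
compare_kvno "$DEPLOYED_KLIST" "$EXPORTED_KLIST" hbase/cdh-node1@CDH.COM
```

The weak-enctype list is what the stock supported_enctypes in kdc.conf produces; the kvno comparison is the check to run before assuming a hand-exported keytab is harmless.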

2. Install the Kerberos service (on cdh-node2, the KDC host)

#################### 1. install the KDC packages ####################
yum -y install krb5-libs krb5-workstation krb5-auth-dialog krb5-server

## a. edit /etc/krb5.conf: realm EXAMPLE.COM -> CDH.COM, kdc/admin_server example.com -> this host
##    (each sed replaces only the first match per line; $(hostname) must resolve from every CDH node, here cdh-node2)
sed -i s/EXAMPLE/CDH/ /etc/krb5.conf
sed -i "s/example.com/$(hostname)/" /etc/krb5.conf

## b. edit /var/kerberos/krb5kdc/kadm5.acl: the stock "*/admin@EXAMPLE.COM *" entry becomes "*/admin@CDH.COM *",
##    so every principal whose instance is "admin" gets full kadmin rights (the accounts created below rely on this)
sed -i s/EXAMPLE/CDH/ /var/kerberos/krb5kdc/kadm5.acl

## c. edit /var/kerberos/krb5kdc/kdc.conf: rename the realm and add max_renewable_life inside the realm block.
##    The stock value is 0, i.e. tickets are not renewable, and CDH's long-running services need renewable tickets.
##    "8i" inserts at line 8, which in the stock file is inside the realm block; check the result, the line
##    number is not stable across versions. The stock supported_enctypes list also keeps des-*, des3 and
##    arcfour-hmac (the keytab export above shows them); drop them unless a legacy client needs them.
sed -i -e '8i\\tmax_renewable_life= 7d 0h 0m 0s' -e s/EXAMPLE/CDH/  /var/kerberos/krb5kdc/kdc.conf
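Inserting at a fixed line number is fragile. As an added alternative (my code, not the post's), the script below renders the whole kdc.conf for the realm with renewable tickets enabled and only AES key types, and provides a check that reports whether an existing kdc.conf has a non-zero max_renewable_life and a supported_enctypes list free of DES/3DES/RC4. The realm and paths are the post's; the function names and the AES-only policy are my choices. supported_enctypes must be settled before `kdb5_util create`, because the master key and the krbtgt keys are generated at that point and keep whatever types were listed. On CDH 5 with an Oracle JDK 7/8, aes256 also needs the JCE Unlimited Strength policy files on every host; without them list aes128-cts only.

```shell
#!/usr/bin/env bash
# kdc_conf.sh: render /var/kerberos/krb5kdc/kdc.conf for a realm and check
# the two settings a CDH-facing, hardened KDC needs.
# Added example, not from the original post.
set -u

# Write a kdc.conf with a non-zero renewable lifetime and AES-only key
# types: no DES, 3DES or RC4 keys are generated for any principal.
# $1: realm, $2: output path (use /var/kerberos/krb5kdc/kdc.conf on the KDC).
render_kdc_conf() {
  cat > "$2" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  master_key_type = aes256-cts
  max_life = 1d 0h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# Report problems in an existing kdc.conf: prints "ok" when
# max_renewable_life is present and non-zero and supported_enctypes lists
# only AES types; otherwise one finding per line.  $1: path to kdc.conf.
check_kdc_conf() {
  awk '
    /^[ \t]*max_renewable_life[ \t]*=/ {
      split($0, kv, "="); v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (v !~ /^0d 0h 0m 0s$/ && v != "0") renew = 1
    }
    /^[ \t]*supported_enctypes[ \t]*=/ {
      split($0, kv, "="); n = split(kv[2], t, /[ \t]+/)
      for (i = 1; i <= n; i++)
        if (t[i] ~ /^(des|des3|arcfour|rc4)/) weak = weak " " t[i]
    }
    END {
      if (!renew) print "max_renewable_life missing or zero"
      if (weak != "") print "weak supported_enctypes:" weak
      if (renew && weak == "") print "ok"
    }' "$1"
}

# Self-check on a temporary copy (no KDC needed): the rendered file passes.
tmp=$(mktemp -d)
render_kdc_conf CDH.COM "$tmp/kdc.conf"
check_kdc_conf "$tmp/kdc.conf"      # ok
rm -rf "$tmp"
```

Run `check_kdc_conf /var/kerberos/krb5kdc/kdc.conf` after the sed edits above to confirm that max_renewable_life actually landed in the file; run it again after trimming supported_enctypes.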

#################### 2. create the KDC database and the admin account ####################
# create the KDC database with a stash file (-s); the master password here is "kdc".
# Passing it with -P leaves it in the shell history and process list; outside a lab omit -P and type it at the prompt.
kdb5_util create  -s  -P kdc

# create the KDC admin principal (password: admin; the two extra lines answer the password prompts)
echo -e "addprinc admin/[email protected]  \nadmin\nadmin" |kadmin.local
# interactive equivalent => kadmin.local:  addprinc admin/[email protected]   # password: admin

# enable the KDC and kadmin services at boot and start them
chkconfig  krb5kdc on
chkconfig  kadmin  on
service krb5kdc start
service kadmin start
#################### 3. create the account Cloudera Manager will use ####################
# interactive equivalent => kadmin.local:  addprinc scmroot/[email protected]   # password: scmroot
echo -e "addprinc scmroot/[email protected]  \nscmroot\nscmroot" |kadmin.local

# verify the account can obtain a TGT
echo "scmroot" |kinit scmroot/[email protected]
klist

3. Enable Kerberos on the CDH cluster (Cloudera Manager wizard)

a. Administration > Security
b. Enable Kerberos
c. Confirm the prerequisites and tick every checkbox (KDC set up, krb5 client packages on all hosts, openldap-clients on the CM server host, as in the table in section 1)
d. Enter the KDC details (MIT KDC, realm CDH.COM, KDC and admin server host cdh-node2)
e. Skip "Manage krb5.conf through Cloudera Manager" and enter the CDH admin account created in step 2.3; CM uses it through kadmin to create one principal per service and host, which is why the list in section 4 contains hdfs, hive, hbase and other principals nobody created by hand

4. Calling Hive, HBase and other services with Kerberos authentication

a. Find the Kerberos principals of the CDH services

[root@cdh-node1 ~]# kdestroy 
[root@cdh-node1 ~]# klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@cdh-node1 ~]# su hdfs

[hdfs@cdh-node1 root]$ hive 
## with no ticket in the credential cache the Hive CLI fails: GSS initiate failed / No valid credentials provided (the cluster now rejects unauthenticated clients)
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.12.0-1.cdh5.12.0.p0.29/jars/hive-common-1.1.0-cdh5.12.0.jar!/hive-log4j.properties
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "cdh-node1/192.168.56.161"; destination host is: "cdh-node1":8020; 
..........
# list the principals CM registered for hive, hbase and the other services (listprincs needs an admin principal, so log in as scmroot first)
[root@cdh-node1 ~]# klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
[root@cdh-node1 ~]# echo -e "scmroot" |kinit scmroot/[email protected]
Password for scmroot/[email protected]: 
[root@cdh-node1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: scmroot/[email protected]

Valid starting     Expires            Service principal
01/20/20 02:43:24  01/21/20 02:43:24  krbtgt/[email protected]
	renew until 01/27/20 02:43:24
[root@cdh-node1 ~]# kadmin
Authenticating as principal scmroot/[email protected] with password.
Password for scmroot/[email protected]: 
kadmin:  listprincs 
HTTP/[email protected]
K/[email protected]
admin/[email protected]
hbase/[email protected]
hdfs/[email protected]
hive/[email protected]
hue/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
krbtgt/[email protected]
mapred/[email protected]
oozie/[email protected]
scm/[email protected]
scmroot/[email protected]
test/[email protected]
yarn/[email protected]
zookeeper/[email protected]

b. Log in to Hive with a keytab

# locate the keytab CM deployed for hive and obtain a TGT from it.
# These files are the services' own credentials: whoever can read one holds that service's identity
# (hdfs, for one, is the HDFS superuser), so for people create a user principal with addprinc instead of reusing them.
[root@cdh-node1 ~]# find /opt/ |grep keytab |grep hive
/opt/cm-5.12.2/run/cloudera-scm-agent/process/91-hive-HIVESERVER2/hive.keytab
/opt/cm-5.12.2/run/cloudera-scm-agent/process/90-hive-HIVEMETASTORE/hive.keytab
[root@cdh-node1 ~]# kinit -kt /opt/cm-5.12.2/run/cloudera-scm-agent/process/91-hive-HIVESERVER2/hive.keytab  hive/[email protected] 
[root@cdh-node1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hive/[email protected]

Valid starting     Expires            Service principal
01/20/20 02:45:44  01/21/20 02:45:44  krbtgt/[email protected]
	renew until 01/25/20 02:45:44

# start the Hive CLI, now authenticated as the hive service principal
[root@cdh-node1 ~]# hive
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.12.0-1.cdh5.12.0.p0.29/jars/hive-common-1.1.0-cdh5.12.0.jar!/hive-log4j.properties
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive> show tables;
OK
t1
Time taken: 1.948 seconds, Fetched: 1 row(s)
hive> select * from t1;
OK
1
2
Time taken: 0.398 seconds, Fetched: 2 row(s)
hive> insert into t1 values(3);
Query ID = root_20200120024646_9b765d52-d72e-432d-8bd9-2c73405b856e
Total jobs = 3
Launching Job 1 out of 3
Number of reduce tasks is set to 0 since there's no reduce operator
Starting Job = job_1579483243323_0001, Tracking URL = http://cdh-node1:8088/proxy/application_1579483243323_0001/
Kill Command = /opt/cloudera/parcels/CDH-5.12.0-1.cdh5.12.0.p0.29/lib/hadoop/bin/hadoop job  -kill job_1579483243323_0001
Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 0
2020-01-20 02:46:57,558 Stage-1 map = 0%,  reduce = 0%
2020-01-20 02:47:04,998 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 1.49 sec
MapReduce Total cumulative CPU time: 1 seconds 490 msec
Ended Job = job_1579483243323_0001
Stage-4 is selected by condition resolver.
Stage-3 is filtered out by condition resolver.
Stage-5 is filtered out by condition resolver.
Moving data to: hdfs://cdh-node1:8020/user/hive/warehouse/t1/.hive-staging_hive_2020-01-20_02-46-41_281_126491748162214148-1/-ext-10000
Loading data to table default.t1
Table default.t1 stats: [numFiles=3, numRows=3, totalSize=6, rawDataSize=3]
MapReduce Jobs Launched: 
Stage-Stage-1: Map: 1   Cumulative CPU: 1.49 sec   HDFS Read: 3214 HDFS Write: 68 SUCCESS
Total MapReduce CPU Time Spent: 1 seconds 490 msec
OK
Time taken: 25.386 seconds
hive> 

c. Log in to HBase with a keytab

#################### log in to hbase ####################
[root@cdh-node1 ~]# kinit  -kt /opt/cm-5.12.2/run/cloudera-scm-agent/process/82-hbase-REGIONSERVER/hbase.keytab hbase/[email protected]
[root@cdh-node1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hbase/[email protected]

Valid starting     Expires            Service principal
01/20/20 02:50:37  01/21/20 02:50:37  krbtgt/[email protected]
	renew until 01/25/20 02:50:37
	
[root@cdh-node1 ~]# hbase shell
Version 1.2.0-cdh5.12.0, rUnknown, Thu Jun 29 04:42:07 PDT 2017
hbase(main):001:0> list
TABLE                                                                                                                                                                        
t1                                                                                                                                                                           
1 row(s) in 0.1630 seconds

=> ["t1"]
hbase(main):002:0> scan 't1'
ROW                                          COLUMN+CELL                                                                                                                     
 r1                                          column=f:name, timestamp=1579423658722, value=a                                                                                 
 r2                                          column=f:name, timestamp=1579430009816, value=b                                                                                 
2 row(s) in 0.1070 seconds

hbase(main):003:0> put 't1','r3','f:name','cc'
0 row(s) in 0.0600 seconds
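The two logins above overwrite root's default cache /tmp/krb5cc_0 and leave the service's TGT lying around afterwards. As an added example (my code, not the post's) covering both the Hive and the HBase case, the wrapper below refuses keytabs that other users can read, authenticates into a private credential cache, runs the client command, and destroys the ticket when the command exits. It assumes the MIT krb5 client tools (kinit, klist, kdestroy); the keytab path in the usage comment is from the post, the principal placeholder must be filled from the listprincs output.

```shell
#!/usr/bin/env bash
# run_as_keytab.sh: run a Hadoop client command as a service principal in a
# private credential cache, leaving /tmp/krb5cc_0 untouched and destroying
# the TGT as soon as the command finishes.
# Added example, not from the original post.
set -u

# Refuse keytabs that group or others can read: anyone who can read the file
# can kinit as the principal for as long as that key stays valid.
# Prints "ok" or "insecure <octal mode>".  $1: keytab path.
check_keytab_mode() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")   # GNU, then BSD stat
  case "$mode" in
    *00) echo ok ;;
    *)   echo "insecure $mode" ;;
  esac
}

# run_with_keytab <keytab> <principal> <command...>
# The body is a subshell so KRB5CCNAME is scoped to this call; "exit" ends
# only the subshell and its status becomes the function's return value.
run_with_keytab() (
  keytab=$1 principal=$2; shift 2
  [ "$(check_keytab_mode "$keytab")" = ok ] ||
    { echo "refusing $keytab: readable by group/others" >&2; exit 2; }
  cc=$(mktemp /tmp/krb5cc_XXXXXX) || exit 2          # mktemp creates it mode 0600
  export KRB5CCNAME="FILE:$cc"
  trap 'kdestroy -q 2>/dev/null; rm -f "$cc"' EXIT    # never leave the TGT behind
  kinit -kt "$keytab" "$principal" || exit 2
  klist -s || { echo "kinit succeeded but no valid TGT in $KRB5CCNAME" >&2; exit 2; }
  "$@"
)

# Usage (keytab path from the post; replace <host> with the instance shown by listprincs):
#   run_with_keytab /opt/cm-5.12.2/run/cloudera-scm-agent/process/91-hive-HIVESERVER2/hive.keytab \
#       'hive/<host>@CDH.COM' hive -e 'show tables'
#   run_with_keytab /opt/cm-5.12.2/run/cloudera-scm-agent/process/82-hbase-REGIONSERVER/hbase.keytab \
#       'hbase/<host>@CDH.COM' hbase shell

# Self-check on a constructed file (no KDC needed): a 0644 keytab is refused.
demo=$(mktemp) && chmod 644 "$demo"
check_keytab_mode "$demo"                       # insecure 644
chmod 600 "$demo"; check_keytab_mode "$demo"    # ok
rm -f "$demo"
```

Because the cache is private and destroyed on exit, a second terminal's `klist` still shows whatever it had before, and a crash in the client command cannot leave a service TGT in /tmp for the next user of the box.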