文章目錄
1.kerberos概念介紹
principal:認證的主體,如kafka/[email protected]
,其中kafka
是主體的用戶名,stream.dt.local
表示一個組,EXAMPLE.COM
表示一個命名空間;
realm: realm有點像編程語言中的namespace。在編程語言中,變量名只有在某個"namespace"裏纔有意義。同樣的,一個principal只有在某個realm下才有意義;kafka配置kerberos(SASL)認證時,realm必須爲當前kafka broker所在機器的hostname,如kafka/[email protected]
;大家都約定成俗用大寫來命名realm, 比如"EXAMPLE.COM";
password:某個用戶的密碼,即kerberos中的master_key。password可以存在一個keytab文件中。所以kerberos中需要使用密碼的場景都可以用一個keytab作爲輸入;
2. kerberos認證過程
step1:用戶通過kinit
命令登錄KDC(key distribution center),其中的AS認證服務器到本地數據庫中查詢用戶發送過來的principal是否存在,如果存在,則返回TGT給用戶
Step2:kafka客戶端無法直接連通開啓kerberos認證的kafka broker,需要將緩存在用戶端的TGT發送給KDC,其中的TGS票據授權服務器會驗證TGT是否對應數據庫中某個principal,如果驗證通過,則返回server ticket給kafka客戶端,然後便可以訪問kafka broker
術語解釋:
KDC:Key Distribution Center,密鑰分發中心
TGT:Ticket-Granting-Ticket,Ticket for getting tickets
AS:Authentication Service,認證服務器
TGS:Ticket Granting Service,票據授權服務器
3. kerberos安裝
-
安裝kerberos
# The krb5-server package contains the programs that must be installed on a Kerberos 5 key distribution center (KDC). If you are installing a Kerberos 5 KDC, you need to install this package (in other words, most people should NOT install this package). # krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd). If your network uses Kerberos, this package should be installed on every workstation. # The krb5-libs package contains the shared libraries needed by Kerberos 5. If you are using Kerberos, you need to install this package. yum install -y krb5-libs krb5-server krb5-workstation
-
修改配置文件
/var/kerberos/krb5kdc/kdc.conf,kdc配置
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
EXAMPLE.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_life = 1d
max_renewable_life = 7d
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
/etc/krb5.conf,kdc和客戶端配置
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = EXAMPLE.COM
udp_preference_limit=1
# default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = stream.dt.local
admin_server = stream.dt.local
}
# admin_server 數據庫連接服務
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
4. 創建 KDC 數據庫
$ kdb5_util create -s -r EXAMPLE.COM
5. 編輯 kadm5.acl
# 賦予admin組所有權限
$ vim /var/kerberos/krb5kdc/kadm5.acl
*/[email protected] *
6. 啓動kdc和admin
$ systemctl start krb5kdc
$ systemctl start kadmin
# kadmin即admin_server,是數據庫連接服務,當使用kadmin.local命令時,就要用到該服務
# 設置開機自啓
$ systemctl enable krb5kdc
$ systemctl enable kadmin
7. 添加principal
$ kadmin.local
$ kadmin.local: addprinc kafka/stream.dt.local
$ kadmin.local: listprincs
8. 使用keytab登陸
使用kinit
進行登陸共有兩種登錄方式,第一種是通過密碼登陸,第二種是通過keytab文件,其中keytab文件是通過加密算法將密碼進行加密並存入文件中。此處演示通過keytab進行登陸
$ kadmin.local
# 生成keytab文件
$ kadmin.local: xst -k /opt/third/kafka/kerberos/kafka_server.keytab kafka/[email protected]
# 查看keytab文件支持的加密算法,驗證其是否與kdc.conf配置的加密算法一致
$ klist -t -e -k /opt/third/kafka/kerberos/kafka_server.keytab
# 利用keytab進行登陸
$ kinit -kt /opt/third/kafka/kerberos/kafka_server.keytab kafka/stream.dt.local
# 查看是否登陸成功
$ klist
參考:
https://www.jianshu.com/p/fc2d2dbd510b
https://rpmfind.net/linux/rpm2html/search.php?query=krb5-libs&submit=Search+…&system=&arch=
https://simple.wikipedia.org/wiki/Kerberos_(protocol)