
Kerberos security authentication deployment for Hadoop and HBase

(Continued from the previous post)

V. Kerberos

1. jsvc

All nodes:


# cd ~/soft

# wget http://mirror.bit.edu.cn/apache/commons/daemon/source/commons-daemon-1.0.15-native-src.tar.gz

# tar zxf commons-daemon-1.0.15-native-src.tar.gz

# cd commons-daemon-1.0.15-native-src/unix; ./configure; make

# cp jsvc /usr/local/hadoop-2.4.0/libexec/

# cd ~/soft

# wget http://mirror.bit.edu.cn/apache//commons/daemon/binaries/commons-daemon-1.0.15-bin.tar.gz

# tar zxf commons-daemon-1.0.15-bin.tar.gz

# cp commons-daemon-1.0.15/commons-daemon-1.0.15.jar /usr/local/hadoop-2.4.0/share/hadoop/hdfs/lib/

# cp commons-daemon-1.0.15/commons-daemon-1.0.15.jar /usr/local/hadoop-2.4.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/

# rm -f /usr/local/hadoop-2.4.0/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar

# rm -f /usr/local/hadoop-2.4.0/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/commons-daemon-1.0.13.jar

# vim /usr/local/hadoop-2.4.0/etc/hadoop/hadoop-env.sh

                   export JSVC_HOME=/usr/local/hadoop-2.4.0/libexec/

2. 256-bit encryption

All nodes:

# wget -c http://download.oracle.com/otn-pub/java/jce/7/UnlimitedJCEPolicyJDK7.zip?AuthParam=1400207941_ee158c414c707a057960c521a7b29866

# unzip UnlimitedJCEPolicyJDK7.zip

# cp UnlimitedJCEPolicy/*.jar /usr/java/jdk1.7.0_65/jre/lib/security/

cp:是否覆蓋"/usr/java/jdk1.7.0_51/jre/lib/security/local_policy.jar"? y

cp:是否覆蓋"/usr/java/jdk1.7.0_51/jre/lib/security/US_export_policy.jar"? y

3. Deploy the KDC

Host test3:

Install the KDC server

# yum -y install krb5\*

Configuration file krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = cc.cn
 dns_lookup_realm = false
 dns_lookup_kdc = false
 # 365d is the lifetime clients request by default; the KDC caps it at max_life
 ticket_lifetime = 365d
 renew_lifetime = 365d
 forwardable = true

[realms]
 cc.cn = {
  kdc = test3
  admin_server = test3
 }

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

Configuration file kdc.conf

# vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 cc.cn = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  # The des-*, des3-* and arcfour-* entries are deprecated enctypes (RFC 6649, RFC 8429); keep them only for legacy clients
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
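An added example, not part of the original post: a shell check over the two files above that lists the supported_enctypes entries deprecated by RFC 6649 and RFC 8429 and the requested ticket lifetimes above a threshold. The function names and the 24-hour threshold are assumptions, and the sample input is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example: flag settings in krb5.conf/kdc.conf text that deserve review.
# Enctype classes follow RFC 6649 (single DES) and RFC 8429 (3DES, RC4).

# Print "class:enctype" for every flagged entry of supported_enctypes in file $1.
flag_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=//p' "$1" |
    tr -s ' \t' '\n\n' |
    while IFS=: read -r enc salt; do
        case "$enc" in
            des-*)             echo "weak:$enc" ;;
            des3-*|arcfour-*)  echo "deprecated:$enc" ;;
        esac
    done
}

# Convert a single-unit krb5 duration (365d, 24h, 30m, 600s, 600) to seconds.
to_seconds() {
    n=${1%[dhms]}
    case "$1" in
        *d) echo $((n * 86400)) ;;
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *)  echo "$n" ;;
    esac
}

# Print "key=value" for ticket_lifetime/renew_lifetime in file $1 above $2 seconds.
long_lifetimes() {
    awk -F'[ \t]*=[ \t]*' '/^[ \t]*(ticket|renew)_lifetime[ \t]*=/ {
        sub(/^[ \t]+/, "", $1); sub(/[ \t]+$/, "", $2); print $1, $2 }' "$1" |
    while read -r key val; do
        if [ "$(to_seconds "$val")" -gt "$2" ]; then echo "$key=$val"; fi
    done
}

# Constructed sample: the relevant lines of the two files shown above.
sample_conf() {
    cat <<'EOF'
 ticket_lifetime = 365d
 renew_lifetime = 365d
 #master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
flag_enctypes "$tmp"          # lists the five flagged enctypes
long_lifetimes "$tmp" 86400   # lists both lifetimes (above 24 hours)
rm -f "$tmp"
```

On a real KDC host, pass /var/kerberos/krb5kdc/kdc.conf to flag_enctypes and /etc/krb5.conf to long_lifetimes.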

Configuration file kadm5.acl

# vim /var/kerberos/krb5kdc/kadm5.acl

*/admin@cc.cn *

Create the database

# kdb5_util create -r cc.cn -s

Enter KDC database master key:

Start the services and enable them at boot

# service krb5kdc start

# service kadmin start

# chkconfig krb5kdc on

# chkconfig kadmin on

Create the administrator principal

# kadmin.local

kadmin.local:  addprinc root/admin

Enter password for principal "root/admin@cc.cn":

VI. Integrating Hadoop with Kerberos

1. Configure node authentication

Host test1:

# yum -y install krb5\*

# scp test3:/etc/krb5.conf /etc/

# kadmin -p root/admin

kadmin: addprinc -randkey root/test1

kadmin: addprinc -randkey HTTP/test1

kadmin: ktadd -k /hadoop/krb5.keytab root/test1 HTTP/test1

Host test2:

# yum -y install krb5\*

# scp test3:/etc/krb5.conf /etc/

# kadmin -p root/admin

kadmin: addprinc -randkey root/test2

kadmin: addprinc -randkey HTTP/test2

kadmin: ktadd -k /hadoop/krb5.keytab root/test2 HTTP/test2

Host test3:

# kadmin.local

kadmin.local:   addprinc -randkey root/test3

kadmin.local:   addprinc -randkey HTTP/test3

kadmin.local:   ktadd -k /hadoop/krb5.keytab root/test3 HTTP/test3

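2. Add configuration

Configuration file core-site.xml

Host test1:

# vim /usr/local/hadoop-2.4.0/etc/hadoop/core-site.xml

<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>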

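Configuration file hdfs-site.xml

Host test1:

# vim /usr/local/hadoop-2.4.0/etc/hadoop/hdfs-site.xml

<property>
  <name>dfs.journalnode.keytab.file</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@cc.cn</value>
</property>
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@cc.cn</value>
</property>
<!-- Testing-only switch: skips the check that a secure DataNode is bound to privileged ports -->
<property>
  <name>ignore.secure.ports.for.testing</name>
  <value>true</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>
<property>
  <name>hadoop.http.staticuser.user</name>
  <value>root</value>
</property>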

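Configuration file yarn-site.xml

Host test1:

# vim /usr/local/hadoop-2.4.0/etc/hadoop/yarn-site.xml

<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>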

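Configuration file mapred-site.xml

Host test1:

# vim /usr/local/hadoop-2.4.0/etc/hadoop/mapred-site.xml

<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>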
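An added example, not part of the original post: before the daemons are started, each node can check that its keytab holds the principals the _HOST patterns above resolve to and that the keytab file is readable by its owner only. The function names are hypothetical, the klist listing is a constructed sample, and the host name passed in is assumed to be the name the node resolves for itself.

```shell
#!/bin/sh
# Added example: pre-start keytab checks for one node.

# Expand Hadoop's _HOST placeholder with the node's lower-cased host name.
# $1 = principal pattern from the *-site.xml files, $2 = host name.
expand_principal() {
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | sed "s/_HOST/$host/"
}

# Read `klist -kt` output on stdin and print each expected principal ($@)
# that has no entry. Entry lines start with a numeric KVNO; the principal
# is their last field.
missing_principals() {
    listing=$(awk '$1 ~ /^[0-9]+$/ { print $NF }')
    for p in "$@"; do
        printf '%s\n' "$listing" | grep -qxF -- "$p" || echo "$p"
    done
}

# Succeed only if file $1 grants nothing to group or others (0400 or 0600).
keytab_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample of `klist -kt /hadoop/krb5.keytab` on host test3,
# with the HTTP/test3 entry deliberately absent.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/hadoop/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/16/2014 10:22:31 root/test3@cc.cn
   2 05/16/2014 10:22:31 root/test3@cc.cn
EOF
}

want_root=$(expand_principal 'root/_HOST@cc.cn' test3)
want_http=$(expand_principal 'HTTP/_HOST@cc.cn' test3)
# On a real node: klist -kt /hadoop/krb5.keytab | missing_principals ...
sample_klist | missing_principals "$want_root" "$want_http"
```

On a node, `keytab_private /hadoop/krb5.keytab || echo "keytab is group/world accessible"` covers the file-mode half of the check.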

3. Synchronize the configuration files

Host test1:

# scp -r /usr/local/hadoop-2.4.0/ test2:/usr/local/

# scp -r /usr/local/hadoop-2.4.0/ test3:/usr/local/

4. Start

Host test1:

# start-all.sh

5. Verify

Host test3:

# kinit -k -t /hadoop/krb5.keytab root/test3

# hdfs dfs -ls /

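VII. Integrating HBase with Kerberos

1. Add configuration

Configuration file hbase-site.xml

Host test1:

# vim /usr/local/hbase-0.98.1/conf/hbase-site.xml

<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider</value>
</property>
<property>
  <name>hbase.master.keytab.file</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>hbase.master.kerberos.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>
<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/hadoop/krb5.keytab</value>
</property>
<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>root/_HOST@cc.cn</value>
</property>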

2. Synchronize the configuration file

Host test1:

# scp /usr/local/hbase-0.98.1/conf/hbase-site.xml test2:/usr/local/hbase-0.98.1/conf/

# scp /usr/local/hbase-0.98.1/conf/hbase-site.xml test3:/usr/local/hbase-0.98.1/conf/

3. Start

Host test1:

# start-hbase.sh

4. Verify

Host test3:

# kinit -k -t /hadoop/krb5.keytab root/test3

# hbase shell

VIII. Connecting to the cluster

1. Keytab file location

/etc/xiaofeiyun.keytab

Creation procedure

Host test1:

# kadmin -p root/admin

Password for root/admin@cc.cn:

kadmin: addprinc -randkey data/xiaofeiyun

kadmin: addprinc -randkey platform/xiaofeiyun

kadmin: ktadd -k /etc/xiaofeiyun.keytab data/xiaofeiyun platform/xiaofeiyun

# scp /etc/xiaofeiyun.keytab test2:/etc/

# scp /etc/xiaofeiyun.keytab test3:/etc/

2. krb5.conf file location

/etc/krb5.conf

3. Hadoop connection

conf.set("fs.defaultFS","hdfs://cluster1");

conf.set("dfs.nameservices","cluster1");

conf.set("dfs.ha.namenodes.cluster1","test1,test2");

conf.set("dfs.namenode.rpc-address.cluster1.test1","test1:9000");

conf.set("dfs.namenode.rpc-address.cluster1.test2","test2:9000");

conf.set("dfs.client.failover.proxy.provider.cluster1","org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider");

4. HBase connection

ha.zookeeper.quorum

test1:2181,test2:2181,test3:2181


Article URL: http://weahome.cn/article/jieeos.html
