ApacheHadoop 3.2.1集群集成Kerberos
Posted 淡极无痕
【Apache】Hadoop 3.2.1集群集成Kerberos
- 系列文章传送门
- 参考资料
- 1. 创建HDFS相关的Kerberos账户并导出keytab文件
- 2. 权限配置
- 3. 修改HDFS配置文件
- 4. 创建HTTPS证书
- 5. 编辑ssl-server.xml
- 6. 编辑ssl-client.xml
- 7. 开启HTTPS
- 8.启动集群
系列文章传送门
前篇:【Apache】Hadoop 3.2.1集群搭建
中篇:Kerberos的安装与配置
后篇:【Apache】Hadoop 3.2.1集群集成Kerberos
参考资料
1、《Hadoop权威指南》
2、http://t.csdn.cn/Yrq0Q
1. 创建HDFS相关的Kerberos账户并导出keytab文件
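# Create the keytab directory on every node. The exported keytabs are
# password-equivalent for the service principals, so do not leave the
# directory at the default (umask-derived) mode: restrict it to its owner.
mkdir -p /etc/security/keytabs
chmod 700 /etc/security/keytabs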
1.1 master节点
kadmin # enter the password 123456 to reach the Kerberos admin shell
# Create the service principal with a random key and export it to a keytab,
# so the daemons can authenticate at start-up without anyone typing a password.
addprinc -randkey hdfs/master.hadoop.com@HADOOP.COM
ktadd -k /etc/security/keytabs/hdfs.keytab hdfs/master.hadoop.com@HADOOP.COM
quit
# Show the keytab entries (-k keytab, -e encryption types, -t timestamps) to confirm the export.
klist -ket /etc/security/keytabs/hdfs.keytab
cd /etc/security/keytabs/
# This copy is the path referenced by the *.keytab.file properties in hdfs-site.xml;
# it must end up readable by the hdfs service user only.
cp hdfs.keytab /opt/bigdata/hadoop-3.2.1/etc/hadoop/
1.2 slave1节点
kadmin # enter the password 123456 to reach the Kerberos admin shell
# Same as on master: per-host principal with a random key, exported to a keytab.
addprinc -randkey hdfs/slave1.hadoop.com@HADOOP.COM
ktadd -k /etc/security/keytabs/hdfs.keytab hdfs/slave1.hadoop.com@HADOOP.COM
quit
# Confirm the exported entries (encryption types and timestamps).
klist -ket /etc/security/keytabs/hdfs.keytab
cd /etc/security/keytabs/
# Copy to the path used by the *.keytab.file properties; keep it readable by the hdfs user only.
cp hdfs.keytab /opt/bigdata/hadoop-3.2.1/etc/hadoop/
1.3 slave2节点
kadmin # enter the password 123456 to reach the Kerberos admin shell
# Same as on master: per-host principal with a random key, exported to a keytab.
addprinc -randkey hdfs/slave2.hadoop.com@HADOOP.COM
ktadd -k /etc/security/keytabs/hdfs.keytab hdfs/slave2.hadoop.com@HADOOP.COM
quit
# Confirm the exported entries (encryption types and timestamps).
klist -ket /etc/security/keytabs/hdfs.keytab
cd /etc/security/keytabs/
# Copy to the path used by the *.keytab.file properties; keep it readable by the hdfs user only.
cp hdfs.keytab /opt/bigdata/hadoop-3.2.1/etc/hadoop/
2. 权限配置
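# Hand the installation to the hdfs service user, then give the top-level
# directories back to root so the service account cannot swap out the
# configuration directory itself.
chown -R hdfs:hadoop $HADOOP_HOME
chown root:hadoop $HADOOP_HOME
chmod 755 -R $HADOOP_HOME/etc/hadoop/*
chown root:hadoop $HADOOP_HOME/etc
chown root:hadoop $HADOOP_HOME/etc/hadoop
# The recursive 755 above also hits the keytab copied into etc/hadoop in
# step 1, leaving it world-readable. The keytab is password-equivalent for
# the service principals, so restrict it to the daemon user only.
chown hdfs:hadoop $HADOOP_HOME/etc/hadoop/hdfs.keytab
chmod 400 $HADOOP_HOME/etc/hadoop/hdfs.keytab
# Fall back to the paths configured in hdfs-site.xml when these variables are
# not exported, so the chown/chmod below do not run against an empty string.
: "${DFS_DATANODE_DATA_DIR:=/data/dn}"
: "${DFS_NAMENODE_NAME_DIR:=/data/nn}"
# Storage directories belong to hdfs only; 700 matches dfs.datanode.data.dir.perm.
chown -R hdfs:hadoop $DFS_DATANODE_DATA_DIR
chown -R hdfs:hadoop $DFS_NAMENODE_NAME_DIR
chmod 700 $DFS_DATANODE_DATA_DIR
chmod 700 $DFS_NAMENODE_NAME_DIR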
3. 修改HDFS配置文件
# All edits in this section are made inside the Hadoop configuration directory.
cd $HADOOP_HOME/etc/hadoop
3.1 yarn-env.sh
vim yarn-env.sh
# Line to add inside yarn-env.sh (not a shell command to run interactively).
export JAVA_HOME=/usr/local/jdk1.8.0_351
# xsync is the cluster copy helper from the earlier article in this series; it pushes the file to every node.
xsync $HADOOP_HOME/etc/hadoop/yarn-env.sh
3.2 mapred-env.sh
vim mapred-env.sh
# Line to add inside mapred-env.sh (not a shell command to run interactively).
export JAVA_HOME=/usr/local/jdk1.8.0_351
# Push the edited file to every node with the cluster copy helper.
xsync $HADOOP_HOME/etc/hadoop/mapred-env.sh
3.3 core-site.xml
# The <configuration> block that follows is the complete contents of core-site.xml.
vim core-site.xml
<configuration>
<property>
<name>fs.defaultFS</name>
<value>hdfs://master:9000</value>
</property>
<property>
<name>hadoop.tmp.dir</name>
<value>/opt/bigdata/hadoop-3.2.1/tmp</value>
</property>
<property>
<name>io.file.buffer.size</name>
<value>131072</value>
</property>
<!-- Service-level authorization: RPC callers are checked against the ACLs in
     hadoop-policy.xml. This is separate from authentication, which is the
     next property. -->
<property>
<name>hadoop.security.authorization</name>
<value>true</value>
<description>是否开启hadoop的安全认证</description>
</property>
<!-- Switches every Hadoop RPC from "simple" (the client's OS username is
     trusted) to Kerberos: daemons and clients need a valid ticket or keytab. -->
<property>
<name>hadoop.security.authentication</name>
<value>kerberos</value>
<description>使用kerberos作为hadoop的安全认证方案</description>
</property>
<!-- "authentication" only authenticates the RPC connection; request payloads
     still travel in clear text. "integrity" adds per-message integrity checks
     and "privacy" encrypts the RPC stream. -->
<property>
<name>hadoop.rpc.protection</name>
<value>authentication</value>
</property>
<!-- Maps a Kerberos principal to the local OS user. [2:$1@$0] takes the
     "primary@REALM" part of a two-component principal such as
     hdfs/master.hadoop.com@HADOOP.COM. The match patterns are unanchored and
     their dots are unescaped, so they are looser than they look. The yarn rule
     never fires with the yarn-site.xml on this page, because the YARN daemons
     there also use hdfs/_HOST and therefore run as the hdfs user. -->
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[2:$1@$0](hdfs@.*HADOOP.COM)s/.*/hdfs/
RULE:[2:$1@$0](yarn@.*HADOOP.COM)s/.*/yarn/
DEFAULT
</value>
</property>
<!-- Proxy-user (impersonation) rules. A wildcard for both hosts and groups
     lets the named account act as any HDFS user from any host, which is the
     widest setting possible. For production, narrow these to the hosts and
     groups that actually need to impersonate (for example the Hive server
     host for the hive entries). -->
<property>
<name>hadoop.proxyuser.root.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.root.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hdfs.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hdfs.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.yarn.groups</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hive.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hive.groups</name>
<value>*</value>
</property>
</configuration>
# Push the edited core-site.xml to every node with the cluster copy helper.
xsync $HADOOP_HOME/etc/hadoop/core-site.xml
3.4 hdfs-site.xml
# The <configuration> block that follows is the complete contents of hdfs-site.xml.
vim hdfs-site.xml
<configuration>
<!-- Local storage for NameNode metadata and DataNode blocks. Both must be
     owned by the hdfs user with mode 700 (see the permissions step). -->
<property>
<name>dfs.namenode.name.dir</name>
<value>/data/nn</value>
</property>
<property>
<name>dfs.datanode.data.dir</name>
<value>/data/dn</value>
</property>
<!-- NOTE(review): dfs.http.policy below is HTTPS_ONLY, so this plain HTTP
     address is not served. The HTTPS endpoint is dfs.namenode.https-address,
     which is not set here and so falls back to its default; confirm the port
     you expect before opening firewall rules. -->
<property>
<name>dfs.namenode.http-address</name>
<value>master.hadoop.com:9870</value>
</property>
<property>
<name>dfs.namenode.secondary.https-address</name>
<value>slave2.hadoop.com:9869</value>
<description>HTTPS web UI address for the Secondary NameNode.</description>
</property>
<!-- NOTE(review): dfs.namenode.hosts does not appear to be a standard HDFS
     key (the DataNode include list is dfs.hosts); confirm something reads it
     before relying on it as an access control. -->
<property>
<name>dfs.namenode.hosts</name>
<value>master.hadoop.com,slave2.hadoop.com</value>
</property>
<!-- The NameNode principal is spelled out with the host while every other
     daemon on this page uses the _HOST placeholder; both resolve to the same
     principal on master, but _HOST keeps the file identical across nodes. -->
<property>
<name>dfs.namenode.kerberos.principal</name>
<value>hdfs/master.hadoop.com@HADOOP.COM</value>
<description>namenode对应的kerberos账户</description>
</property>
<!-- All daemons on this page share one keytab. It must be readable by the
     user the daemon runs as, and by nobody else. -->
<property>
<name>dfs.namenode.keytab.file</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
<description>指定namenode需要用的keytab文件在哪里</description>
</property>
<!-- NOTE(review): SPNEGO clients (browsers, curl --negotiate) request a
     ticket for HTTP/<host>, so the conventional value here is HTTP/_HOST
     with an HTTP/<host> entry in the keytab. Using the hdfs service principal
     keeps this page down to one keytab but may break browser login to the
     web UIs; confirm against a client before going further. -->
<property>
<name>dfs.namenode.kerberos.internal.spnego.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
<description>https 相关(如开启namenodeUI)使用的账户</description>
</property>
<!-- Plain HTTP address of the Secondary NameNode; unused under HTTPS_ONLY. -->
<property>
<name>dfs.namenode.secondary.http-address</name>
<value>slave2.hadoop.com:9868</value>
</property>
<property>
<name>dfs.secondary.namenode.kerberos.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
<description>secondarynamenode使用的账户</description>
</property>
<property>
<name>dfs.secondary.namenode.keytab.file</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
<description>sn对应的keytab文件</description>
</property>
<!-- Same SPNEGO caveat as for the NameNode above. -->
<property>
<name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
<description>sn需要开启http页面用到的账户</description>
</property>
<!-- The DataNode refuses to start if its data directories are more permissive
     than this; it has to agree with the chmod 700 in the permissions step. -->
<property>
<name>dfs.datanode.data.dir.perm</name>
<value>700</value>
</property>
<!-- NOTE(review): ports 1004 and 1006 are privileged. With
     dfs.data.transfer.protection set and dfs.http.policy=HTTPS_ONLY (both
     below) Hadoop does not require privileged DataNode ports, and an hdfs
     user that is not root cannot bind them unless the DataNode is launched
     through jsvc as root. Either use non-privileged ports or start the
     DataNode the secure (jsvc) way; confirm which one your start script does. -->
<property>
<name>dfs.datanode.address</name>
<value>0.0.0.0:1004</value>
</property>
<!-- Plain HTTP address of the DataNode; unused under HTTPS_ONLY. -->
<property>
<name>dfs.datanode.http.address</name>
<value>0.0.0.0:1006</value>
</property>
<property>
<name>dfs.datanode.https.address</name>
<value>0.0.0.0:9865</value>
<description>HTTPS web UI address for the Data Node.</description>
</property>
<property>
<name>dfs.datanode.kerberos.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
<description>datanode用到的账户</description>
</property>
<property>
<name>dfs.datanode.keytab.file</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
<description>datanode用到的keytab文件路径</description>
</property>
<!-- Block access tokens are mandatory once Kerberos is on: they are how a
     DataNode checks that a client was authorised by the NameNode for a block. -->
<property>
<name>dfs.block.access.token.enable</name>
<value>true</value>
</property>
<!-- Every member of the local OS group "hadoop" is an HDFS superuser;
     keep that group's membership minimal. -->
<property>
<name>dfs.permissions.supergroup</name>
<value>hadoop</value>
</property>
<!-- Single replica: any lost DataNode disk loses data. Fine for a lab. -->
<property>
<name>dfs.replication</name>
<value>1</value>
</property>
<!-- SASL quality of protection for the block transfer protocol. "integrity"
     alone does not encrypt blocks; the encryption here comes from
     dfs.encrypt.data.transfer below. Setting this to "privacy" would make the
     two properties consistent. -->
<property>
<name>dfs.data.transfer.protection</name>
<value>integrity</value>
</property>
<property>
<name>dfs.encrypt.data.transfer</name>
<value>true</value>
<description>数据传输协议激活数据加密</description>
</property>
<!-- WebHDFS / web UI SPNEGO identity; same HTTP/_HOST caveat as above. -->
<property>
<name>dfs.web.authentication.kerberos.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
<description>web hdfs 使用的账户</description>
</property>
<property>
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
<description>对应的keytab文件</description>
</property>
<!-- HTTPS_ONLY disables every plain HTTP endpoint above and requires the
     ssl-server.xml / ssl-client.xml keystores from the later sections. -->
<property>
<name>dfs.http.policy</name>
<value>HTTPS_ONLY</value>
<description>所有开启的web页面均使用https, 细节在ssl server 和client那个配置文件内配置</description>
</property>
</configuration>
# Push the edited hdfs-site.xml to every node with the cluster copy helper.
xsync $HADOOP_HOME/etc/hadoop/hdfs-site.xml
3.5 yarn-site.xml
# The <configuration> block that follows is the complete contents of yarn-site.xml.
vim yarn-site.xml
<configuration>
<property>
<name>yarn.nodemanager.aux-services</name>
<value>mapreduce_shuffle</value>
</property>
<property>
<name>yarn.resourcemanager.hostname</name>
<value>slave1.hadoop.com</value>
</property>
<property>
<name>yarn.nodemanager.env-whitelist</name>
<value>JAVA_HOME,HADOOP_HOME</value>
</property>
<!-- Kerberos principal for the ResourceManager service. The YARN daemons on
     this page reuse the HDFS principal and keytab, so the auth_to_local rules
     in core-site.xml map them to the hdfs user: there is no separate yarn
     identity, and the hdfs keytab must be readable by whatever user runs
     YARN. A dedicated yarn/_HOST principal is the usual separation. -->
<property>
<name>yarn.resourcemanager.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
</property>
<!-- Kerberos keytab file for the ResourceManager service -->
<property>
<name>yarn.resourcemanager.keytab</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
</property>
<!-- Kerberos principal for the NodeManager service.
     NOTE(review): no yarn.nodemanager.container-executor.class is set, so
     containers keep the default executor and run as the NodeManager's own
     user rather than as the submitting user; confirm this is acceptable
     before treating the cluster as multi-tenant. -->
<property>
<name>yarn.nodemanager.principal</name>
<value>hdfs/_HOST@HADOOP.COM</value>
</property>
<!-- Kerberos keytab file for the NodeManager service -->
<property>
<name>yarn.nodemanager.keytab</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop/hdfs.keytab</value>
</property>
</configuration>
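# Push the edited yarn-site.xml to every node. Use the absolute path like the
# other xsync calls on this page, so the command does not depend on the
# current directory still being $HADOOP_HOME/etc/hadoop.
xsync $HADOOP_HOME/etc/hadoop/yarn-site.xml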
3.6 mapred-site.xml
# The <configuration> block that follows is the contents of mapred-site.xml.
vim mapred-site.xml
<configuration>
<property>
<name>mapreduce.framework.name</name>
<value>yarn</value>
</property>
<!-- 历史服务器的Kerberos主体 -->
<property>
<name>mapreduce.jobhistory.keytab</name>
<value>/opt/bigdata/hadoop-3.2.1/etc/hadoop<以上是关于ApacheHadoop 3.2.1集群集成Kerberos的主要内容,如果未能解决你的问题,请参考以下文章