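This post records the process of configuring authentication for ZooKeeper installed on Linux virtual machines, for future study.
It covers configuring Kerberos authentication for ZooKeeper. Installing the ZooKeeper cluster itself is already covered in "ZooKeeper cluster deployment and installation"
and is not repeated here.
Readers are encouraged to read the whole post, add their own understanding, and then follow it when configuring.
This post is based entirely on other bloggers' configurations; on top of those it fills in paths and adds configuration steps in more detail, for later reference when configuring and studying. The reference links are at the end of the post.
Kerberos configuration for ZooKeeper
1. Generate the Kerberos authentication identities for zk
1.1 Run kadmin.local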
kadmin.local
1.2 Generate the tickets
addprinc zookeeper/master
# enter 1234 as the password
addprinc zookeeper/slave1
# enter 1234 as the password
addprinc zookeeper/slave2
# enter 1234 as the password
addprinc zkcli/hadoop
ktadd -norandkey -k /etc/security/keytab/zk-master.keytab zookeeper/master
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/master
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/slave1
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/slave2
1.3 Copy the keytab to all nodes
Go to /etc/security/keytab/
cd /etc/security/keytab/
scp zk-server.keytab root@master:/usr/local/zookeeper-3.4.10/conf/
scp zk-server.keytab root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp zk-server.keytab root@slave2:/usr/local/zookeeper-3.4.10/conf/
2. Edit the zk configuration file and add the following settings
2.1 Go to /usr/local/zookeeper-3.4.10/conf/
cd /usr/local/zookeeper-3.4.10/conf/
2.2 Add the configuration
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.rem
2.3 Sync to the other nodes
scp /usr/local/zookeeper-3.4.10/conf/zoo.cfg root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp /usr/local/zookeeper-3.4.10/conf/zoo.cfg root@slave2:/usr/local/zookeeper-3.4.10/conf/
3. Create the jaas.conf file
Go to /usr/local/zookeeper-3.4.10/conf/ and create the file
cd /usr/local/zookeeper-3.4.10/conf/
touch jaas.conf
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper-3.4.10/conf/zk-server.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/master@HADOOP.COM";
};
4. Create the client principals
4.1 Run kadmin.local
addprinc zkcli/master
addprinc zkcli/slave1
addprinc zkcli/slave2
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/master
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/slave1
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/slave2
4.2 Distribute the keytab file to the other nodes
scp /etc/security/keytab/zk-clie.keytab root@master:/usr/local/zookeeper-3.4.10/conf/
scp /etc/security/keytab/zk-clie.keytab root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp /etc/security/keytab/zk-clie.keytab root@slave2:/usr/local/zookeeper-3.4.10/conf/
5. Configure the client-jaas.conf file
The current directory is /usr/local/zookeeper-3.4.10/conf/
touch client-jaas.conf
vi client-jaas.conf
# add the following configuration, then save and exit
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper-3.4.10/conf/zk-clie.keytab"
storeKey=true
useTicketCache=false
principal="zkcli/master@HADOOP.COM";
};
Distribute it to the other nodes, and change the principal on each of the other nodes
scp client-jaas.conf root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp client-jaas.conf root@slave2:/usr/local/zookeeper-3.4.10/conf/
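The step above copies one client-jaas.conf to every node and relies on the principal being edited by hand afterwards. The following check is an added example, not part of the original post: the function names jaas_get and check_jaas are hypothetical, and it assumes the host part of each principal equals the node name used in this post (master, slave1, slave2) and that a keytab should carry mode 600 or 400.

```bash
# Added example: check a JAAS file on the node it was copied to.
# jaas_get FILE SECTION KEY -> prints KEY's value inside "SECTION { ... };"
jaas_get() {
  awk -v sec="$2" -v key="$3" '
    $1 == sec && index($0, "{") { inside = 1; next }
    inside && substr($1, 1, 1) == "}" { inside = 0 }
    inside {
      line = $0
      gsub(/^[ \t]+|[ \t]+$/, "", line)
      if (index(line, key "=") == 1) {
        v = substr(line, length(key) + 2)
        gsub(/[";]/, "", v)
        print v
        exit
      }
    }' "$1"
}

# check_jaas FILE SECTION EXPECTED_HOST -> 0 if the section is usable here
check_jaas() {
  cj_rc=0
  cj_keytab=$(jaas_get "$1" "$2" keyTab)
  cj_principal=$(jaas_get "$1" "$2" principal)
  if [ -z "$cj_keytab" ] || [ -z "$cj_principal" ]; then
    echo "FAIL: no keyTab/principal in section $2 of $1" >&2
    return 1
  fi
  # Principal has the form service/host@REALM; isolate the host part.
  cj_host=${cj_principal#*/}
  cj_host=${cj_host%@*}
  if [ "$cj_host" != "$3" ]; then
    echo "FAIL: principal $cj_principal does not name host $3" >&2
    cj_rc=1
  fi
  if [ ! -r "$cj_keytab" ]; then
    echo "FAIL: keytab $cj_keytab is missing or unreadable" >&2
    return 1
  fi
  # A keytab holds long-term keys: allow no group/other permission bits.
  cj_mode=$(stat -c %a "$cj_keytab")   # GNU stat, as on Linux
  case "$cj_mode" in
    *00) ;;
    *) echo "FAIL: $cj_keytab has mode $cj_mode, want 600 or 400" >&2
       cj_rc=1 ;;
  esac
  return "$cj_rc"
}

# Example call on slave1 (paths from this page):
#   check_jaas /usr/local/zookeeper-3.4.10/conf/client-jaas.conf Client slave1
```

The same function checks the server file when called with the Server section and jaas.conf.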
6. Verify Kerberos for zk
Add a java.env file
touch java.env
vi java.env
# add the following configuration, then save and exit
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/jaas.conf"
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/jaas.conf"
./zkServer.sh start
# note: all nodes must be started
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/client-jaas.conf"
echo $JVMFLAGS
./zkCli.sh -server master:2181
Troubleshooting
Problem 1: running ./zkCli.sh -server master:2181 reports an error  # note: all nodes must be started
Error reference: https://github.com/UKHomeOffice/docker-zookeeper/issues/1
Error reference: https://blog.csdn.net/weixin_44388193/article/details/102797296
Error reference: ZooKeeperSaslClient 247 SASL authentication failed using login context Client
Solution link: https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication