0. 環(huán)境
1 臺(tái)Centos7主機(jī) 部署 master KDC
2 臺(tái) Centos7主機(jī) 部署 Kerberos Client
1. Master主機(jī)安裝Kerberos
yum install krb5-server krb5-libs krb5-workstation -y
1.1 配置kdc.conf
vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
HADOOP.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
max_renewable_life = 7d
supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
說明:
- HADOOP.COM:是設(shè)定的realms。名字隨意凰锡。Kerberos可以支持多個(gè)realms缠犀,一般全用大寫
- master_key_type刷钢,supported_enctypes默認(rèn)使用aes256-cts挖腰。由于词身,JAVA使用aes256-cts驗(yàn)證方式需要安裝額外的jar包,這里暫不使用
- acl_file:標(biāo)注了admin的用戶權(quán)限贴捡。文件格式是
Kerberos_principal permissions [target_principal] [restrictions]支持通配符等 - admin_keytab:KDC進(jìn)行校驗(yàn)的keytab
- supported_enctypes:支持的校驗(yàn)方式忽肛。注意把a(bǔ)es256-cts去掉
1.2 配置krb5.conf
vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
clockskew = 120
udp_preference_limit = 1
[realms]
HADOOP.COM = {
kdc = node-1
admin_server = node-1
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
說明:
- [logging]:表示server端的日志的打印位置
- udp_preference_limit = 1 禁止使用udp可以防止一個(gè)Hadoop中的錯(cuò)誤
- ticket_lifetime: 表明憑證生效的時(shí)限,一般為24小時(shí)烂斋。
- renew_lifetime: 表明憑證最長(zhǎng)可以被延期的時(shí)限屹逛,一般為一個(gè)禮拜。當(dāng)憑證過期之后汛骂,對(duì)安全認(rèn)證的服務(wù)的后續(xù)訪問則會(huì)失敗罕模。
- clockskew:時(shí)鐘偏差是不完全符合主機(jī)系統(tǒng)時(shí)鐘的票據(jù)時(shí)戳的容差,超過此容差將不接受此票據(jù)帘瞭,單位是秒
1.3 初始化kerberos database
kdb5_util create -s -r HADOOP.COM
其中淑掌,[-s]表示生成stash file,并在其中存儲(chǔ)master server key(krb5kdc)蝶念;還可以用[-r]來指定一個(gè)realm name —— 當(dāng)krb5.conf中定義了多個(gè)realm時(shí)才是必要的抛腕。
1.4 修改database administrator的ACL權(quán)限
vim /var/kerberos/krb5kdc/kadm5.acl
#修改如下
*/admin@HADOOP.COM *
kadm5.acl 文件更多內(nèi)容可參考:kadm5.acl
想要管理 KDC 的資料庫(kù)有兩種方式, 一種直接在 KDC 本機(jī)上面直接執(zhí)行媒殉,可以不需要密碼就登入資料庫(kù)管理担敌;一種則是需要輸入賬號(hào)密碼才能管理~這兩種方式分別是:
- kadmin.local:需要在 KDC server 上面操作,無需密碼即可管理資料庫(kù)
- kadmin:可以在任何一臺(tái) KDC 領(lǐng)域的系統(tǒng)上面操作廷蓉,但是需要輸入管理員密碼
1.5 啟動(dòng)kerberos daemons
systemctl start kadmin krb5kdc
systemctl enable kadmin krb5kdc
2. 在另外兩臺(tái)主機(jī)部署Kerberos Client
yum install krb5-workstation krb5-libs -y
#從master主機(jī)復(fù)制krb5.conf到這兩臺(tái)主機(jī)
scp /etc/krb5.conf node-2:/etc/krb5.conf
scp /etc/krb5.conf node-3:/etc/krb5.conf
3. kerberos的日常操作
先配置下root/admin密碼
[root@node-1 ~]# kadmin.local
Authenticating as principal root/admin@HADOOP.COM with password.
kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@HADOOP.COM; defaulting to no policy
Enter password for principal "root/admin@HADOOP.COM":
Re-enter password for principal "root/admin@HADOOP.COM":
Principal "root/admin@HADOOP.COM" created.
kadmin.local: listprincs
K/M@HADOOP.COM
kadmin/admin@HADOOP.COM
kadmin/changepw@HADOOP.COM
kadmin/instance-ay8h77o0-1@HADOOP.COM
kiprop/instance-ay8h77o0-1@HADOOP.COM
krbtgt/HADOOP.COM@HADOOP.COM
root/admin@HADOOP.COM
kadmin.local: exit
新加用戶hd1:
[root@node-3 ~]# kadmin
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM:
kadmin: addprinc hd1
WARNING: no policy specified for hd1@HADOOP.COM; defaulting to no policy
Enter password for principal "hd1@HADOOP.COM":
Re-enter password for principal "hd1@HADOOP.COM":
Principal "hd1@HADOOP.COM" created.
kadmin: exit
注:輸入全封?,可以查看所有命令的用法
kadmin.local: ?
Available kadmin.local requests:
add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
rename_principal, renprinc
Rename principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs
List principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
用hd1登錄:
[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM:
[root@node-3 ~]# klist
# 查看已授權(quán)列表
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd1@HADOOP.COM
Valid starting Expires Service principal
07/12/2018 17:27:32 07/13/2018 17:27:32 krbtgt/HADOOP.COM@HADOOP.COM
renew until 07/19/2018 17:27:32
刪除當(dāng)前的認(rèn)證的緩存
[root@node-3 ~]# kdestroy
強(qiáng)制更新ticket
kinit -R
使用keytab
生成keytab
kadmin.local -q "xst -k keytab/hd1.keytab hd1@HADOOP.COM"
or
kadmin -q "xst -k keytab/hd1.keytab hd1@HADOOP.COM"
注意:生成keytab后桃犬,密碼被修改了刹悴,無法再用之前輸入密碼登錄了
如果想要密碼不變,需要按照以下方式做攒暇,必須是kadmin.local
[root@node-1 ~]# kadmin.local -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"
否則
[root@node-3 ~]# kadmin -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM:
kadmin: Operation requires ``extract-keys'' privilege while changing hd6@HADOOP.COM's key
[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM:
kinit: Password incorrect while getting initial credentials
登錄
[root@node-3 ~]# kinit -kt keytab/hd3.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COM
Valid starting Expires Service principal
07/12/2018 18:24:43 07/13/2018 18:24:43 krbtgt/HADOOP.COM@HADOOP.COM
renew until 07/19/2018 18:24:43
合并keytab文件
[root@node-3 ~]# ktutil
ktutil: ?
Available ktutil requests:
clear_list, clear Clear the current keylist.
read_kt, rkt Read a krb5 keytab into the current keylist.
read_st, rst Read a krb4 srvtab into the current keylist.
write_kt, wkt Write the current keylist to a krb5 keytab.
write_st, wst Write the current keylist to a krb4 srvtab.
add_entry, addent Add an entry to the current keylist.
delete_entry, delent Delete an entry from the current keylist.
list, l List the current keylist.
list_requests, lr, ? List available requests.
quit, exit, q Exit program.
ktutil: rkt keytab/hd2.keytab
ktutil: rkt keytab/hd3.keytab
ktutil: wkt keytab/hd23.keytab
ktutil: exit
#使用合并后的keytab登錄
[root@node-3 ~]# kinit -kt keytab/hd23.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COM
Valid starting Expires Service principal
07/12/2018 18:30:27 07/13/2018 18:30:27 krbtgt/HADOOP.COM@HADOOP.COM
renew until 07/19/2018 18:30:27
可以查看keytab文件內(nèi)容
[root@node-3 ~]# klist -ket keytab/hd23.keytab
Keytab name: FILE:keytab/hd23.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 07/12/2018 18:28:33 hd2@HADOOP.COM (aes128-cts-hmac-sha1-96)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (des3-cbc-sha1)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (arcfour-hmac)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia256-cts-cmac)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia128-cts-cmac)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-hmac-sha1)
2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-cbc-md5)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (aes128-cts-hmac-sha1-96)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (des3-cbc-sha1)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (arcfour-hmac)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia256-cts-cmac)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia128-cts-cmac)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-hmac-sha1)
2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-cbc-md5)
