CDP存量集群启动Kerberos

本操作流程中将KDC服务安装在Cloudera Manager Server所在服务器上（KDC服务可根据自己需要安装在其他服务器）。

前提条件

1. CDP集群正常运行

2. 集群未启用Kerberos

操作流程

1. 安装及配置KDC服务

2. CDP集群启用Kerberos

集群环境

1. 操作系统：CentOS7.9

2. CDP版本：Cloudera Runtime 7.1.6 (Parcels)

3. 采用root用户进行操作

KDC服务安装及配置

1.修改/etc/krb5.conf配置

vim/etc/krb5.conf 配置模板

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = BDPHTSEC.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 1d
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts
default_tkt_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1
kdc_timeout = 3000

[realms]
BDPHTSEC.COM = {
  kdc = cdp-utility-1.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com
  admin_server = cdp-utility-1.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com
}

[domain_realm]
.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com = BDPHTSEC.COM
c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com = BDPHTSEC.COM

2.修改/var/kerberos/krb5kdc/kadm5.acl配置

*/admin@BDPHTSEC.COM      *

3.修改/var/kerberos/krb5kdc/kdc.conf配置

[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
BDPHTSEC.COM = {
  database_name = /var/kerberos/krb5kdc/principal
  max_renewable_life = 7d
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts aes128-cts
}

4.创建Kerberos数据库，并输入密码

 kdb5_util create –r BDPHTSEC.COM -s

5.创建Kerberos的管理账号需要输入管理员密码

[root@cdp-utility-1 ~]# kadmin.local
Authenticating as principal root/admin@BDPHTSEC.COM with password.
kadmin.local:  addprinc admin/admin@BDPHTSEC.COM
WARNING: no policy specified for admin/admin@BDPHTSEC.COM; defaulting to no policy
Enter password for principal "admin/admin@BDPHTSEC.COM":
Re-enter password for principal "admin/admin@BDPHTSEC.COM":
Principal "admin/admin@BDPHTSEC.COM" created.
kadmin.local:  exit

6.将Kerberos服务添加到自启动服务，并启动krb5kdc和kadmin服务

[root@ ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@ ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@~]# systemctl start krb5kdc
[root@ ~]# systemctl start kadmin

7.测试Kerberos的管理员账号

[root@cdp-utility-1 ~]# kinit admin/admin@BDPHTSEC.COM
Password for admin/admin@BDPHTSEC.COM:
[root@cdp-utility-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@BDPHTSEC.COM

Valid starting       Expires              Service principal
2021-10-15T16:26:47  2021-10-16T16:26:47  krbtgt/BDPHTSEC.COM@BDPHTSEC.COM
        renew until 2021-10-22T16:26:47

8.Cloudera Manager Server服务器上已经默认安装了openldap-clients，如果没有可以执行下面命令安装

[root@cdp-utility-1 ~]# yum -y install openldap-client
已加载插件：fastestmirror
Loading mirror speeds from cached hostfile
没有可用软件包 openldap-client。
错误：无须任何处理

9.将KDC Server上的krb5.conf文件拷贝到所有Kerberos客户端（分发到所有的节点）

scp /etc/krb5.conf cdp-master-1:/etc
scp /etc/krb5.conf cdp-core-1:/etc
scp /etc/krb5.conf cdp-core-2:/etc
scp /etc/krb5.conf cdp-core-3:/etc

CDH集群启用Kerberos

1.在KDC中给Cloudera Manager添加管理员账号，并输入密码确认。

[root@cdp-utility-1 ~]# kadmin.local
Authenticating as principal admin/admin@BDPHTSEC.COM with password.
kadmin.local:  addprinc cloudera/admin@BDPHTSEC.COM

2.进入Cloudera Manager的“管理”->“安全”界面，选择“启用Kerberos”。

3.确保如下列出的所有检查项都已完成，点击勾选并继续。

4.Enter KDC Information

配置相关的KDC信息，包括类型、KDC服务器、KDC Realm、加密类型以及待创建的Service Principal（hdfs，yarn，hbase，hive等）的更新生命期等，并继续。

5.不建议让Cloudera Manager来管理krb5.conf, 点击“继续”。

6.输入Cloudera Manager的Kerbers管理员账号，一定得和之前创建的账号一致，点击“继续”。

7.验证通过，点击下一步。

8.保持默认点击继续。

9.点击“完成”，至此已成功启用Kerberos。

等待服务安装完成，查看各个服务都能正常启动。