如何解决在 Hadoop 3.3.1 集群上配置 Kerberos
我制作了一个 hadoop 集群并能够用它实现一些处理(avro、spark、kafka),现在我想设置 kerberos 以确保安全,但经过多次尝试后我没有得到任何结果。>
有人可以做到或知道如何进行吗?无论是什么系统(Centos 或 Debian)
我收到如下错误:
base | Authenticating as principal root/admin@EXAMPLE.COM with password.
base | kadmin: Client 'root/admin@EXAMPLE.COM' not found in Kerberos database while initializing kadmin interface
Dockerfile
FROM centos:7
RUN yum clean all; \
rpm --rebuilddb; \
yum install -y initscripts curl nano cmake git curl which tar sudo rsync openssh-server openssh-clients
RUN yum update -y libselinux
RUN yum install -y java-1.8.0-openjdk
# RUN ssh-keygen && \
# ssh-copy-id -i localhost
ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0/jre
RUN curl -O https://dist.apache.org/repos/dist/release/hadoop/common/KEYS
RUN gpg --import KEYS
ENV HADOOP_VERSION 3.3.1
ENV HADOOP_URL https://www.apache.org/dist/hadoop/common/hadoop-$HADOOP_VERSION/hadoop-$HADOOP_VERSION.tar.gz
RUN set -x \
&& curl -fSL "$HADOOP_URL" -o /tmp/hadoop.tar.gz \
&& curl -fSL "$HADOOP_URL.asc" -o /tmp/hadoop.tar.gz.asc \
&& gpg --verify /tmp/hadoop.tar.gz.asc \
&& tar -xvf /tmp/hadoop.tar.gz -C /opt/ \
&& rm /tmp/hadoop.tar.gz*
RUN ln -s /opt/hadoop-$HADOOP_VERSION/etc/hadoop /etc/hadoop
RUN mkdir /opt/hadoop-$HADOOP_VERSION/logs
RUN mkdir /hadoop-data
ENV HADOOP_HOME=/opt/hadoop-$HADOOP_VERSION
ENV HADOOP_PREFIX=/opt/hadoop-$HADOOP_VERSION
ENV HADOOP_CONF_DIR=/etc/hadoop
ENV MULTIHOMED_NETWORK=1
ENV USER=root
ENV PATH $HADOOP_HOME/bin/:$PATH
# Kerberos client
RUN yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
RUN yum -y install apache-commons-daemon-jsvc
RUN yum install net-tools -y
RUN yum install telnet telnet-server -y
RUN yum -y install which
RUN mkdir -p /var/log/kerberos
RUN touch /var/log/kerberos/kadmind.log
ENV HADOOP_COMMON_HOME $HADOOP_HOME
ENV HADOOP_HDFS_HOME $HADOOP_HOME
ENV HADOOP_MAPRED_HOME $HADOOP_HOME
ENV HADOOP_YARN_HOME $HADOOP_HOME
ENV HADOOP_CONF_DIR $HADOOP_HOME/etc/hadoop
ENV YARN_CONF_DIR $HADOOP_HOME/etc/hadoop
ENV NM_CONTAINER_EXECUTOR_PATH $HADOOP_HOME/bin/container-executor
ENV HADOOP_BIN_HOME $HADOOP_HOME/bin
ENV PATH $PATH:$HADOOP_BIN_HOME
ENV KRB_REALM EXAMPLE.COM
ENV DOMAIN_REALM EXAMPLE.COM
ENV KERBEROS_ADMIN admin/admin
ENV KERBEROS_ADMIN_PASSWORD admin
ENV KERBEROS_ROOT_USER_PASSWORD password
ENV KEYTAB_DIR /etc/security/keytabs
ENV FQDN hadoop.docker.com
RUN mkdir $HADOOP_HOME/input
RUN cp $HADOOP_HOME/etc/hadoop/*.xml $HADOOP_HOME/input
ADD config_files/hadoop-env.sh $HADOOP_HOME/etc/hadoop/hadoop-env.sh
ADD config_files/krb5.conf /etc/krb5.conf
ADD config_files/core-site.xml $HADOOP_HOME/etc/hadoop/core-site.xml
ADD config_files/hdfs-site.xml $HADOOP_HOME/etc/hadoop/hdfs-site.xml
ADD config_files/mapred-site.xml $HADOOP_HOME/etc/hadoop/mapred-site.xml
ADD config_files/yarn-site.xml $HADOOP_HOME/etc/hadoop/yarn-site.xml
ADD config_files/container-executor.cfg $HADOOP_HOME/etc/hadoop/container-executor.cfg
RUN mkdir $HADOOP_HOME/nm-local-dirs \
&& mkdir $HADOOP_HOME/nm-log-dirs
ADD config_files/ssl-server.xml $HADOOP_HOME/etc/hadoop/ssl-server.xml
ADD config_files/ssl-client.xml $HADOOP_HOME/etc/hadoop/ssl-client.xml
ADD config_files/keystore.jks $HADOOP_HOME/lib/keystore.jks
ADD entrypoint.sh /entrypoint.sh
RUN chmod a+x /entrypoint.sh
EXPOSE 8188 9864 9870 8042 8088 9866 22
ENTRYPOINT ["/entrypoint.sh"]
entrypoint.sh
#!/bin/bash
# sudo echo "*/admin@EXAMPLE.COM *" > /var/kerberos/krb5kdc/kadm5.acl
sudo kdb5_util create -r ${KERBEROS_ADMIN} -s -P changeme
# service krb5kdc start
# service kadmin start
# service krb524 start
# create namenode kerberos principal and keytab
sudo kadmin -q "modprinc -unlock PRINCNAME root@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} root@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} nn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} dn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} HTTP/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} jhs/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} yarn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} rm/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "addprinc -p ${KERBEROS_ROOT_USER_PASSWORD} nm/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k nn.service.keytab nn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k dn.service.keytab dn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k spnego.service.keytab HTTP/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k jhs.service.keytab jhs/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k yarn.service.keytab yarn/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k rm.service.keytab rm/$(hostname -f)@${KRB_REALM}"
sudo kadmin -q "xst -k nm.service.keytab nm/$(hostname -f)@${KRB_REALM}"
# mkdir -p ${KEYTAB_DIR}
# mv nn.service.keytab ${KEYTAB_DIR}
# mv dn.service.keytab ${KEYTAB_DIR}
# mv spnego.service.keytab ${KEYTAB_DIR}
# mv jhs.service.keytab ${KEYTAB_DIR}
# mv yarn.service.keytab ${KEYTAB_DIR}
# mv rm.service.keytab ${KEYTAB_DIR}
# mv nm.service.keytab ${KEYTAB_DIR}
# chmod 400 ${KEYTAB_DIR}/nn.service.keytab
# chmod 400 ${KEYTAB_DIR}/dn.service.keytab
# chmod 400 ${KEYTAB_DIR}/spnego.service.keytab
# chmod 400 ${KEYTAB_DIR}/jhs.service.keytab
# chmod 400 ${KEYTAB_DIR}/yarn.service.keytab
# chmod 400 ${KEYTAB_DIR}/rm.service.keytab
# chmod 400 ${KEYTAB_DIR}/nm.service.keytab
if [[ $1 == "-d" ]]; then
while true; do sleep 1000; done
fi
if [[ $1 == "-bash" ]]; then
/bin/bash
fi
docker-compose.yml*
version: "3"
networks:
custom:
driver: bridge
ipam:
driver: default
config:
- subnet: 172.22.0.0/16
gateway: 172.22.0.1
services:
kdc:
networks:
custom:
ipv4_address: 172.22.0.2
image: sequenceiq/kerberos
hostname: kdc.kerberos.com
environment:
REALM: EXAMPLE.COM
DOMAIN_REALM: kdc.kerberos.com
volumes:
- "./config_files/krb5.conf:/etc/krb5.conf"
- "/dev/urandom:/dev/random"
- "/etc/localtime:/etc/localtime:ro"
base:
networks:
custom:
ipv4_address: 172.22.0.3
build: ./base
container_name: base
restart: always
ports:
- 9870:9870
- 9000:9000
depends_on:
- kdc
hostname: hadoop
domainname: docker.com
tty: true
extra_hosts:
- "kdc.kerberos.com kdc:172.22.0.2"
environment:
CLUSTER_NAME: test
TZ: Europe/Paris
KRB_REALM: EXAMPLE.COM
DOMAIN_REALM: kdc.kerberos.com
FQDN: hadoop.docker.com
volumes:
- "./config_files/krb5.conf:/etc/krb5.conf"
- "/etc/localtime:/etc/localtime:ro"
非常感谢!
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
