DEMO: Cross-Realm Kerberos Trust Between Two Hadoop Clusters
Applicable module
Cross-cluster data copy between old and new clusters
Description
Prerequisite for cross-cluster DistCp between Kerberos-enabled HDFS clusters: establish cross-realm trust between the two Hadoop clusters' Kerberos realms.
Usage example
Once two Hadoop clusters have Kerberos authentication enabled, they cannot access each other, so mutual trust between the two Kerberos realms must be established so that a client of Hadoop cluster A can access the services of Hadoop cluster B (in essence, a ticket from Kerberos Realm A is used to access services in Realm B).
Prerequisites:
1) Both clusters (BDMS.163.COM and BDMS.COM) have Kerberos authentication enabled
2) Their Kerberos REALMs are set to BDMS.163.COM and BDMS.COM respectively
1. Modify the Hadoop configuration
The core-site.xml configuration on the old cluster's NameNodes needs to be adjusted: append the following rules to the hadoop.security.auth_to_local property.
RULE:[1:$1@$0](.*@BDMS.163.COM)s/@.*//
RULE:[2:$1@$0](.*@BDMS.163.COM)s/@.*//
RULE:[1:$1@$0](hdfs@BDMS.163.COM)s/.*/hdfs/
RULE:[2:$1@$0](hdfs@BDMS.163.COM)s/.*/hdfs/
RULE:[1:$1@$0](ranger@BDMS.163.COM)s/.*/ranger/
RULE:[2:$1@$0](ranger@BDMS.163.COM)s/.*/ranger/
RULE:[1:$1@$0](hbase@BDMS.163.COM)s/.*/hbase/
RULE:[2:$1@$0](hbase@BDMS.163.COM)s/.*/hbase/
RULE:[1:$1@$0](yarn@BDMS.163.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@BDMS.163.COM)s/.*/yarn/
RULE:[1:$1@$0](hive@BDMS.163.COM)s/.*/hive/
RULE:[2:$1@$0](hive@BDMS.163.COM)s/.*/hive/
RULE:[1:$1@$0](mammut@BDMS.163.COM)s/.*/mammut/
RULE:[2:$1@$0](mammut@BDMS.163.COM)s/.*/mammut/
RULE:[1:$1@$0](mapred@BDMS.163.COM)s/.*/mapred/
RULE:[2:$1@$0](mapred@BDMS.163.COM)s/.*/mapred/
RULE:[1:$1@$0](.*@BDMS.COM)s/@.*//
RULE:[2:$1@$0](.*@BDMS.COM)s/@.*//
DEFAULT
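For reference, a minimal sketch of what the property might look like in core-site.xml (the rule list is abbreviated here; the full list above goes into the value):
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[1:$1@$0](.*@BDMS.163.COM)s/@.*//
    RULE:[2:$1@$0](.*@BDMS.163.COM)s/@.*//
    RULE:[1:$1@$0](.*@BDMS.COM)s/@.*//
    RULE:[2:$1@$0](.*@BDMS.COM)s/@.*//
    DEFAULT
  </value>
</property>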
1) Apply and sync the configuration, and confirm the parameter has been modified
2) Restart the standby NameNode first; after the SNN restart completes, confirm its logs and WebUI are normal
3) Then restart the active NameNode; the former SNN should now switch to ANN. Confirm that service's logs and WebUI are normal (the HA state can also be checked from the command line, as in the sketch below)
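A minimal sketch for checking the HA state; nn1 and nn2 are placeholder NameNode IDs (use the values of dfs.ha.namenodes.<nameservice> from hdfs-site.xml):
# Print the HA state (active/standby) of each NameNode
hdfs haadmin -getServiceState nn1
hdfs haadmin -getServiceState nn2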
The client configuration used to run the DistCp job needs the same adjustment as well.
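To confirm the rules take effect, the auth_to_local mapping can be tested with Hadoop's built-in HadoopKerberosName tool; a quick check, assuming the adjusted configuration is on the client's classpath:
# Should print: Name: hdfs@BDMS.163.COM to hdfs
hadoop org.apache.hadoop.security.HadoopKerberosName hdfs@BDMS.163.COM
# A principal from the other realm should also map to its short name
hadoop org.apache.hadoop.security.HadoopKerberosName hive@BDMS.COM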
2. Create the cross-realm principals
Log in to both admin KDC servers as root and create the following two principals on each: krbtgt/realmA@realmB and krbtgt/realmB@realmA.
kadmin.local
ank -kvno 1 krbtgt/BDMS.163.COM@BDMS.COM
ank -kvno 1 krbtgt/BDMS.COM@BDMS.163.COM
Both principals must be created with the same password and the same kvno (here 1); the corresponding two principals on the other KDC must match as well.
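Equivalently, a minimal non-interactive sketch using kadmin.local -q; <shared-password> is a placeholder and must be identical for these principals on both KDCs:
# Run on each KDC as root; ank is an alias of add_principal
kadmin.local -q "ank -kvno 1 -pw <shared-password> krbtgt/BDMS.163.COM@BDMS.COM"
kadmin.local -q "ank -kvno 1 -pw <shared-password> krbtgt/BDMS.COM@BDMS.163.COM"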
3. Modify /etc/krb5.conf
1) Add the configuration for the new KDC realm, so that both realms appear under [realms]
[realms]
BDMS.163.COM = {
admin_server = gnode1.local
kdc = gnode1.local
kdc = gnode2.local
}
BDMS.COM = {
admin_server = onode1.local
kdc = onode1.local
kdc = onode2.local
}
2) If the machines share the same domain name, or the hosts have no domain suffix, you need to explicitly specify which hosts belong to which realm
[domain_realm]
bdms.163.com = BDMS.163.COM
.bdms.163.com = BDMS.163.COM
bdms.com = BDMS.COM
.bdms.com = BDMS.COM
gnode1.local = BDMS.163.COM
gnode2.local = BDMS.163.COM
gnode3.local = BDMS.163.COM
gnode4.local = BDMS.163.COM
onode1.local = BDMS.COM
onode2.local = BDMS.COM
onode3.local = BDMS.COM
onode4.local = BDMS.COM
3) Add a [capaths] section (the "." value means the two realms trust each other directly, with no intermediate realm)
[capaths]
BDMS.163.COM = {
BDMS.COM = .
}
BDMS.COM = {
BDMS.163.COM = .
}
4) The adjusted file should then look like this
[domain_realm]
bdms.com = BDMS.COM
.bdms.com = BDMS.COM
bdms.163.com = BDMS.163.COM
.bdms.163.com = BDMS.163.COM
gnode1.local = BDMS.163.COM
gnode2.local = BDMS.163.COM
gnode3.local = BDMS.163.COM
gnode4.local = BDMS.163.COM
onode1.local = BDMS.COM
onode2.local = BDMS.COM
onode3.local = BDMS.COM
onode4.local = BDMS.COM
[realms]
BDMS.163.COM = {
admin_server = gnode1.local:1749
kdc = gnode1.local:1088
kdc = gnode2.local:1088
}
BDMS.COM = {
admin_server = onode1.local:1749
kdc = onode1.local:1088
kdc = onode2.local:1088
}
[capaths]
BDMS.163.COM = {
BDMS.COM = .
}
BDMS.COM = {
BDMS.163.COM = .
}
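Before touching Hadoop, the trust path can be verified at the Kerberos level; a minimal sketch, assuming a hypothetical test principal user@BDMS.163.COM:
# Obtain a TGT in the local realm
kinit user@BDMS.163.COM
# Request the cross-realm TGT; success confirms the krbtgt principals and capaths are consistent
kvno krbtgt/BDMS.COM@BDMS.163.COM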
4. Manually distribute /etc/krb5.conf to all nodes
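A minimal distribution sketch, assuming passwordless SSH as root and a hypothetical cluster_hosts.txt listing one hostname per line:
# Copy the merged krb5.conf to every node of both clusters
for host in $(cat cluster_hosts.txt); do
  scp /etc/krb5.conf "root@${host}:/etc/krb5.conf"
done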
5. Verification
1) Authenticate with a keytab from one cluster and check whether the other cluster's HDFS is accessible (see the sketch after the next step)
2) Launch a DistCp job on one cluster's YARN to copy data from cluster A to cluster B, and check whether it completes normally
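A minimal access check for step 1); the keytab path and principal are examples for this environment, and <NN> is the other cluster's NameNode host:
# Obtain a ticket in realm BDMS.163.COM and confirm it
kinit -kt /etc/security/keytabs/hdfs.keytab hdfs@BDMS.163.COM
klist
# List a directory on the other cluster's HDFS
hadoop fs -ls hdfs://<NN>:8020/user/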
Run the job with the YARN client:
cd /usr/easyops/yarn/default_yarn_client
current/bin/hadoop --config config/ jar current/share/hadoop/tools/lib/hadoop-distcp-2.9.2.jar \
  -Dmapreduce.task.timeout=1200000 \
  -update -skipcrccheck \
  -bandwidth 20 -m 30 \
  hdfs://<NN>:8020/user/mammut hdfs://easyops-cluster/user/mammut
Author: 李云龙