DEMO - Cross-Realm Kerberos Trust Between Two Hadoop Clusters

Applicable Modules

Cross-cluster data copy between an old and a new cluster

Description

Prerequisite for cross-cluster distcp between Kerberos-enabled HDFS clusters: establishing cross-realm Kerberos trust between the two Hadoop clusters.

Usage Example

Once Kerberos authentication is enabled on two Hadoop clusters, they can no longer access each other. Cross-realm trust between the two Kerberos realms is required so that a client of Hadoop cluster A can access the services of Hadoop cluster B (in essence, a ticket issued by Kerberos Realm A is used to access services in Realm B).
Prerequisites:
1) Both clusters (BDMS.163.COM and BDMS.COM) have Kerberos authentication enabled
2) Their Kerberos REALMs are set to BDMS.163.COM and BDMS.COM respectively
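Conceptually, once the trust is in place, a client that ran kinit in BDMS.163.COM obtains a cross-realm TGT for BDMS.COM on first access to the remote cluster. An illustrative, abbreviated klist after such an access (cache path shown is typical; timestamps elided):

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@BDMS.163.COM

Valid starting    Expires    Service principal
...               ...        krbtgt/BDMS.163.COM@BDMS.163.COM
...               ...        krbtgt/BDMS.COM@BDMS.163.COM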

1. Modify the Hadoop configuration

The core-site.xml configuration of the old cluster's NameNodes must be adjusted. After adding the rules below, carry out the rollout steps that follow.

# Add the following rules to the hadoop.security.auth_to_local property

RULE:[1:$1@$0](.*@BDMS.163.COM)s/@.*//
RULE:[2:$1@$0](.*@BDMS.163.COM)s/@.*//
RULE:[1:$1@$0](hdfs@BDMS.163.COM)s/.*/hdfs/
RULE:[2:$1@$0](hdfs@BDMS.163.COM)s/.*/hdfs/
RULE:[1:$1@$0](ranger@BDMS.163.COM)s/.*/ranger/
RULE:[2:$1@$0](ranger@BDMS.163.COM)s/.*/ranger/
RULE:[1:$1@$0](hbase@BDMS.163.COM)s/.*/hbase/
RULE:[2:$1@$0](hbase@BDMS.163.COM)s/.*/hbase/
RULE:[1:$1@$0](yarn@BDMS.163.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@BDMS.163.COM)s/.*/yarn/
RULE:[1:$1@$0](hive@BDMS.163.COM)s/.*/hive/
RULE:[2:$1@$0](hive@BDMS.163.COM)s/.*/hive/
RULE:[1:$1@$0](mammut@BDMS.163.COM)s/.*/mammut/
RULE:[2:$1@$0](mammut@BDMS.163.COM)s/.*/mammut/
RULE:[1:$1@$0](mapred@BDMS.163.COM)s/.*/mapred/
RULE:[2:$1@$0](mapred@BDMS.163.COM)s/.*/mapred/
RULE:[1:$1@$0](.*@BDMS.COM)s/@.*//
RULE:[2:$1@$0](.*@BDMS.COM)s/@.*//
DEFAULT
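
Each RULE has the form RULE:[n:$1@$0](regex)s/pattern/replacement/, where n is the number of components in the principal, $1 is its first component, and $0 is the realm; a principal whose rebuilt name matches the regex is mapped to a local short name by the sed-style substitution. For reference, a minimal sketch of how these rules might sit inside core-site.xml (the property element is the standard Hadoop form; the rule list is abbreviated):

<property>
    <name>hadoop.security.auth_to_local</name>
    <value>
        RULE:[1:$1@$0](.*@BDMS.163.COM)s/@.*//
        RULE:[2:$1@$0](.*@BDMS.163.COM)s/@.*//
        <!-- ... remaining rules as listed above ... -->
        DEFAULT
    </value>
</property>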

1) Apply and sync the configuration, and confirm the parameter has been updated
2) Restart the standby NameNode first; once the SNN restart completes, confirm its logs and WebUI look normal
3) Then restart the active NameNode; observe the former SNN switch to ANN, and confirm that service's logs and WebUI look normal (see the sketch after this list)
The client configuration used to run the DistCp job needs the same adjustment as well.
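A minimal sketch for checking the HA state after each restart; the NameNode IDs nn1 and nn2 are assumptions and must match the dfs.ha.namenodes.* entries in your hdfs-site.xml:

# Prints "active" or "standby" for each NameNode (nn1/nn2 are assumed IDs)
hdfs haadmin -getServiceState nn1
hdfs haadmin -getServiceState nn2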

2. Create the cross-realm trust principals

Log in as root to the admin KDC servers of both clusters and create the following two principals on each: krbtgt/realmA@realmB and krbtgt/realmB@realmA.

kadmin.local

# "ank" is an alias for add_principal; -kvno 1 pins the key version number
ank -kvno 1 krbtgt/BDMS.163.COM@BDMS.COM
ank -kvno 1 krbtgt/BDMS.COM@BDMS.163.COM

Use the same password for both principals, and the passwords for these two principals on the other KDC must match as well.
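To double-check, query the two principals on both KDCs and confirm that the kvno is 1 everywhere (standard kadmin.local queries):

kadmin.local -q "getprinc krbtgt/BDMS.163.COM@BDMS.COM"
kadmin.local -q "getprinc krbtgt/BDMS.COM@BDMS.163.COM"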

3. Update /etc/krb5.conf

1) Add the configuration for the new KDC realm

[realms]
BDMS.163.COM = {
admin_server = gnode1.local
kdc = gnode1.local
kdc = gnode2.local
}
BDMS.COM = {
admin_server = onode1.local
kdc = onode1.local
kdc = onode2.local
}

2) If the machines' domain names are identical, or they have no domain at all, you must explicitly specify which hosts belong to which realm

[domain_realm]       
    bdms.163.com = BDMS.163.COM
    .bdms.163.com = BDMS.163.COM
    bdms.com = BDMS.COM
    .bdms.com = BDMS.COM
    gnode1.local = BDMS.163.COM
    gnode2.local = BDMS.163.COM
    gnode3.local = BDMS.163.COM
    gnode4.local = BDMS.163.COM
    onode1.local = BDMS.COM
    onode2.local = BDMS.COM
    onode3.local = BDMS.COM
    onode4.local = BDMS.COM

3) Add a [capaths] section (the "." means the two realms trust each other directly, with no intermediate realm)

[capaths]
BDMS.163.COM = {
  BDMS.COM = .
}

BDMS.COM = {
  BDMS.163.COM = .
}

4) The complete file then looks like this:

[domain_realm]
    bdms.com = BDMS.COM
    .bdms.com = BDMS.COM
    bdms.163.com = BDMS.163.COM
    .bdms.163.com = BDMS.163.COM
    gnode1.local = BDMS.163.COM
    gnode2.local = BDMS.163.COM
    gnode3.local = BDMS.163.COM
    gnode4.local = BDMS.163.COM
    onode1.local = BDMS.COM
    onode2.local = BDMS.COM
    onode3.local = BDMS.COM
    onode4.local = BDMS.COM

[realms]
    BDMS.163.COM = {
        admin_server = gnode1.local:1749
        kdc = gnode1.local:1088
        kdc = gnode2.local:1088
    }
    BDMS.COM = {
        admin_server = onode1.local:1749
        kdc = onode1.local:1088
        kdc = onode2.local:1088
    }

[capaths]
BDMS.163.COM = {
  BDMS.COM = .
}

BDMS.COM = {
  BDMS.163.COM = .
}

4. Manually distribute the /etc/krb5.conf file to all nodes
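A minimal sketch of the distribution step, assuming passwordless SSH as root to every node (the host names follow the examples above):

# Push the merged krb5.conf to every node of both clusters
for host in gnode1.local gnode2.local gnode3.local gnode4.local \
            onode1.local onode2.local onode3.local onode4.local; do
    scp /etc/krb5.conf root@"${host}":/etc/krb5.conf
done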

5. Verification

Authenticate with one cluster's keytab, then check whether the other cluster's HDFS can be accessed.

[Figure 1]
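A minimal sketch of this check; the keytab path and principal are assumptions, and <NN> stands for a NameNode address of the other cluster, as in the DistCp example below:

# Authenticate in realm BDMS.163.COM (keytab path and principal are assumed)
kinit -kt /etc/security/keytabs/hdfs.service.keytab hdfs@BDMS.163.COM
# If the cross-realm trust works, listing the other cluster's HDFS succeeds
hdfs dfs -ls hdfs://<NN>:8020/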

Launch a DistCp job on one cluster's YARN to copy data from cluster A to cluster B, and check that it completes successfully. Run the job with the yarn client:

cd /usr/easyops/yarn/default_yarn_client

current/bin/hadoop --config config/ jar current/share/hadoop/tools/lib/hadoop-distcp-2.9.2.jar \
    -Dmapreduce.task.timeout=1200000 \
    -update -skipcrccheck -bandwidth 20 -m 30 \
    hdfs://<NN>:8020/user/mammut hdfs://easyops-cluster/user/mammut
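For reference on the flags: -update copies only files that are missing or changed at the destination, -skipcrccheck skips CRC comparison (needed when the two clusters use different checksum settings or block sizes), -bandwidth 20 caps each map task at about 20 MB/s, and -m 30 allows up to 30 map tasks. A minimal sketch for spot-checking the result afterwards, reusing the paths from the example above:

# Compare total size of the source and destination trees
current/bin/hadoop --config config/ fs -du -s hdfs://<NN>:8020/user/mammut
current/bin/hadoop --config config/ fs -du -s hdfs://easyops-cluster/user/mammut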

Author: 李云龙