# Enabling Kerberos on Ambari + HDP (based on FreeIPA)

Author: sysit  Category: d  Published: 2021-07-14

## 1. Prerequisites

* FreeIPA cluster installed
* HDP cluster installation complete

## 2. Integrating HDP with Kerberos

### 2.1 Configure the FreeIPA server

* Change FreeIPA's `default_ccache_name`. The Java-based Hadoop and Ambari services cannot read a kernel keyring credential cache, so switch to a file-based cache:

```
vi /etc/krb5.conf
# change default_ccache_name = KEYRING:persistent:%{uid} to
default_ccache_name = /tmp/krb5cc_%{uid}
```

* Change the password policy so passwords never expire. Note that `global_policy` is the realm-wide default policy, so this disables expiry for every account in the realm, not only for the Hadoop administration user:

```
ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
```

* Create the `hadoopadmin` user, add it to the `admins` group, set its password, and create the `ambari-managed-principals` group. The "Password expired" prompt on the first `kinit` is expected: a password set by an administrator with `ipa passwd` must be changed by the user at first use.

```
[root@ipa1 admin]# kinit admin
Password for admin@SYSIT.CN:
[root@ipa1 admin]# ipa user-add hadoopadmin --first=Hadoop --last=Admin
------------------------
Added user "hadoopadmin"
------------------------
  User login: hadoopadmin
  First name: Hadoop
  Last name: Admin
  Full name: Hadoop Admin
  Display name: Hadoop Admin
  Initials: HA
  Home directory: /home/hadoopadmin
  GECOS: Hadoop Admin
  Login shell: /bin/sh
  Principal name: hadoopadmin@SYSIT.CN
  Principal alias: hadoopadmin@SYSIT.CN
  Email address: hadoopadmin@sysit.cn
  UID: 803200003
  GID: 803200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@ipa1 admin]# ipa group-add-member admins --users=hadoopadmin
  Group name: admins
  Description: Account administrators group
  GID: 803200000
  Member users: admin, hadoopadmin
-------------------------
Number of members added 1
-------------------------
[root@ipa1 admin]# ipa passwd hadoopadmin
New Password:
Enter New Password again to verify:
-----------------------------------------------------
Changed password for "hadoopadmin@SYSIT.CN"
-----------------------------------------------------
[root@ipa1 admin]# ipa group-add ambari-managed-principals
---------------------------------------
Added group "ambari-managed-principals"
---------------------------------------
  Group name: ambari-managed-principals
  GID: 803200004
[root@ipa1 admin]# kinit hadoopadmin@SYSIT.CN
Password for hadoopadmin@SYSIT.CN:
Password expired.  You must change it now.
Enter new password:
Enter it again:
```

### 2.2 Client configuration

* Use a single time source: stop and disable the local chronyd on the client

```
systemctl stop chronyd
systemctl disable chronyd
```

* Point the client's DNS at the FreeIPA server. This overwrites `/etc/resolv.conf`; if NetworkManager manages that file it may be rewritten again on the next network restart.

```
echo "nameserver $ipaserver_ip_address" > /etc/resolv.conf
```

* Install the IPA client

```
yum -y install ipa-client
```

* Enroll the host with FreeIPA

```
ipa-client-install --domain=sysit.cn \
  --realm=SYSIT.CN \
  --principal=hadoopadmin@SYSIT.CN \
  --enable-dns-updates
```

### 2.3 Enable Kerberos

Open the Kerberos page in Ambari and click “ENABLE KERBEROS”; the wizard opens.

Select "Existing IPA", confirm that the four items listed below it have been configured, and click “NEXT” to continue.

Fill in the complete information and click “NEXT” to start the installation.

Keep clicking “NEXT” through the remaining steps until the wizard finishes.

At this point the Kerberos integration is complete.
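The `krb5.conf` edit in section 2.1 is done by hand in the post. As an added example (not from the original post), the script below makes the same change idempotently, verifies the result, and refuses to leave a `KEYRING:` cache in place. The file path is a parameter so the helpers can be exercised against a scratch copy before touching the real `/etc/krb5.conf`; the `KRB5_CONF` environment variable and the `CCACHE` value are assumptions of this example, with `CCACHE` set to the cache path used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: switch default_ccache_name from a
# kernel keyring to the file-based cache used in the post, and check the result.
set -eu

# Cache location from the post (a FILE: cache; the type prefix is optional).
CCACHE='/tmp/krb5cc_%{uid}'

# current_ccache FILE : print the configured default_ccache_name, or nothing
current_ccache() {
    sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# uses_keyring FILE : 0 when the configured cache is a kernel keyring, which the
# Java-based Hadoop and Ambari services cannot read
uses_keyring() {
    case "$(current_ccache "$1")" in
        KEYRING:*) return 0 ;;
        *) return 1 ;;
    esac
}

# set_file_ccache FILE : rewrite the setting, or add it under [libdefaults] when
# it is missing; idempotent, and keeps a .bak copy next to the file
set_file_ccache() {
    f="$1"
    cp "$f" "$f.bak"
    if [ -n "$(current_ccache "$f")" ]; then
        sed -i "s|^\([[:space:]]*default_ccache_name[[:space:]]*=\).*|\1 $CCACHE|" "$f"
    elif grep -q '^\[libdefaults\]' "$f"; then
        sed -i "s|^\[libdefaults\]|[libdefaults]\n    default_ccache_name = $CCACHE|" "$f"
    else
        printf '[libdefaults]\n    default_ccache_name = %s\n' "$CCACHE" >> "$f"
    fi
}

# verify_ccache FILE : 0 only when the file now carries the expected cache setting
verify_ccache() {
    [ "$(current_ccache "$1")" = "$CCACHE" ] && ! uses_keyring "$1"
}

# Act only when explicitly pointed at a file (KRB5_CONF is this example's own
# variable), so sourcing the script has no side effects.
if [ -n "${KRB5_CONF:-}" ]; then
    set_file_ccache "$KRB5_CONF"
    verify_ccache "$KRB5_CONF" && echo "default_ccache_name is now $CCACHE"
fi
```

Run it as `KRB5_CONF=/etc/krb5.conf sh fix_ccache.sh` on the FreeIPA server (and on any other host whose Java services need a readable cache). The `.bak` copy lets you diff the change before restarting anything.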
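Section 2.2 lists the client steps as individual commands. As an added example (not from the original post), the script below wraps them into one idempotent enrollment routine: it validates the nameserver address before overwriting the resolver configuration, and skips re-enrollment when the host already has IPA client configuration and a host keytab. `ROOT`, `IPA_DNS` and the address `192.0.2.10` are assumptions of this example; `ROOT` prefixes every path so the file checks can be exercised on a scratch directory, and is empty on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent preparation and
# enrollment of an HDP node into FreeIPA, following the steps in section 2.2.
set -eu

ROOT="${ROOT:-}"                    # path prefix; empty means the real filesystem
IPA_DNS="${IPA_DNS:-192.0.2.10}"    # constructed placeholder for the IPA server address
DOMAIN="sysit.cn"
REALM="SYSIT.CN"
PRINCIPAL="hadoopadmin@$REALM"

# valid_ipv4 ADDR : 0 only for a dotted quad with every octet in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# point_dns ADDR : replace the resolver config with the IPA DNS server, refusing
# anything that is not an address (a bare echo would happily write garbage)
point_dns() {
    valid_ipv4 "$1" || { echo "refusing nameserver '$1'" >&2; return 1; }
    printf 'nameserver %s\n' "$1" > "$ROOT/etc/resolv.conf"
}

# enrolled : 0 when the host already carries IPA client config and a host keytab
enrolled() {
    [ -f "$ROOT/etc/ipa/default.conf" ] && [ -s "$ROOT/etc/krb5.keytab" ]
}

# enroll : the post's client steps, skipped when the host is already enrolled;
# this runs the real system tools and needs root
enroll() {
    if enrolled; then
        echo "already enrolled, nothing to do"
        return 0
    fi
    systemctl stop chronyd
    systemctl disable chronyd
    point_dns "$IPA_DNS"
    yum -y install ipa-client
    ipa-client-install --domain="$DOMAIN" \
        --realm="$REALM" \
        --principal="$PRINCIPAL" \
        --enable-dns-updates
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    enroll
fi
```

Invoke it as `IPA_DNS=<ipa server address> sh enroll_client.sh --run` on each HDP node; a second run on an enrolled node exits without touching the resolver or re-running `ipa-client-install`.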