Ambari+HDP启用kerberos(基于FreeIPA)

作者: sysit 分类: d 发表于 2021-07-14 147人围观

## 1. 前置要件
* FreeIPA 集群安装
* HDP集群安装完成

## 2. HDP集成kerberos
### 2.1 配置FreeIPA服务器

* 修改FreeIPA的default_ccache_name

```
vi /etc/krb5.conf

#修改default_ccache_name = KEYRING:persistent:%{uid}为
default_ccache_name = /tmp/krb5cc_%{uid}
```

* 修改密码策略，永不过期

```
ipa pwpolicy-mod --maxlife=0 --minlife=0 global_policy
```

* 创建hadoopadmin用户

```
[root@ipa1 admin]# kinit admin
Password for admin@SYSIT.CN:

[root@ipa1 admin]# ipa user-add hadoopadmin --first=Hadoop --last=Admin
ipa group-add-member admins --users=hadoopadmin
ipa passwd hadoopadmin------------------------
Added user "hadoopadmin"
------------------------
  User login: hadoopadmin
  First name: Hadoop
  Last name: Admin
  Full name: Hadoop Admin
  Display name: Hadoop Admin
  Initials: HA
  Home directory: /home/hadoopadmin
  GECOS: Hadoop Admin
  Login shell: /bin/sh
  Principal name: hadoopadmin@SYSIT.CN
  Principal alias: hadoopadmin@SYSIT.CN
  Email address: hadoopadmin@sysit.cn
  UID: 803200003
  GID: 803200003
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
  
[root@ipa1 admin]# ipa group-add-member admins --users=hadoopadmin
  Group name: admins
  Description: Account administrators group
  GID: 803200000
  Member users: admin, hadoopadmin
-------------------------
Number of members added 1
-------------------------

[root@ipa1 admin]# ipa passwd hadoopadmin
New Password: 
Enter New Password again to verify: 
-----------------------------------------------------
Changed password for "hadoopadmin@SYSIT.CN"
-----------------------------------------------------

[root@ipa1 admin]# ipa group-add ambari-managed-principals
---------------------------------------
Added group "ambari-managed-principals"
---------------------------------------
  Group name: ambari-managed-principals
  GID: 803200004
  
[root@ipa1 admin]# kinit hadoopadmin@SYSIT.CN
Password for hadoopadmin@SYSIT.CN: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 
```

### 2.2 客户端配置

* 统一时间服务器

```
systemctl stop chronyd
systemctl disable chronyd
```

* 客户机将DNS指向FreeIPA服务器

```
echo "nameserver $ipaserver_ip_address" > /etc/resolv.conf
```

* 安装ipa-client

```
yum -y install ipa-client
```

* 向FreeIPA注册

```
ipa-client-install --domain=sysit.cn \
    --realm=SYSIT.CN \
    --principal=hadoopadmin@SYSIT.CN \
    --enable-dns-updates
```

### 2.3 kerberos启用

kerberos页面

![title](/api/file/getImage?fileId=60ee8f5ce0dda66a8a00d5f5)

点击“ENABLE KERBEROS”进入如下界面：

![title](/api/file/getImage?fileId=60ee8f8ee0dda66a8a00d5f6)

选择Existing IPA，并确认下面的4个项目已经配置完毕，点击“NEXT”，进入下一步

![title](/api/file/getImage?fileId=60ee8fdfe0dda66a8a00d5f7)

填写完整的信息，点击“NEXT”进入安装

![title](/api/file/getImage?fileId=60ee9004e0dda66a8a00d5f8)

一直点击NEXT进入下一步直到完成

![title](/api/file/getImage?fileId=60ee9029e0dda66a8a00d5f9)

![title](/api/file/getImage?fileId=60ee9042e0dda66a8a00d5fa)

![title](/api/file/getImage?fileId=60ee9063e0dda66a8a00d5fb)

![title](/api/file/getImage?fileId=60ee9071e0dda66a8a00d5fc)

至此集成kerberos完成。

如果觉得我的文章对您有用，请随意赞赏。您的支持将鼓励我继续创作！