前言
大数据Hadoop集群启用Kerberos认证之后,访问返回会被限制到单个集群内部。如果有需要访问另一个开启Kerberos集群的需求(例如跨集群数据导入导出),需要配置Kerberos集群互信。
前提条件
- 两个集群的Kerberos Realm不能相同。
- 两个集群的FQDN二级域名不能相同。
- 两个集群的网络互通。
配置方法
环境信息
假定两个集群分别为BEIJING集群和SHANGHAI集群。
对于/etc/krb5.conf配置文件的[realms]片段,BEIJING集群的配置为:
[realms]
BEIJING = {
admin_server = host1.beijing.com
kdc = host1.beijing.com
}
SHANGHAI集群的配置为:
[realms]
SHANGHAI = {
admin_server = host1.shanghai.com
kdc = host1.shanghai.com
}
对于/et/hosts,BEIJING集群的配置为:
100.0.0.1 host1.beijing.com
100.0.0.2 host2.beijing.com
100.0.0.3 host3.beijing.com
SHANGHAI集群的配置为:
120.0.0.1 host1.shanghai.com
120.0.0.2 host2.shanghai.com
120.0.0.3 host3.shanghai.com
下面为互信的配置步骤。
修改/etc/krb5.conf文件
确保双方的集群都具有对方的realms配置。domain_realm和capaths按照下面的例子配置。
BEIJING集群的配置修改为:
[realms]
BEIJING = {
admin_server = host1.beijing.com
kdc = host1.beijing.com
}
SHANGHAI = {
admin_server = host1.shanghai.com
kdc = host1.shanghai.com
}
[domain_realm]
.beijing.com = BEIJING
beijing.com = BEIJING
.shanghai.com = SHANGHAI
shanghai.com = SHANGHAI
[capaths]
BEIJING = {
SHANGHAI = .
}
SHANGHAI集群的配置修改为:
[realms]
SHANGHAI = {
admin_server = host1.shanghai.com
kdc = host1.shanghai.com
}
BEIJING = {
admin_server = host1.beijing.com
kdc = host1.beijing.com
}
[domain_realm]
.shanghai.com = SHANGHAI
shanghai.com = SHANGHAI
.beijing.com = BEIJING
beijing.com = BEIJING
[capaths]
SHANGHAI = {
BEIJING = .
}
需要注意的是,如果存在有二级域名不是shanghai.com或者beijing.com的节点,需要在[domain_realm]片段中单独指定所属realm。例如:
[domain_realm]
.shanghai.com = SHANGHAI
shanghai.com = SHANGHAI
.beijing.com = BEIJING
beijing.com = BEIJING
testnode1 = BEIJING
配置完毕之后需要重启两个集群的Kerberos服务:
systemctl restart krb5kdc.service
systemctl restart kadmin.service
修改/etc/hosts文件
确保双方集群都具有对方的hosts信息。
BEIJING集群的配置修改为:
100.0.0.1 host1.beijing.com
100.0.0.2 host2.beijing.com
100.0.0.3 host3.beijing.com
120.0.0.1 host1.shanghai.com
120.0.0.2 host2.shanghai.com
120.0.0.3 host3.shanghai.com
SHANGHAI集群的配置修改为:
120.0.0.1 host1.shanghai.com
120.0.0.2 host2.shanghai.com
120.0.0.3 host3.shanghai.com
100.0.0.1 host1.beijing.com
100.0.0.2 host2.beijing.com
100.0.0.3 host3.beijing.com
配置krbtgt
在BEIJING集群添加krbtgt:
kadmin.local: addprinc -pw admin krbtgt/BEIJING@SHANGHAI
kadmin.local: addprinc -pw admin krbtgt/SHANGHAI@BEIJING
同样也需要在SHANGHAI集群添加krbtgt:
kadmin.local: addprinc -pw admin krbtgt/BEIJING@SHANGHAI
kadmin.local: addprinc -pw admin krbtgt/SHANGHAI@BEIJING
配置core-site.xml的hadoop.security.auth_to_local
hadoop.security.auth_to_local配置项的作用是定义将principal名称转化为user的规则。因此对于BEIJING和集群来说,需要得知SHANGHAI集群的转换规则,可以将SHANGHAI集群的hadoop.security.auth_to_local复制追加到本集群配置的后面(DEFAULT除外)。反过来也一样。
BEIJING集群的hadoop.security.auth_to_local配置修改为:
RULE:[1:$1@$0](^.*@BEIJING$)s/^(.*)@BEIJING$/$1/g
RULE:[2:$1@$0](^.*@BEIJING$)s/^(.*)@BEIJING$/$1/g
...省略BEIJING集群的其余配置
RULE:[1:$1@$0](^.*@SHANGHAI$)s/^(.*)@SHANGHAI$/$1/g
RULE:[2:$1@$0](^.*@SHANGHAI$)s/^(.*)@SHANGHAI$/$1/g
...省略SHANGHAI集群的其余配置
DEFAULT
SHANGHAI集群的hadoop.security.auth_to_local配置修改为:
RULE:[1:$1@$0](^.*@SHANGHAI$)s/^(.*)@SHANGHAI$/$1/g
RULE:[2:$1@$0](^.*@SHANGHAI$)s/^(.*)@SHANGHAI$/$1/g
...省略SHANGHAI集群的其余配置
RULE:[1:$1@$0](^.*@BEIJING$)s/^(.*)@BEIJING$/$1/g
RULE:[2:$1@$0](^.*@BEIJING$)s/^(.*)@BEIJING$/$1/g
...省略BEIJING集群的其余配置
DEFAULT
以上配置仅为示例,实际使用已真实环境配置为准,不要擅自修改以防止用户名解析出现问题。
配置完毕之后需要重启HDFS等相关组件才能生效。
结果验证
验证principal转用户名是否正常
两个集群的HDFS等相关组件重启完毕后。以hdfs/host1.shanghai.com转换为用户名为例,在BEIJING集群执行:
hadoop org.apache.hadoop.security.HadoopKerberosName hdfs/host1.shanghai.com@SHANGHAI
Name: hdfs/host1.shanghai.com@SHANGHAI to hdfs
如果显示类似上面的输出,说明BEIJING能够将SHANGHAI集群的hdfs/host1.shanghai.com@SHANGHAI转换为hdfs用户,配置是正确的。
假如这里遇到问题,需要检查BEIJING集群的core-site.xml中hadoop.security.auth_to_local配置是否正确。
验证是否可以访问对方集群的数据
在BEIJING集群执行:
kinit hdfs/host1.beijing.com
# 假定SHANGHAI集群的namenode安装在host1.shanghai.com上
# 访问SHANGHAI集群的数据
hdfs dfs -ls hdfs://host1.shanghai.com:8020/
如果互信配置正确,认证之后可以访问到对方集群HDFS的数据。