Introduction to Kerberos
Kerberos is a computer network authentication protocol that lets parties on a non-secure network prove their identity to one another by secure means. The term also refers to the software suite developed by MIT that implements this protocol. The software uses a client/server structure and supports mutual authentication, that is, the client and the server each authenticate the other. It protects against eavesdropping and replay attacks and preserves data integrity. It is a key management system built on symmetric-key cryptography.
This article describes how to enable Kerberos authentication in a CDH cluster so that Kerberos protects the cluster's data.
Kerberos authentication principle

1. Basic concepts
KDC: Key Distribution Center, made up of the authentication server, the ticket-granting server and the database
AS: Authentication Server
TGS: Ticket-Granting Server
TGT: Ticket-Granting Ticket
Principal: the name of a unique identity in the Kerberos system. A principal can be a user (such as zhangsan) or a service (such as namenode or hive).
2. Authentication process
(1) The client runs the kinit command, enters the Principal and password, proves its identity to the AS and requests a TGT.
(2) The AS checks whether the Principal entered by the client exists in the database and, if it does, returns a TGT to the client.
(3) Holding the TGT, the client requests a ServerTicket from the TGS.
(4) The TGS checks whether the Principal of the service requested by the client exists in the database and, if it does, returns a ServerTicket to the client.
(5) With the ServerTicket, the client sends its request to the target service.
(6) The target service receives the request and responds to the client.
Kerberos deployment
1. Install Kerberos related services
Select one host in the cluster (hadoop102.example.com) as the Kerberos server and install the KDC on it. Every host in the cluster needs the Kerberos client.
Run the following installation command on the server host
yum install -y krb5-server krb5-workstation krb5-libs
Run the following installation command on the client hosts
yum install -y krb5-workstation krb5-libs
2. Modify the configuration files
(1) Server host (hadoop102.example.com)
Modify the /var/kerberos/krb5kdc/kdc.conf file as follows
[root@node105 ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.ORG.CN = {
  master_key_type = aes256-cts        # aes256 can be enabled here; the JDK then needs the JCE policy patch, which we applied earlier
  max_renewable_life = 7d 0h 0m 0s    # maximum renewable lifetime of a ticket; most of the remaining parameters are paths and can be left at their defaults
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node105 ~]#
(2) Client hosts (all hosts)
Modify the /etc/krb5.conf file as follows
[root@node105 ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.ORG.CN

[realms]
 YINZHENGJIE.ORG.CN = {
  kdc = node105.yinzhengjie.org.cn
  admin_server = node105.yinzhengjie.org.cn
 }

[domain_realm]
 .yinzhengjie.org.cn = YINZHENGJIE.ORG.CN
 yinzhengjie.org.cn = YINZHENGJIE.ORG.CN
[root@node105 ~]#
3. Initialize the KDC database
Execute the following command on the server host (hadoop102.example.com)
[root@node105 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.ORG.CN',
master key name 'K/M@YINZHENGJIE.ORG.CN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                 # set the initial master password of the KDC here; it must not be forgotten, because it is needed to manage the KDC server
Re-enter KDC database master key to verify:
[root@node105 ~]#
4. Create administrator users and ordinary users
A password must be set for each principal during creation. A keytab file is then generated for each user so that it can authenticate later without entering a password. If no path is given, the keytab is written to the current working directory; here we place the files under /etc/security/.
[root@node105 ~]# kadmin.local            # log in to the KDC server locally
Authenticating as principal root/admin@YINZHENGJIE.ORG.CN with password.
kadmin.local:  addprinc admin/admin       # create an administrator user
WARNING: no policy specified for admin/admin@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "admin/admin@YINZHENGJIE.ORG.CN":
Re-enter password for principal "admin/admin@YINZHENGJIE.ORG.CN":
Principal "admin/admin@YINZHENGJIE.ORG.CN" created.
kadmin.local:  addprinc jason             # create the ordinary user jason
WARNING: no policy specified for jason@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "jason@YINZHENGJIE.ORG.CN":
Re-enter password for principal "jason@YINZHENGJIE.ORG.CN":
Principal "jason@YINZHENGJIE.ORG.CN" created.
kadmin.local:  addprinc yinzhengjie       # create the ordinary user yinzhengjie
WARNING: no policy specified for yinzhengjie@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN":
Re-enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN":
Principal "yinzhengjie@YINZHENGJIE.ORG.CN" created.
kadmin.local:  xst -k /etc/security/jason.keytab jason              # generate the keytab file for jason
Entry for principal jason with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/jason.keytab.
kadmin.local:  xst -k /etc/security/yinzhengjie.keytab yinzhengjie  # generate the keytab file for yinzhengjie
Entry for principal yinzhengjie with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
kadmin.local:  quit
[root@node105 ~]# ll /etc/security/*.keytab
-rw------- 1 root root 554 Mar  8 11:42 /etc/security/jason.keytab
-rw------- 1 root root 602 Mar  8 11:43 /etc/security/yinzhengjie.keytab
[root@node105 ~]#
Method 2: create the Kerberos administrator principal for CM in a single command
kadmin.local -q "addprinc admin/admin"
5. Modify the administrator ACL file
Grant administrator permissions to every account whose name ends in "/admin". All other accounts keep the default, ordinary permissions.
Modify the /var/kerberos/krb5kdc/kadm5.acl file on the server host (hadoop102.example.com) as follows
[root@node105 ~]# cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@YINZHENGJIE.ORG.CN      *
[root@node105 ~]#
6. Start the Kerberos services and enable them at boot
[root@node105 ~]# systemctl start krb5kdc    # start the KDC
[root@node105 ~]# systemctl start kadmin     # start kadmin, the access portal to the KDC database
[root@node105 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node105 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node105 ~]#
7. Test whether the Kerberos service works
[root@node105 ~]# kinit -kt /etc/security/yinzhengjie.keytab yinzhengjie
[root@node105 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yinzhengjie@YINZHENGJIE.ORG.CN

Valid starting       Expires              Service principal
03/08/2019 11:55:20  03/09/2019 11:55:20  krbtgt/YINZHENGJIE.ORG.CN@YINZHENGJIE.ORG.CN
	renew until 03/15/2019 11:55:20
[root@node105 ~]#
8. Copy the krb5.conf configuration file from the KDC server on the master node to the other nodes of the cluster
[root@node105 ~]# scp /etc/krb5.conf root@node101.yinzhengjie.org.cn:/etc/krb5.conf
Kerberos configuration on the Cloudera Manager platform (check that the Kerberos server works before doing this)
Enable Kerberos

Confirm that the four requirements are met, tick them and click the Continue button

Fill in the Kerberos encryption type, the REALM name and the server addresses

Do not enable management of krb5.conf by CM, because we already distributed the appropriate krb5.conf manually above

Set the admin account (by default this is specified in /var/kerberos/krb5kdc/kadm5.acl on the KDC server)

As shown in the figure below, wait until Kerberos is enabled

Configure principals

Check the option to restart the cluster

As shown in the following figure, wait for the cluster restart to complete

Kerberos started successfully

Kerberos security environment usage
After Kerberos is enabled in the cluster, a user must pass Kerberos authentication before accessing any service. The following sections show the concrete steps by accessing HDFS and Hive.
1. Register the user's account (Principal) with Kerberos
Execute the following command on the Kerberos server host (hadoop102.example.com) and enter the password to complete the registration
kadmin.local -q "addprinc hdfs/hdfs@EXAMPLE.COM"
2. User authentication: execute the following command and enter the password to complete authentication
kinit hdfs/hdfs@EXAMPLE.COM
View the current authentication status
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hdfs@EXAMPLE.COM

Valid starting       Expires              Service principal
11/05/2020 14:29:23  11/06/2020 14:29:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 11/12/2020 14:29:23
Note: if you need to authenticate in a non-interactive environment, for example from code, generate a keytab file with the following command and point the code at the file's path. Be aware that once the keytab has been generated, the principal's password becomes invalid.
kadmin.local -q "xst -k /path/to/your/keytab/admin.keytab hdfs/hdfs@EXAMPLE.COM"
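As an added example (not from the original article or from MIT Kerberos), the Python below reads the binary keytab that xst -k writes, in the MIT 0x0502 layout, and reports which principals still carry DES, 3DES or RC4 keys, which the supported_enctypes list in the kdc.conf above hands to every new principal. The keytab it inspects is constructed in memory with dummy key bytes; on a real host you would pass the bytes of /etc/security/jason.keytab to parse_keytab instead.

```python
import struct
# Enctype numbers from RFC 3961/3962/4757; only the AES types (17, 18) count as strong here.
ENCTYPE_NAMES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
_cstr = lambda d: struct.pack(">H", len(d)) + d  # counted_octet_string: uint16 length + bytes
def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples in the MIT keytab 0x0502 layout."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Return [(principal, kvno, enctype, key)] from a 0x0502 keytab, skipping freed slots."""
    if blob[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    def cstr():
        nonlocal pos
        (n,) = struct.unpack_from(">H", blob, pos)
        pos += 2 + n
        return blob[pos - n:pos]
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size <= 0:              # a negative size marks a deleted slot of that length
            pos += -size or 1; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        pos += 8                   # skip name_type and timestamp
        vno8, enctype = blob[pos], struct.unpack_from(">H", blob, pos + 1)[0]; pos += 3
        key = cstr()
        vno32 = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype, key))
        pos = end
    return entries

def weak_keys(entries):
    """Principals still holding a non-AES key (DES, 3DES, RC4), as the page's supported_enctypes yield."""
    return sorted({(p, ENCTYPE_NAMES.get(et, f"enctype {et}"))
                   for p, _, et, _ in entries if et not in (17, 18)})
# Constructed sample standing in for /etc/security/jason.keytab (dummy key bytes, not real keys).
SAMPLE_KEYTAB = build_keytab([("jason@YINZHENGJIE.ORG.CN", 2, 18, b"A" * 32),
                              ("jason@YINZHENGJIE.ORG.CN", 2, 23, b"C" * 16),
                              ("jason@YINZHENGJIE.ORG.CN", 2, 3, b"D" * 8)])
```

Tightening supported_enctypes to the AES types and re-running xst re-keys the principal, so weak_keys returning an empty list is the check that the change took effect.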
3. Access HDFS
Before authentication
$ hadoop fs -ls /
20/11/05 14:28:28 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
ls: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessCont
After authentication
$ hadoop fs -ls /
Found 2 items
drwxrwxrwt   - hdfs supergroup          0 2020-11-02 15:52 /tmp
drwxr-xr-x   - hdfs supergroup          0 2020-11-03 09:23 /user
4. Access Hive
(1) Hive client
Before authentication
$ hive
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "hadoop102.example.com/172.26.131.1"; destination host is: "hadoop102.example.com":8020;
	at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:604)
	at org.apache.hadoop.hive.ql.session.SessionState.beginStart(SessionState.java:545)
After authentication
$ hive
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive>
(2) Beeline client
Note: after Kerberos is enabled, the principal of HiveServer2 must be added to the JDBC URL, as follows:
Before authentication
$ beeline -u "jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
20/11/05 14:42:57 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:2
After authentication
$ beeline -u "jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
0: jdbc:hive2://hadoop102.example.com:10000/>
Reference resources:
https://blog.csdn.net/ytp552200ytp/article/details/109643832
https://www.cnblogs.com/yinzhengjie/articles/10483362.html