[1067] Kerberos security authentication of cdh6.3.2

Article catalog

Introduction to Kerberos

Kerberos is a computer network authorization protocol, which is used to authenticate personal communication by secure means in non secure networks. The term also refers to a set of computer software developed by MIT for this agreement. The software design adopts the client / server structure, and can authenticate each other, that is, the client and server can authenticate each other. It can be used to prevent eavesdropping, replay attacks and protect data integrity. It is a key management system using symmetric key system.

This article describes how to enable Kerberos security authentication in the CDH cluster and let Kerberos escort the cluster data security.

Kerberos authentication principle

1. Basic concepts

KDC: key distribution center, including authentication server, ticket authorization server, and database AS: authentication server TGS: TicketGranting Server TGT: ticket granting ticket Principal: principal, used to mark a unique identity in the kerberos encryption system. The principal can be a user (such as zhangsan) or a service (such as namenode or hive).

2. Certification process

(1) The client executes the kinit command, enters the Principal and Password, proves the identity to the AS, and requests to obtain the TGT. (2) The AS checks whether the Principal input by the client is stored in the Database, and returns TGT to the client if any. (3) After obtaining TGT, the client requests ServerTicket from TGS. (4) After receiving the request, TGS checks whether the Principal of the service requested by the client is stored in the Database. If so, it returns ServerTicket to the client. (5) When the client receives a ServerTicket, it initiates a request to the target service. (6) The target service receives the request and responds to the client.

Kerberos deployment

1. Install Kerberos related services

Select a host in the cluster (Hadoop 102. Example. Com) as the Kerberos server and install KDC. All hosts need to deploy Kerberos clients.

The server host executes the following installation commands

yum install -y krb5-server krb5-workstation krb5-libs

The client host executes the following installation commands

yum install -y krb5-workstation krb5-libs

2. Modify profile

(1) Server host (Hadoop 102. Example. Com)

Modify the / var/kerberos/krb5kdc/kdc.conf file as follows

[root@node105 ~]# cat /var/kerberos/krb5kdc/kdc.conf   
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 YINZHENGJIE.ORG.CN = {
  master_key_type = aes256-cts              #We can start the aes256 encryption algorithm, and the JDK needs to be patched with JCE. We have patched it before, and it can actually be started.
  max_renewable_life= 7d 0h 0m 0s            #We here for the maximum duration of the lease. Most of the following parameters are specified paths. We can specify them by default and do not need to modify them!
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
[root@node105 ~]#

(2) Client hosts (all hosts)

Modify the / etc/krb5.conf file as follows

[root@node105 ~]# cat /etc/krb5.conf                                   
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = YINZHENGJIE.ORG.CN

[realms]
 YINZHENGJIE.ORG.CN = {
  kdc = node105.yinzhengjie.org.cn
  admin_server = node105.yinzhengjie.org.cn
 }

[domain_realm]
.yinzhengjie.org.cn =  YINZHENGJIE.ORG.CN
yinzhengjie.org.cn = YINZHENGJIE.ORG.CN
[root@node105 ~]#

3. Initialize KDC database

Execute the following command on the server host (Hadoop 102. Example. Com)

[root@node105 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'YINZHENGJIE.ORG.CN',
master key name 'K/M@YINZHENGJIE.ORG.CN'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:                   #Here you need to set an initial password for the KDC. Note that we must remember that the password is used to manage the KDC server!
Re-enter KDC database master key to verify: 
[root@node105 ~]#

4. Create administrator users and ordinary users

You need to set a password during the creation process. Then, the keytab file is generated for user to facilitate subsequent password free login. If no path is specified, it is placed in the current working directory by default, and we specify it under "/ etc/ security /".

[root@node105 ~]# 
[root@node105 ~]# kadmin.local                              #Log in to KDC server locally 
Authenticating as principal root/admin@YINZHENGJIE.ORG.CN with password.
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc admin/admin                           #Let's create an administrator user here
WARNING: no policy specified for admin/admin@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "admin/admin@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "admin/admin@YINZHENGJIE.ORG.CN": 
Principal "admin/admin@YINZHENGJIE.ORG.CN" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc jason                              #Create a normal user jason
WARNING: no policy specified for jason@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "jason@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "jason@YINZHENGJIE.ORG.CN": 
Principal "jason@YINZHENGJIE.ORG.CN" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  addprinc yinzhengjie                            #Create an ordinary user
WARNING: no policy specified for yinzhengjie@YINZHENGJIE.ORG.CN; defaulting to no policy
Enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN": 
Re-enter password for principal "yinzhengjie@YINZHENGJIE.ORG.CN": 
Principal "yinzhengjie@YINZHENGJIE.ORG.CN" created.
kadmin.local:  
kadmin.local:  
kadmin.local:  xst -k /etc/security/jason.keytab jason                        #Generate keytab file for jason user
Entry for principal jason with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/jason.keytab.
Entry for principal jason with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/jason.keytab.
kadmin.local:  
kadmin.local:  xst -k /etc/security/yinzhengjie.keytab yinzhengjie                  #Generate keytab files for users
Entry for principal yinzhengjie with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
Entry for principal yinzhengjie with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/etc/security/yinzhengjie.keytab.
kadmin.local:  
kadmin.local:  quit
[root@node105 ~]# 
[root@node105 ~]# 
[root@node105 ~]# ll /etc/security/*.keytab
-rw------- 1 root root 554 Mar  8 11:42 /etc/security/jason.keytab
-rw------- 1 root root 602 Mar  8 11:43 /etc/security/yinzhengjie.keytab
[root@node105 ~]#

Method 2: create Kerberos administrator principal for CM

kadmin.local -q "addprinc admin/admin"

5. Modify administrator rights profile

Set administrator permissions for the account with the suffix "/ admin". Other accounts have normal permissions by default.

Modify the / var/kerberos/krb5kdc/kadm5.acl file on the server host (Hadoop 102. Example. Com), as follows

[root@node105 ~]# cat /var/kerberos/krb5kdc/kadm5.acl   
*/admin@YINZHENGJIE.ORG.CN      *
[root@node105 ~]#

6. Start the Kerberos service and set it to boot

[root@node105 ~]# 
[root@node105 ~]# systemctl start krb5kdc       #Start KDC
[root@node105 ~]# 
[root@node105 ~]# systemctl start kadmin      # Start Kadmin, which is the KDC database access portal
[root@node105 ~]# 
[root@node105 ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@node105 ~]# 
[root@node105 ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@node105 ~]# 
[root@node105 ~]#

7. Test whether the kerberos service is normal

[root@node105 ~]# 
[root@node105 ~]# kinit -kt /etc/security/yinzhengjie.keytab yinzhengjie
[root@node105 ~]# 
[root@node105 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yinzhengjie@YINZHENGJIE.ORG.CN

Valid starting       Expires              Service principal
03/08/2019 11:55:20  03/09/2019 11:55:20  krbtgt/YINZHENGJIE.ORG.CN@YINZHENGJIE.ORG.CN
        renew until 03/15/2019 11:55:20
[root@node105 ~]# 
[root@node105 ~]#

8. Copy the krb5.conf configuration file in the KDC server of the master node to other nodes of the cluster

[root@node105 ~]# scp /etc/krb5.conf root@node101.yinzhengjie.org.cn:/etc/krb5.conf

Kerberos configuration on Cloudera Manager platform (please check whether the server is normal before doing this)

Enable keberos

Confirm that the four requirements are met, tick and click the Continue button

Fill in the Kerberos encryption type, RAELMS name and service address

The CM management krb5.conf configuration file is not enabled because we have manually distributed the appropriate krb5.conf before

Set the account of admin (specified in: / var/kerberos/krb5kdc/kadm5.acl in KDC server by default)

As shown in the figure below, wait until Kerberos is enabled

Configure principles

Check the option to restart the cluster

As shown in the following figure, wait for the cluster restart to complete

Kerberos started successfully

Kerberos started successfully

Kerberos security environment usage

After Kerberos is enabled in the cluster, users need to pass Kerberos authentication before accessing each service. Next, Hive demonstrates the specific operation mode by accessing HFDS.

1. Register the user's account with Kerberos (Principal)

Execute the following command on the Kerberos server host (hadoop102.example.com) and enter the password to complete the registration

kadmin.local -q "addprinc hdfs/hdfs@EXAMPLE.COM"

2. User authentication, execute the following commands and enter the password to complete authentication

kinit hdfs/hdfs@EXAMPLE.COM

View current authentication status

$ klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hdfs@EXAMPLE.COM
 
Valid starting       Expires              Service principal
11/05/2020 14:29:23  11/06/2020 14:29:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  renew until 11/12/2020 14:29:23

Note: if you need to authenticate in a non interactive environment, such as in code, you can generate a key file through the following command and specify the path of the key file in the code. It should be noted that after the key file is generated, the password will become invalid.

kadmin.local -q "xst -k /path/to/your/keytab/admin.keytab hdfs/hdfs@EXAMPLE.COM"

3. Access HDFS

Before certification

$ hadoop fs -ls /
 
20/11/05 14:28:28 WARN ipc.Client: Exception encountered while connecting to the server : org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]
ls: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessCont

After certification

$ hadoop fs -ls /
Found 2 items
 
drwxrwxrwt   - hdfs    supergroup          0 2020-11-02 15:52 /tmp
drwxr-xr-x   - hdfs    supergroup          0 2020-11-03 09:23 /user

4. Visit Hive

(1) hive client

Before certification

$ hive
 
Exception in thread "main" java.lang.RuntimeException: java.io.IOException: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS]; Host Details : local host is: "hadoop102.example.com/172.26.131.1"; destination host is: "hadoop102.example.com":8020; 
  at org.apache.hadoop.hive.ql.session.SessionState.start(SessionState.java:604)
  at org.apache.hadoop.hive.ql.session.SessionState.beginStart(SessionState.java:545)

After certification

$ hive
 
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive>

(2) beeline client

Note: after Kerberos is enabled, the principal information of hiveserver2 needs to be added to the jdbc url, as follows:

Before certification

$ beeline -u " jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
 
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
20/11/05 14:42:57 [main]: ERROR transport.TSaslTransport: SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed
  at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:2

After certification

$ beeline -u " jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM"
 
Connecting to jdbc:hive2://hadoop102.example.com:10000/;principal=hive/hadoop102.example.com@EXAMPLE.COM
Connected to: Apache Hive (version 2.1.1-cdh6.3.2)
Driver: Hive JDBC (version 2.1.1-cdh6.3.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 2.1.1-cdh6.3.2 by Apache Hive
0: jdbc:hive2://hadoop102.example.com:10000/>

reference resources: https://blog.csdn.net/ytp552200ytp/article/details/109643832 https://www.cnblogs.com/yinzhengjie/articles/10483362.html

Posted on Thu, 11 Nov 2021 03:33:03 -0500 by ignace

Hot Tags

©2023 Programmer Help