Kerberos high availability configuration

48.1 Demo environment

  • Kerberos installed and integrated with CDH
  • Operating system: RedHat 7.2
  • ec2-user account with sudo privileges
  • Kerberos node

48.2 Operation demonstration

Install the Kerberos service on the standby node

[ec2-user@ip-186-33-21-86 ~]$ sudo yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
### Note: only the packages are installed here; no configuration or service startup is needed yet.

Primary Kerberos node operations

  • Modify the /etc/krb5.conf configuration file and add the standby Kerberos server under the realms configuration
  kdc = ip-186-33-22-88.ap-southeast-1.compute.internal
  admin_server = ip-186-33-22-88.ap-southeast-1.compute.internal
  kdc = ip-186-33-21-86.ap-southeast-1.compute.internal
  admin_server = ip-186-33-21-86.ap-southeast-1.compute.internal
  • Synchronize the modified /etc/krb5.conf file to the corresponding directory on every Kerberos client node of the cluster
  • Save the configuration and restart the krb5kdc and kadmin services
[ec2-user@ip-186-33-22-88 ~]$ sudo systemctl restart krb5kdc
[ec2-user@ip-186-33-22-88 ~]$ sudo systemctl restart kadmin
  • Create the master/standby synchronization accounts and generate a keytab file for them
[ec2-user@ip-186-33-22-88 ~]$ sudo kadmin.local
kadmin.local:  addprinc -randkey host/ip-186-33-22-88.ap-southeast-1.compute.internal
kadmin.local:  addprinc -randkey host/ip-186-33-21-86.ap-southeast-1.compute.internal
kadmin.local:  ktadd host/ip-186-33-22-88.ap-southeast-1.compute.internal
kadmin.local:  ktadd host/ip-186-33-21-86.ap-southeast-1.compute.internal
### The synchronization accounts are created with randomly generated keys, and the ktadd command writes their keys into the keytab file. By default the file is /etc/krb5.keytab, and additional accounts are appended to the same krb5.keytab.
  • Copy the following files to the corresponding directories on the standby Kerberos server
    • Copy the krb5.conf and krb5.keytab files from the /etc directory to the /etc directory of the standby Kerberos server
    • Copy the .k5.CLOUDERA.COM, kadm5.acl and kdc.conf files from the /var/kerberos/krb5kdc directory to the /var/kerberos/krb5kdc directory of the standby Kerberos server
    • Because Fayson's AWS servers are accessed as a non-root user, the files are first copied to the ec2-user home directory on the standby Kerberos node and then moved into the target directories with sudo on the standby server. The following operations are performed on the standby Kerberos server
[ec2-user@ip-186-33-21-86 kerberos]$ sudo cp krb5.conf krb5.keytab /etc/
[ec2-user@ip-186-33-21-86 kerberos]$ sudo chown root:root /etc/krb5.*
[ec2-user@ip-186-33-21-86 kerberos]$ ll /etc/krb5.*
[ec2-user@ip-186-33-21-86 kerberos]$ sudo cp .k5.CLOUDERA.COM kadm5.acl kdc.conf /var/kerberos/krb5kdc/
[ec2-user@ip-186-33-21-86 kerberos]$ sudo chown root:root /var/kerberos/krb5kdc/*
[ec2-user@ip-186-33-21-86 kerberos]$ cd /var/kerberos/krb5kdc/
[ec2-user@ip-186-33-21-86 krb5kdc]$ ll -a

Standby Kerberos node operations

  • Declare the principal allowed to push the database: add the corresponding account to the /var/kerberos/krb5kdc/kpropd.acl configuration file. If the file does not exist, create it and add the account
[ec2-user@ip-186-33-21-86 krb5kdc]$ cd /var/kerberos/krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo vim kpropd.acl
  • Start the kprop service and enable it at system startup
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl enable kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl start kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl status kprop
### The standby node is now ready to receive data. Next, export the Kerberos database on the primary node with kdb5_util, then push the data to the standby node with the kprop command.

The primary node synchronizes the data to the standby node

  • Export the Kerberos database file with the kdb5_util command on the primary node
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo kdb5_util dump /var/kerberos/krb5kdc/master.dump
### After a successful export, two files are generated: master.dump and master.dump.dump_ok.
  • Use the kprop command on the primary node to synchronize the master.dump file to the standby node
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 ip-186-33-21-86.ap-southeast-1.compute.internal
32768 bytes sent.
60543 bytes sent.
Database propagation to ip-186-33-21-86.ap-southeast-1.compute.internal: SUCCEEDED
[ec2-user@ip-186-33-22-88 krb5kdc]$ 
  • Check the /var/kerberos/krb5kdc directory on the standby node
[ec2-user@ip-186-33-21-86 krb5kdc]$ pwd
[ec2-user@ip-186-33-21-86 krb5kdc]$ ll
total 132
-rw------- 1 root root 60543 Nov 14 10:36 from_master
-rw------- 1 root root    23 Nov 14 10:15 kadm5.acl
-rw------- 1 root root   486 Nov 14 10:15 kdc.conf
-rw-r--r-- 1 root root   132 Nov 14 10:23 kpropd.acl
-rw------- 1 root root 53248 Nov 14 10:36 principal
-rw------- 1 root root  8192 Nov 14 10:36 principal.kadm5
-rw------- 1 root root     0 Nov 14 10:36 principal.kadm5.lock
-rw------- 1 root root     0 Nov 14 10:36 principal.ok
[ec2-user@ip-186-33-21-86 krb5kdc]$ 
  • Test whether the transferred data can start the Kerberos services on the standby node
  • First stop the kprop service, back up and remove the kpropd.acl file, then start the krb5kdc and kadmin services
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl stop kprop
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo mv /var/kerberos/krb5kdc/kpropd.acl /var/kerberos/krb5kdc/kpropd.acl.bak
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl start krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl start kadmin
  • Modify the /etc/krb5.conf file on the standby server, changing kdc and admin_server to the standby server address, and test whether kinit works
[ec2-user@ip-186-33-21-86 krb5kdc]$ kinit fayson
Password for fayson@CLOUDERA.COM:
[ec2-user@ip-186-33-21-86 krb5kdc]$ klist
Ticket cache:FILE:/tmp/krb5cc_1000
Default principal:fayson@CLOUDERA.COM

Valid starting       Expires              Service principal
11/14/2017 10:47:11  11/15/2017 10:47:11  krbtgt/CLOUDERA.COM@CLOUDERA.COM
        renew until 11/21/2017 10:47:11
[ec2-user@ip-186-33-21-86 krb5kdc]$ 
  • After the test, restore the /etc/krb5.conf and kpropd.acl files and start the kprop service again
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl stop krb5kdc
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl stop kadmin
[ec2-user@ip-186-33-21-86 krb5kdc]$
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo mv /var/kerberos/krb5kdc/kpropd.acl.bak kpropd.acl
[ec2-user@ip-186-33-21-86 krb5kdc]$ sudo systemctl start kprop

Configure a crontab task on the master node to synchronize data regularly

  • Synchronization script
[ec2-user@ip-186-33-22-88 krb5kdc]$ pwd
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo vim
TIMESTAMP=$(date); DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754; SLAVE=ip-186-33-21-86.ap-southeast-1.compute.internal
# the values above are the dump path, kprop port and standby host used earlier in this post
echo "Start at $TIMESTAMP"
sudo kdb5_util dump $DUMP
sudo kprop -f $DUMP -d -P $PORT $SLAVE
  • Make the script executable and test it
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo chmod 700 /var/kerberos/krb5kdc/
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo sh /var/kerberos/krb5kdc/ 
  • Configure the crontab task (this is root's own crontab, so the line has no user column)
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo crontab -e
0 * * * * /var/kerberos/krb5kdc/ >/var/kerberos/krb5kdc/lastupdate
  • Save and exit, then start the crond service and enable it at startup
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo systemctl enable crond
[ec2-user@ip-186-33-22-88 krb5kdc]$ sudo systemctl start crond
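The hourly script above does not notice when the dump or the push fails, so a stale database on the standby goes unreported. The following is an added example (not Fayson's script) of the same kdb5_util dump and kprop cycle with failure checks and a status log; the helper names log_status, dump_db, propagate and sync_once, and the KDB5_UTIL/KPROP override variables, are my own, and the paths, port and host are the ones used in this post.

```shell
#!/bin/sh
# Added example: hardened kprop sync for the primary KDC, meant to run from
# root's crontab (so no sudo inside). Invoke as: kprop_sync.sh run

KDC_DIR=/var/kerberos/krb5kdc
DUMP="$KDC_DIR/master.dump"
PORT=754
SLAVE=ip-186-33-21-86.ap-southeast-1.compute.internal
STATUS="$KDC_DIR/lastupdate"
# Overridable (hypothetical) hooks so the cycle can be exercised without a KDC.
KDB5_UTIL=${KDB5_UTIL:-kdb5_util}
KPROP=${KPROP:-kprop}

# Append a timestamped line to the status file read by operators / monitoring.
log_status() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$STATUS"
}

# Dump the database and require the fresh ".dump_ok" marker kdb5_util writes
# on success; a stale marker from an earlier run is removed first.
dump_db() {
    rm -f "$DUMP" "$DUMP.dump_ok"
    "$KDB5_UTIL" dump "$DUMP" || return 1
    [ -f "$DUMP.dump_ok" ] || return 1
}

# Push the dump. kprop authenticates with the host/ key in /etc/krb5.keytab,
# and the standby's kpropd.acl must list this host's host/<fqdn>@CLOUDERA.COM.
propagate() {
    "$KPROP" -f "$DUMP" -P "$PORT" "$SLAVE" || return 1
}

# One sync cycle: prints OK or FAIL and returns the matching exit status,
# so cron mail and the status file both show a broken replication.
sync_once() {
    if dump_db && propagate; then
        log_status "SUCCEEDED $SLAVE"
        echo OK
        return 0
    fi
    log_status "FAILED $SLAVE"
    echo FAIL
    return 1
}

if [ "${1:-}" = run ]; then
    sync_once
fi
```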


Tags: Linux Operation & Maintenance CentOS Hadoop CDH

Posted on Thu, 23 Sep 2021 20:21:31 -0400 by atdawgie