在Ambari上添加Kerberos

一、准备阶段

1.下载jce并解压
jce下载地址：http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

[root@manager ~]# lsjce_policy-8.zip[root@manager ~]# unzip -o -j -q jce_policy-8.zip -d /usr/local/jdk/jre/lib/security/

2.安装krb5

[root@manager ~]# yum install -y krb5-libs krb5-workstation

3.修改配置文件

[root@manager ~]# cat /etc/krb5.conf# Configuration snippets may be placed in this directory as wellincludedir /etc/krb5.conf.d/[logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log[libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true rdns = false default_realm = KRB.COM #修改为认证域 default_ccache_name = KEYRING:persistent:%{uid}[realms] KRB.COM = {  kdc = 192.168.10.131 #KDC的地址  admin_server = 192.168.10.131 #kadmin服务地址 }[domain_realm]

#以上需要在服务端和客户端都配置，可以在服务端配置好以后使用scp拷贝。

4.在服务端安装krb5-server

[root@manager ~]# yum install -y krb5-server

5.修改服务端的配置文件

[root@manager ~]# cat /var/kerberos/krb5kdc/kdc.conf [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88[realms] KRB.COM = {  #master_key_type = aes256-cts  acl_file = /var/kerberos/krb5kdc/kadm5.acl  dict_file = /usr/share/dict/words  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }

二、配置阶段

1.创建kerberos数据库

[root@manager ~]# kdb5_util create -s -r KRB.COMLoading random dataInitializing database '/var/kerberos/krb5kdc/principal' for realm 'KRB.COM',master key name 'K/M@KRB.COM'You will be prompted for the database Master Password.It is important that you NOT FORGET this password.Enter KDC database master key: Re-enter KDC database master key to verify: 

2.创建管理员

[root@manager ~]# kadmin.local -q "addprinc admin/admin"Authenticating as principal root/admin@KRB.COM with password.WARNING: no policy specified for admin/admin@KRB.COM; defaulting to no policyEnter password for principal "admin/admin@KRB.COM": Re-enter password for principal "admin/admin@KRB.COM": Principal "admin/admin@KRB.COM" created.

3.给管理员账户添加acl权限

[root@manager ~]# cat /var/kerberos/krb5kdc/kadm5.acl */admin@KRB.COM *

4.启动服务和设置开机自启

[root@manager ~]# systemctl start krb5kdc[root@manager ~]# systemctl start kadmin[root@manager ~]# systemctl enable krb5kdc[root@manager ~]# systemctl enable kadmin

5.在客户端测试连接

[root@vm1 ~]# kadmin -p admin/adminAuthenticating as principal admin/admin with password.Password for admin/admin@KRB.COM: kadmin:  listprincs K/M@KRB.COMadmin/admin@KRB.COMkadmin/admin@KRB.COMkadmin/changepw@KRB.COMkadmin/manager@KRB.COMkiprop/manager@KRB.COMkrbtgt/KRB.COM@KRB.COMkadmin:  quit

6.重新启动ambari-server

[root@manager ~]# ambari-server restart

三、 在Ambari上添加kerberos

1.开启Kerberos

2.选择MIT

3.输入KDC和Kadmin相关信息

4.安装和测试

5.配置文件设置

6.等待停止其他服务

7.添加完成

8.等待开启服务

9.完成