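Adding Kerberos authentication to Impala
Background
Our company's test cluster needed Impala configured with Kerberos. The test cluster is messy: many people use it, and its users and permissions are rather disorganized. It is also an Ambari HDP cluster. HDP does not support Impala, so Impala was installed separately.
Environment
Kerberos needs to be installed; for installation, refer to here.
Big data environment: HDP-3.1.4.0; HDFS, YARN and Hive all need to be present.
Impala 4.0.0
Configuration
Kerberos operations
1. Create the Kerberos Impala service principal, specifying the name of the operating system user that runs the Impala daemons, the fully qualified domain name of each node running impalad, and the realm name. For example: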
$ kadmin
kadmin: addprinc -requires_preauth -randkey impala/impala_host.example.com@TEST.EXAMPLE.COM
Actually executed:
kadmin.local -q "addprinc -requires_preauth -randkey impala/slave2.am.com@AM.COM"
2. Create the HTTP service principal. For example:
kadmin: addprinc -randkey HTTP/impala_host.example.com@TEST.EXAMPLE.COM
Actually executed:
kadmin.local -q "addprinc -randkey HTTP/slave2.am.com@AM.COM"
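Note: the HTTP component of the service principal must be uppercase, as shown in the example above.
3. Create keytab files for the two principals. For example: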
kadmin: xst -k impala.keytab impala/impala_host.example.com
kadmin: xst -k http.keytab HTTP/impala_host.example.com
kadmin: quit
Actually executed:
[root@slave2 ~]# kadmin -padmin/admin -wadmin -q"xst -k impala.keytab impala/slave2.am.com"
Authenticating as principal admin/admin with password.
Entry for principal impala/slave2.am.com with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:impala.keytab.
.....
Entry for principal impala/slave2.am.com with kvno 3, encryption type des-cbc-md5 added to keytab WRFILE:impala.keytab.
[root@slave2 ~]# kadmin -padmin/admin -wadmin -q"xst -k http.keytab HTTP/slave2.am.com"
Authenticating as principal admin/admin with password.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type arcfour-hmac added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type camellia256-cts-cmac added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type camellia128-cts-cmac added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type des-hmac-sha1 added to keytab WRFILE:http.keytab.
Entry for principal HTTP/slave2.am.com with kvno 4, encryption type des-cbc-md5 added to keytab WRFILE:http.keytab.
4. Use ktutil to read the contents of the two keytab files, then write those contents to a new file. For example:
$ ktutil
ktutil: rkt impala.keytab
ktutil: rkt http.keytab
ktutil: wkt impala-http.keytab
ktutil: quit
What was actually executed is identical.
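A check worth running on the merged keytab, as an added example (not from the original post): it reads `klist -kte` output, confirms both service principals are present with the exact case the note in step 2 requires, and flags DES, 3DES and RC4 entries like those the xst output above shows being written. The sample listing is constructed (timestamps invented) and the function name audit_keytab is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit `klist -kte` output.

# Constructed sample of `klist -kte impala-http.keytab`; timestamps are invented.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:impala-http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/01/2022 10:00:00 impala/slave2.am.com@AM.COM (aes256-cts-hmac-sha1-96)
   3 10/01/2022 10:00:00 impala/slave2.am.com@AM.COM (des-cbc-md5)
   4 10/01/2022 10:00:05 HTTP/slave2.am.com@AM.COM (aes256-cts-hmac-sha1-96)
   4 10/01/2022 10:00:05 HTTP/slave2.am.com@AM.COM (arcfour-hmac)
EOF
}

# audit_keytab (hypothetical name): stdin is klist -kte output, arguments are
# the principals that must be present (exact, case-sensitive match).
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_keytab() {
  awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    $1 ~ /^[0-9]+$/ && NF >= 3 {
      enc = $NF; gsub(/[()]/, "", enc); sub(/^DEPRECATED:/, "", enc)
      princ = $(NF - 1); seen[princ] = 1
      # DES, 3DES and RC4 enctypes are deprecated for Kerberos (RFC 6649, RFC 8429)
      if (enc ~ /^(des-|des3-|arcfour-)/) { print "WEAK " princ " " enc; bad = 1 }
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) { print "MISSING " req[i]; bad = 1 }
      exit bad + 0
    }'
}

# Real use: klist -kte impala-http.keytab | audit_keytab <principal>...
sample_klist | audit_keytab impala/slave2.am.com@AM.COM HTTP/slave2.am.com@AM.COM \
  || echo "keytab needs attention"
```

A principal created as lowercase http/ is reported as MISSING, because the match against the required names is case-sensitive.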