CDH 6.3.2: configuring LDAP + Kerberos
This post records the process of integrating LDAP into a CDH Hadoop cluster; the LDAP server installed here is OpenLDAP. LDAP handles account management and Kerberos handles authentication; authorization is generally decided by Sentry. The cluster has 7 nodes, with each node's IP, hostname and deployed components assigned as follows: 192.168.0.200 master Kerberos KDC, OpenLDAP; 192.168.0.201 slave1 kerberos c
1. Setting up Kerberos is straightforward and is not repeated here; the focus is LDAP and how to use it.
2. Deploying and installing LDAP
Install OpenLDAP with the package manager
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel migrationtools krb5-server-ldap
On the client nodes, install
yum -y install openldap-clients sssd authconfig nss-pam-ldapd
Check the installed version
root:~/ # slapd -VV
@(#) $OpenLDAP: slapd 2.4.44 (Jan 29 2019 17:42:45) $
mockbuild@x86-01.bsys.centos.org:/builddir/build/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
Set the OpenLDAP administrator password
root:slapd.d/ # slappasswd -s 123456
{SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
Change the administrator information and write the administrator password into the config file
cd /etc/openldap/slapd.d/cn=config
root:cn=config/ # cat olcDatabase=\{2\}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a830970a
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
# change the domain here
olcSuffix: dc=testlab,dc=com
# change the admin account here to root, and the domain to testlab
olcRootDN: cn=root,dc=testlab,dc=com
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 43a7f8d8-d134-1038-8bab-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438297Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
# append the admin password entry at the end
olcRootPW: {SSHA}+duStt12ZYbTUbwhpEAaVMIMQH506UIt
Change the administrator information and domain in olcDatabase={1}monitor.ldif
cd /etc/openldap/slapd.d/cn=config
root:cn=config/ # cat olcDatabase=\{1\}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e26d6fe9
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
# change the admin name and domain dc here
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=testlab,dc=com" read by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 43a7f0ae-d134-1038-8baa-2907e6126c53
creatorsName: cn=config
createTimestamp: 20190302124137Z
entryCSN: 20190302124137.438086Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20190302124137Z
Verify that the basic OpenLDAP configuration has no problems
root:cn=config/ # slaptest -u
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif"
5c7a7cd8 ldif_read_file: checksum error on "/etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif"
config file testing succeeded
Enable the service at boot and start slapd
root:cn=config/ # systemctl enable slapd
Created symlink from /etc/systemd/system/multi-user.target.wants/slapd.service to /usr/lib/systemd/system/slapd.service.
root:cn=config/ # systemctl start slapd
root:cn=config/ # systemctl status slapd
● slapd.service - OpenLDAP Server Daemon
Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-03-02 20:57:48 CST; 8s ago
Docs: man:slapd
man:slapd-config
man:slapd-hdb
man:slapd-mdb
Check that the OpenLDAP service process is listening; the default port is 389
root:cn=config/ # netstat -antup | grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2451/slapd
tcp6 0 0 :::389 :::* LISTEN 2451/slapd
Configure the OpenLDAP database
root:cn=config/ # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
root:cn=config/ # chown ldap:ldap -R /var/lib/ldap
root:cn=config/ # chmod 700 -R /var/lib/ldap
root:cn=config/ # ls -l /var/lib/ldap/
total 324
-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rwx------ 1 ldap ldap 262144 Mar 2 20:57 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 __db.002
-rwx------ 1 ldap ldap 49152 Mar 2 20:57 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 20:57 log.0000000001
Import the schemas that define the format of the data OpenLDAP stores
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
root:cn=config/ # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
Modify the script that generates the LDIF files; change these settings
root:cn=config/ # cat /usr/share/migrationtools/migrate_common.ph | egrep 'DEFAULT_MAIL_DOMAIN|DEFAULT_BASE|EXTENDED_SCHEMA' | head -3
$DEFAULT_MAIL_DOMAIN = "testlab.com";
$DEFAULT_BASE = "dc=testlab,dc=com";
$EXTENDED_SCHEMA = 1;
Add system users and groups for later import into OpenLDAP. This step is only for testing; whether you need it depends on your requirements.
root:cn=config/ # groupadd ldapgroup1
root:cn=config/ # groupadd ldapgroup2
root:cn=config/ # useradd -g ldapgroup1 ldapuser1
root:cn=config/ # useradd -g ldapgroup2 ldapuser2
root:cn=config/ # echo "123456" | passwd --stdin ldapuser1
Changing password for user ldapuser1.
passwd: all authentication tokens updated successfully.
root:cn=config/ # echo "123456" | passwd --stdin ldapuser2
Changing password for user ldapuser2.
passwd: all authentication tokens updated successfully.
Extract the user and group attributes
root:cn=config/ # grep ":10[0-9][0-9]" /etc/passwd | grep ldap > /root/users
root:cn=config/ # grep ":10[0-9][0-9]" /etc/group | grep ldap > /root/groups
Generate the OpenLDAP user and group attributes
root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
root:cn=config/ # cat /root/groups.ldif
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1002
gidNumber:
homeDirectory:

dn: uid=ldapgroup2,ou=People,dc=testlab,dc=com
uid: ldapgroup2
cn: ldapgroup2
sn: ldapgroup2
mail: ldapgroup2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}x
uidNumber: 1003
gidNumber:
homeDirectory:
root:cn=config/ # cat /root/users.ldif
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$5PAZUtNU$CY/YcSKd1ajiCUb4u3SSNz4QIn04Og0PJosV/FDVNSCuUHWC6xETWi9DxT5UrM.ac2GM.i1PpyZ6/DmJiiQVH1
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1

dn: uid=ldapuser2,ou=People,dc=testlab,dc=com
uid: ldapuser2
cn: ldapuser2
sn: ldapuser2
mail: ldapuser2@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$HVzIvzSv$ovEbVz16WN2G.Dyvo3nIikHcERzVLOqg4xp0VpmjKpFoP9ZfxjrjGJfr478lw2kqYzJz2p.LmqY4kk0Cghb5b0
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
homeDirectory: /home/ldapuser2
Create the base LDIF for the OpenLDAP database (entries must be separated by a blank line)
cat > /root/base.ldif << EOF
dn: dc=testlab,dc=com
o: testlab com
dc: testlab
objectClass: top
objectClass: dcObject
objectclass: organization

dn: cn=root,dc=testlab,dc=com
cn: root
objectClass: organizationalRole
description: Directory Manager

dn: ou=People,dc=testlab,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=testlab,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
EOF
If the import reports an error, first check whether there is a stray space somewhere.
If the import failed and re-importing reports that the entries already exist, you can delete all files under /var/lib/ldap except DB_CONFIG; those are the LDAP data files and are regenerated on restart.
Import the database structure into OpenLDAP
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/base.ldif
-w is the password you entered at the slappasswd step
adding new entry "dc=testlab,dc=com"
adding new entry "cn=root,dc=testlab,dc=com"
adding new entry "ou=People,dc=testlab,dc=com"
adding new entry "ou=Group,dc=testlab,dc=com"
Success looks like this
Import the user and group data into OpenLDAP
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif
adding new entry "uid=ldapuser1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapuser2,ou=People,dc=testlab,dc=com"
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif
adding new entry "uid=ldapgroup1,ou=People,dc=testlab,dc=com"
adding new entry "uid=ldapgroup2,ou=People,dc=testlab,dc=com"
View the database files
root:cn=config/ # ls -l /var/lib/ldap
total 488
-rwx------ 1 ldap ldap 2048 Mar 2 20:57 alock
-rw------- 1 ldap ldap 8192 Mar 2 21:22 cn.bdb
-rwx------ 1 ldap ldap 262144 Mar 2 21:24 __db.001
-rwx------ 1 ldap ldap 32768 Mar 2 21:24 __db.002
-rwx------ 1 ldap ldap 93592 Mar 2 21:24 __db.003
-rwx------ 1 ldap ldap 845 Mar 2 20:59 DB_CONFIG
-rwx------ 1 ldap ldap 8192 Mar 2 20:57 dn2id.bdb
-rwx------ 1 ldap ldap 32768 Mar 2 20:57 id2entry.bdb
-rwx------ 1 ldap ldap 10485760 Mar 2 21:24 log.0000000001
-rw------- 1 ldap ldap 8192 Mar 2 21:24 mail.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 objectClass.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:22 ou.bdb
-rw------- 1 ldap ldap 8192 Mar 2 21:24 sn.bdb
View the OpenLDAP contents
root:cn=config/ # ldapsearch -x -b "dc=testlab,dc=com" -H "ldap://127.0.0.1"
Filter the query
root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapuser1"
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDRPZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
shadowLastChange: 17957
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1
root:cn=config/ # ldapsearch -LLL -x -D "cn=root,dc=testlab,dc=com" -w "123456" -b "dc=testlab,dc=com" "uid=ldapgroup1"
dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
uid: ldapgroup1
cn: ldapgroup1
sn: ldapgroup1
mail: ldapgroup1@testlab.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fXg=
uidNumber: 1002
gidNumber: 1002
homeDirectory:
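Before feeding generated LDIF to ldapadd it helps to check it mechanically: the group entries printed earlier came out as posixAccount objects with empty gidNumber and homeDirectory, and the ldapsearch output above shows how a value starting with "{" is base64-encoded ("::") and folded onto a continuation line. The following Python script is an added example, not part of the original post and not the migration tools' or OpenLDAP's own code; its input is constructed from the entries shown above.

```python
import base64

# Constructed sample, not real output: the ldapsearch result for ldapuser1 (userPassword
# base64-encoded via "::" and folded onto a continuation line) plus the "group" entry
# that the migration tools emitted as a posixAccount with empty gidNumber/homeDirectory.
SAMPLE_LDIF = """\
dn: uid=ldapuser1,ou=People,dc=testlab,dc=com
objectClass: posixAccount
userPassword:: e2NyeXB0fSQ2JDVQQVpVdE5VJENZL1ljU0tkMWFqaUNVYjR1M1NTTno0UUluMDR
 PZzBQSm9zVi9GRFZOU0N1VUhXQzZ4RVRXaTlEeFQ1VXJNLmFjMkdNLmkxUHB5WjYvRG1KaWlRVkgx
uidNumber: 1002
gidNumber: 1002
homeDirectory: /home/ldapuser1

dn: uid=ldapgroup1,ou=People,dc=testlab,dc=com
objectClass: posixAccount
userPassword:: e2NyeXB0fXg=
uidNumber: 1002
gidNumber:
homeDirectory:
"""

REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")  # posixAccount MUST attributes


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict attribute -> list of values."""
    entries, current = [], {}
    # A newline followed by a space is LDIF line folding: join such lines first.
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def validate_posix(entries):
    """List "dn: empty attr" for posixAccount entries whose required values are blank."""
    problems = []
    for entry in entries:
        if "posixAccount" in entry.get("objectClass", []):
            dn = entry.get("dn", ["<no dn>"])[0]
            problems += [f"{dn}: empty {a}" for a in REQUIRED if not entry.get(a, [""])[0]]
    return problems
```

Running validate_posix(parse_ldif(open("/root/groups.ldif").read())) before ldapadd reports exactly the entries that would be imported with blank POSIX attributes.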
Enable OpenLDAP access logging
cat >> /etc/rsyslog.conf << "EOF"
local4.* /var/log/slapd.log
EOF
Restart rsyslog and slapd
systemctl restart rsyslog
systemctl restart slapd
tail -f /var/log/slapd.log
If you change the default OpenLDAP port (normally unnecessary unless there is a conflict; remember to comment out the original setting rather than delete it, so you can go back)
vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi://0.0.0.0:4567/ ldap://0.0.0.0:4567/"
Query OpenLDAP
ldapsearch -LLL -x -D 'cn=root,dc=testlab,dc=com' -w "123456" -H ldap://0.0.0.0:4567/ -b 'dc=testlab,dc=com' 'uid=ldapuser1'
With great effort OpenLDAP is finally running, but that is only the first step
3. Combining Kerberos and CDH
Note: the Cloudera documentation states that LDAP for Hive is an alternative to Kerberos and the two cannot be enabled at the same time; enabling both causes the following problems:
Hue cannot connect to Hive, with the error: Bad status: 3 (Unsupported mechanism type GSSAPI)
beeline with Kerberos authentication gives the same error
With both Kerberos and LDAP enabled on Hive, logging in to Hue gives the error shown in the figure below:
When this happens, removing the LDAP configuration resolves it.
The difference between Kerberos and LDAP:
With Kerberos authentication, authentication is supported both between the Thrift client and HiveServer2 and between HiveServer2 and secure HDFS
With LDAP authentication, authentication is supported only between the Thrift client and HiveServer2
In practice, however, I found that they can coexist. Perhaps it depends on the version? In any case it works on version 6.
It is basically the same as Impala; note that the baseDN here has one fewer uid component
Hue needs the same change
To allow Kerberos to bind to the OpenLDAP server, create an administrator user and a principal, generate a keytab file, and set the file's permissions so it is readable by the user the LDAP service runs as (usually ldap)
kadmin.local -q "addprinc ldapadmin/master.wc.com@EXAMPLE.COM"
kadmin.local -q "addprinc -randkey ldapadmin/master.wc.com@EXAMPLE.COM"
kadmin.local -q "ktadd -k /etc/openldap/ldapmaster.keytab ldapadmin/master.wc.com@EXAMPLE.COM"
chown ldap:ldap /etc/openldap/ldapmaster.keytab
chmod 640 /etc/openldap/ldapmaster.keytab
This key must include the hostname of the server node
The -k after ktadd specifies that the key is stored in a local file.
Test with the ldapadmin user:
kinit ldapadmin
The system prompts for the password; if everything is fine it returns quietly. You have in fact passed Kerberos authentication and obtained a Service TGT (Ticket-Granting Ticket). The meaning of the Service TGT is that, for a period of time, you can use it to request certain services, such as the ldap service, without authenticating to Kerberos again.
Make sure LDAP uses the keytab file created in the previous step when it starts
Add the KRB5_KTNAME setting to /etc/sysconfig/ldap:
export KRB5_KTNAME=/etc/openldap/ldapmaster.keytab
Change the KRB5_KTNAME setting in /etc/sysconfig/slapd:
Uncomment it
KRB5_KTNAME="FILE:/etc/openldap/ldapmaster.keytab"
Restart slapd
Create a new user for Impala
root:cn=config/ # cat /etc/passwd | grep impala > /root/users
root:cn=config/ # cat /etc/group | grep hive > /root/groups
impala belongs to the hive group
root:cn=config/ # /usr/share/migrationtools/migrate_passwd.pl /root/users > /root/users.ldif
root:cn=config/ # /usr/share/migrationtools/migrate_group.pl /root/groups > /root/groups.ldif
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/users.ldif
root:cn=config/ # ldapadd -x -w "123456" -D "cn=root,dc=testlab,dc=com" -f /root/groups.ldif
You now have the impala user; set a password for it
ldappasswd -x -D "cn=root,dc=testlab,dc=com" -W -S "uid=impala,ou=people,dc=testlab,dc=com"
Set up the LDAP web UI
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum install php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 --skip-broken
yum install -y phpldapadmin
Open /etc/phpldapadmin/config.php
Add cn and sn at line 519
$servers->setValue('unique','attrs',array('mail','uid','uidNumber','cn','sn'));
Open /etc/httpd/conf.d/phpldapadmin.conf
Require local
and replace it with
Require all granted
Nothing else needs to change
Start httpd
systemctl start httpd
systemctl enable httpd
Browse to ip/phpldapadmin
Log in as root or another account you created
After logging in, check the impala password
Verify it works; if anything is wrong, reset the password
Then add it to CDH
Change these four places
ldap://master.example.com:389/
ou=people,dc=example,dc=com
-ldap_passwords_in_clear_ok
Restart Impala
Back to the command line to test
kdestroy # make sure the old Kerberos ticket is not used
impala-shell -i master.example.com:25003 -l -u impala --auth_creds_ok_in_clear
If you can log in normally, it worked