分享

hadoop【2.7.1】安全模说明【上】

pig2 发表于 2015-12-13 19:13:48 [显示全部楼层] 回帖奖励 阅读模式 关闭右栏 0 7885
本帖最后由 pig2 于 2015-12-26 18:03 编辑
问题导读



1.什么是Kerberos Principal?
2.Hadoop守护进程是否使用不同的用户?
3.各个守护进程keytab 文件各有什么特点?区别在什么地方?




说明
本文档介绍了如何配置验证Hadoop的安全模式。默认hadoop运行在非安全模式下,没有实际的身份验证要求。使用hadoop服务,每一个用户和服务都需要Kerberos身份验证。Hadoop的安全功能,包括身份验证,服务级授权,Web控制台认证和数据保密。
身份验证(http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/SecureMode.html#Authentication)
服务级授权(http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/ServiceLevelAuth.html)
Web控制台认证(http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/HttpAuthentication.html)
数据保密(http://hadoop.apache.org/docs/r2.7.1/hadoop-project-dist/hadoop-common/SecureMode.html#Data_confidentiality)


身份认证

终端用户帐户
当打开服务级别授权,终端用户使用hadoop安全模式需要Kerberos身份验证。最简单的方式认证是使用kinit Kerberos命令
【注释:kinit 命令:

用途
获得或更新 Kerberos 票据授权票据(ticket-granting ticket)。

描述
kinit 命令获得或更新 Kerberos 票据授权票据。如果不在命令行上指定一个票据标志,则使用由在 Kerberos 配置文件(kdc.conf )中的 [kdcdefault] 和 [realms] 指定的密钥分发中心(KDC)选项。




Hadoop守护进程用户帐户
确保HDFS和YARN守护进程运行不同的Unix用户,例如hdfs 和 yarn.同样确保MapReduce JobHistory server运行不同的用户比如mapred。
建议让它们共享Unix组,比如hadoop。详细查看 “Mapping from user to group”

User:Group
Daemons
hdfs:hadoop
NameNode, Secondary NameNode, JournalNode, DataNode
yarn:hadoop
ResourceManager, NodeManager
mapred:hadoop
MapReduce JobHistory Server

Kerberos Principal   hadoop守护进程和用户
运行hadoop守护进程服务在安全模式下, Kerberos principals是需要的。每个服务读取身份认证信息保存在keytab文件【有相应的权限】HTTP web-consoles服务于来自不同的RPC的 sprincipal【原文:HTTP web-consoles should be served by principal different from RPC’s one.】
下面部分给出了Hadoop服务凭证的例子。

注释:
【Kerberos协议术语解释【此部分是为帮助理解额外附加内容】
Principal:在Kerberos中,Principal是参加认证的基本实体。一般来说有两种,一种用来表示Kerberos数据库中的用户, 另一种用来代表某一特定主机,也就是说Principal是用来表示客户端和服务端身份的实体, Principal的格式采用ASN.1标准,即Abstract Syntax Notation One,来准确定义),Principal是由三个部分组成:名字(name),实例(instance),REALM(域)。比如一个标准的 Kerberos的用户是:name/instance@REALM 。
Name:第一部分。在代表客户方的情况,它是一个用户名;在代表主机的情况,它是写成host。
Instance:第二部分。对name的进一步描述,例如name所在的主机名或name的类型等,可省略。它与第一部分之间用‘ / ’分隔,但是作为主机的描述时写成host/Instance。
Realm:第三部分。是Kerberos在管理上的划分,在 KDC中所负责的一个域数据库称作为Realm。这个数据库中存放有该网络范围内的所有Principal和它们的密钥,数据库的内容被Kerberos 的认证服务器AS和票据授权服务器TGS所使用。Realm通常是永远是大写的字符,并且在大多数Kerberos系统的配置中,一般Realm和该网络环境的DNS域是一致的。与第二部分之间用‘@’分隔,缺省为本地的Realm。


HDFS
NameNode keytab 文件,在NameNode主机,应该是下面样子
[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/nn.service.keytab
Keytab name: FILE:/etc/security/keytab/nn.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 nn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]

Secondary NameNode keytab 文件,应该是下面样子
[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/sn.service.keytab
Keytab name: FILE:/etc/security/keytab/sn.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 sn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]

DataNode   keytab 文件,应该是下面样子
[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/dn.service.keytab
Keytab name: FILE:/etc/security/keytab/dn.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 dn/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]

YARN

ResourceManager    keytab 文件,在ResourceManager客户端,应该是下面样子

[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/rm.service.keytab
Keytab name: FILE:/etc/security/keytab/rm.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 rm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]

NodeManager    keytab 文件,在每个客户端,应该是下面样子
[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/nm.service.keytab
Keytab name: FILE:/etc/security/keytab/nm.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 nm/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]

MapReduce JobHistory Server

MapReduce JobHistory Server  keytab 文件,应该是下面样子
[mw_shl_code=bash,true]$ klist -e -k -t /etc/security/keytab/jhs.service.keytab
Keytab name: FILE:/etc/security/keytab/jhs.service.keytab
KVNO Timestamp Principal
4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 jhs/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-256 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (AES-128 CTS mode with 96-bit SHA-1 HMAC)
4 07/18/11 21:08:09 host/full.qualified.domain.name@REALM.TLD (ArcFour with HMAC/md5)[/mw_shl_code]










没找到任何评论,期待你打破沉寂

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

关闭

推荐上一条 /2 下一条