0890-7.1.6-如何在CDP集群配置Kerberos高可用
本帖最后由 fc013 于 2022-9-2 18:30 编辑问题导读:
1、怎样配置Kerberos的主备节点?
2、怎样验证kadmin和kdc服务挂掉后的高可用?
3、怎样验证kdc和kadmin服务宕掉一个之后,不会影响到集群作业的运行?
1.文档编写目的
本篇文章主要介绍如何在CDP 7.1.6集群中配置Kerberos的高可用。
文档概述
1.如何在CDP7集群配置Kerberos高可用
2.验证
3.总结
测试环境
1.操作系统Redhat7.2
2.CDP7.1.6
3.使用root用户操作
2.备节点安装Kerberos服务
1.在备节点安装Kerberos服务,暂时不进行相关配置
# yum install -y krb5-server openldap-clients krb5-workstation k
3.主节点Kerberos操作
1.修改/etc/krb5.conf的配置文件,在realms配置下增加备Kerberos的配置
MACRO.COM = {
kdc = cdh1.macro.com
admin_server = cdh1.macro.com
kdc = cdh2.macro.com
admin_server = cdh2.macro.com
}
2.将修改后的配置文件同步到集群所有Kerberos客户端对应目录
# scp -rp /etc/krb5.conf 192.168.0.75:/etc/
# scp -rp /etc/krb5.conf 192.168.0.74:/etc/
3.保存配置,然后重启krb5kdc和kadmin服务
# systemctl restart krb5kdc
# systemctl restart kadmin
4.创建主从同步账号,并为账号生成Keytab文件
Kadmin.local:addprinc -randkey host/cdh1.macro.com
Kadmin.local:addprinc -randkey host/cdh2.macro.com
Kadmin.local:ktadd host/cdh1.macro.com
Kadmin.local:ktadd host/cdh2.macro.com
使用随机生成秘钥的方式创建同步账号,并使用ktadd命令生成同步账号的keytab文件,默认文件生成在/etc/krb5.keytab下,生成多个账号则在krb5.keytab基础上追加。
5.复制以下文件到备Kerberos服务器相应目录。将/etc目录下的krb5.conf和krb5.keytab文件拷贝至备Kerberos服务器的/etc目录下,将/var/kerberos/krb5kdc目录下的.k5.CLOUDERA.COM、kadm5.acl和krb5.conf文件拷贝至备Kerberos服务器的/var/kerberos/krb5kdc目录下
4.备Kerberos节点操作
1.需要申明用来同步的用户,在/var/kerberos/krb5kdc/kpropd.acl配置文件中添加对应账户,如果配置文件不存在则新增
# vim /var/kerberos/krb5kdc/kpropd.acl
host/cdh2.macro.com@MACRO.COM
host/cdh1.macro.com@MACRO.COM
2.启动kprop服务并加入系统自启动
# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
# systemctl start kprop
# systemctl status kprop
备节点上已经准备好数据传输,接下来在主节点上使用kdb5_util将Kerberos库导出,然后通过kprop命令向备节点同步数据
5.节点数据同步至备节点
1.在主节点上使用krb5_util命令导出Kerberos数据库文件
# kdb5_util dump /var/kerberos/krb5kdc/master.dump
导出成功后生成master.dump和master.dump.dump_ok两个文件
2.在主节点上使用kprop命令将master.dump文件同步至备节点
# kdb5_util dump /var/kerberos/krb5kdc/master.dump
# kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 cdh2.macro.com
32768 bytes sent.
65536 bytes sent.
69177 bytes sent.
Database propagation to cdh2.macro.com: SUCCEEDED
3.在备节点的/var/kerberos/krb5kdc目录下查看
# pwd
/var/kerberos/krb5kdc
# ll
4.在备节点上测试同步过来的数据是否能启动Kerberos服务
# systemctl start krb5kdc
# systemctl status krb5kdc
5.在备节点上验证kadmin服务是否正常
# kadmin.local
Authenticating as principal flink/admin@MACRO.COM with password.
kadmin.local:addprinc tets1
WARNING: no policy specified for tets1@MACRO.COM; defaulting to no policy
Enter password for principal "tets1@MACRO.COM":
Re-enter password for principal "tets1@MACRO.COM":
Principal "tets1@MACRO.COM" created.
kadmin.local:listprinc
6.Kill主服务的krb5kdc服务和kadmin服务进行验证
# ps -ef|grep krb5kdc
root 13391 10 11:17 ? 00:00:11 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
root 24764 257860 15:09 pts/0 00:00:00 grep --color=auto krb5kdc
# kill -9 13391
# ps -ef|grep kadmin
root 13461 10 11:17 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
root 25009 257860 15:09 pts/0 00:00:00 grep --color=auto kadmin
# kill -9 13461
7.在备用服务器上服务依旧正常,可以正常添加凭证
# kadmin.local
Authenticating as principal flink/admin@MACRO.COM with password.
kadmin.local:addprinc test2
WARNING: no policy specified for test2@MACRO.COM; defaulting to no policy
Enter password for principal "test2@MACRO.COM":
Re-enter password for principal "test2@MACRO.COM":
Principal "test2@MACRO.COM" created.
kadmin.local:listprincs
8.在其他客户端节点登录刚新增的用户正常
# kinit test2
Password for test2@MACRO.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test2@MACRO.COM
Valid starting Expires Service principal
06/01/2021 15:19:1806/02/2021 15:19:18krbtgt/MACRO.COM@MACRO.COM
renew until 06/08/2021 15:19:18
6.验证
6.1Principal Account验证
因为前面的配置安装,已经将主节点的kdc和kadmin服务挂掉,所以直接进行验证
1.进入CM>管理>安全>Kerberos凭据>导入Kerberos Account Manager凭据
2.勾选I have completed all the above steps并继续
3.设置主机为挂掉的节点并继续
4.输入Kerberos管理员账号和密码并继续
5.导入凭据正常并且集群各组件正常运行
在服务挂掉的节点进行生成Keytab操作
# kadmin.local
Authenticating as principal test2/admin@MACRO.COM with password.
kadmin.local:ktadd test2
kadmin.local: Principal test2 does not exist.
6.2在CM中进行生成Keytab操作
1.在CM中进行生成Keytab操作之前需要停止集群
2.进入CM>群集>主机界面
3.选择主节点和备节点,并点击已选定操作>重新生成Keytab
4.重新生成Keytab成功,启动各项服务并查看是否正常运行
6.3在备节点命令行进行生成Keytab操作
# kadmin.local
Authenticating as principal cm/admin@MACRO.COM with password.
kadmin.local:ktadd test2
Entry for principal test2 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal test2 with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
6.4Kdc和kadmin服务宕掉一个后,是否会影响正在运行的集群作业
1.在主启动kdc和kadmin服务,备节点启动kdc
# systemctl start krb5kdc
# systemctl start kadmin
# systemctl status krb5kdc
# systemctl status kadmin
# systemctl start krb5kdc
# systemctl status krb5kdc
2.在主节点向hdfs上传文件,并在上传过程中kill掉kdc服务
# hdfs dfs -put CDH-5.16.2-1.cdh5.16.2.p0.8-el7.parcel /test/
# ps -ef|grep krb5kdc
# ps -ef|grep krb5kdc
# kill -9 9210
# ps -ef|grep krb5kdc
上传无异常返回,查看hdfs/test目录下文件是否上传成功(成功上传)
# hdfs dfs -ls /test/
3.在主节点向hdfs上传文件,并在上传过程中kill掉kadmin服务
# hdfs dfs -put cloudera-manager-daemons-5.16.2-1.cm516
# ps -ef|grep kadmin
# kill -9 18517
# ps -ef|grep kadmin
上传无异常返回,查看hdfs/test目录下文件是否上传成功(上传成功)
# hdfs dfs -ls /test/
6.5Kdc和kadmin服务宕掉一个后,是否会影响新提交的集群作业
1.Kill掉主节点等的kdc服务并启动kadmin服务
# systemctl start kadmin
# systemctl status kadmin
# ps -ef|grep krb5kdc
# kill -9 17033
# ps -ef|grep krb5kdc
# systemctl status krb5kdc
2.向hdfs提交一个上传的任务并查看是否上传成功(成功)
# hdfs dfs -put oracle-j2sdk1.7-1.7.0+update67-1.x86_64.rpm /test/
# hdfs dfs -ls /test
3.Kill掉主节点的kadmin服务并启动kdc服务
# systemctl start krb5kdc
# systemctl status krb5kdc
# ps -ef|grep kadmin
# kill -9 23523
# ps -ef|grep kadmin
4.向hdfs提交一个上传任务并查看任务是否成功上传
# hdfs dfs -put cloudera-manager-daemons-5.16.2-1.cm5162.p0.7.el7.x86_64.rpm /test/
# hdfs dfs -ls /test/
6.6于6.2/10:40宕掉主节点kdc服务,第二天查看服务是否正常
1.宕掉kdc服务
# ps -ef|grep krb5kdc
# kill -9 26831
# ps -ef|grep krb5kdc
# systemctl status krb5kdc
2.检查集群运行状况
3.集群作业测试
# hdfs dfs -put CDH-5.16.2-1.cdh5.16.2.p0.8-el7.parcel /test/
# hdfs dfs -ls /test/
7.总结
1.在集群中配置了Kerberos高可用后,kadmin和kdc服务挂掉了不会影响导入CM的principal Account操作,但是在主节点的命令行无法进行生成Keytab的操作,只能在备节点的命令行进行生成Keytab操作
2.在集群中配置了kerberos高可用后,kdc和kadmin服务宕掉一个之后,不会影响到集群作业的运行(正在运行的作业或者是新提交的作业都不受影响)
3.在集群中配置了kerberos高可用后,在宕掉主节点的kdc和kadmin服务后,对CM集群中进行生成Keytab操作,集群组件运行无异常
4.在集群中配置了kerberos高可用后,宕掉主节点的kdc服务长时间不会发生异常问题
最新经典文章,欢迎关注公众号http://www.aboutyun.com/data/attachment/forum/201903/18/215536lzpn7n3u7m7u90vm.jpg
---------------------
作者:Hadoop实操
来源:weixin
原文:0890-7.1.6-如何在CDP集群配置Kerberos高可用
页:
[1]