172.29.0.24 hadoop08
7.3. Modify the configuration files
1. /etc/krb5.conf
[root@hadoop01 ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = hadoop01
  admin_server = hadoop01
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
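The realm wiring in the file above can be checked mechanically before the KDC is started. The following is an added example, not part of the original tutorial or of MIT Kerberos: check_krb5_realm is a hypothetical helper, and the sample file it runs on is constructed from the values shown above.

```bash
#!/usr/bin/env bash
# Added example: check_krb5_realm is a hypothetical helper, not an MIT Kerberos tool.
# It verifies that default_realm has a [realms] block with kdc and admin_server,
# and that at least one [domain_realm] entry maps to it.
check_krb5_realm() {
    awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }           # blank lines and comments
        /^[ \t]*\[/ {                                  # section header, e.g. [realms]
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == "libdefaults" && $1 == "default_realm" { realm = $3 }
        sec == "realms" && $2 == "=" && $3 == "{"      { cur = $1; next }
        sec == "realms" && $1 == "}"                   { cur = ""; next }
        sec == "realms" && cur != "" && $1 == "kdc"          { kdc[cur] = $3 }
        sec == "realms" && cur != "" && $1 == "admin_server" { adm[cur] = $3 }
        sec == "domain_realm" && $2 == "="             { mapped[$3] = 1 }
        END {
            if (realm == "") { print "no default_realm in [libdefaults]"; exit 1 }
            bad = 0
            if (!(realm in kdc))    { print "no kdc for " realm; bad = 1 }
            if (!(realm in adm))    { print "no admin_server for " realm; bad = 1 }
            if (!(realm in mapped)) { print "no [domain_realm] entry maps to " realm; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample using the same realm and host names as the file above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = false
[realms]
 EXAMPLE.COM = {
  kdc = hadoop01
  admin_server = hadoop01
 }
[domain_realm]
 .example.com = EXAMPLE.COM
EOF
check_krb5_realm "$sample" && echo "krb5.conf: realm definitions are consistent"
```

On a real host, pass /etc/krb5.conf as the argument; a non-zero exit status means one of the three checks failed and the reason is printed.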
7.4. Create the Kerberos database
[root@hadoop01 ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
7.5. Start the KDC
[root@hadoop01 ~]# service krb5kdc start
正在启动 Kerberos 5 KDC:[确定]
[root@hadoop01 ~]# service kadmin start
正在启动 Kerberos 5 Admin Server:[确定]
7.6. Enable the KDC at boot
[root@hadoop01 ~]# chkconfig krb5kdc on
[root@hadoop01 ~]# chkconfig kadmin on
7.7. Create the Kerberos administrator
[root@hadoop01 ~]# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@EXAMPLE.COM with password.
WARNING: no policy specified for admin/admin@EXAMPLE.COM; defaulting to no policy
Enter password for principal "admin/admin@EXAMPLE.COM":
Re-enter password for principal "admin/admin@EXAMPLE.COM":
Principal "admin/admin@EXAMPLE.COM" created.
7.8. Restart the KDC
[root@hadoop01 ~]# service kadmin restart
停止 Kerberos 5 Admin Server:[确定]
正在启动 Kerberos 5 Admin Server:[确定]
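7.9. Install the JCE
JCE (Java Cryptography Extension) is a set of packages that provide a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. It supports symmetric, asymmetric, block and stream ciphers, and it also supports secure streams and sealed objects. It is not exported outside the country, and once an application developed with it has been packaged, it can no longer be called.
Supplement 2: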
If you are using Oracle JDK, you must distribute and install the JCE on all hosts in the cluster, including the Ambari Server. Be sure to restart Ambari Server after installing the JCE. If you are using OpenJDK, some distributions of the OpenJDK come with unlimited strength JCE automatically and therefore, installation of JCE is not required.
For Oracle JDK 1.8:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
For Oracle JDK 1.7:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
12. Unzip the downloaded JCE and overwrite the files in the $JAVA_HOME/jre/lib/security/ directory (on all nodes)
[root@hadoop-db ~]# unzip UnlimitedJCEPolicyJDK7.zip
Archive: UnlimitedJCEPolicyJDK7.zip
creating: UnlimitedJCEPolicy/
inflating: UnlimitedJCEPolicy/US_export_policy.jar
inflating: UnlimitedJCEPolicy/local_policy.jar
inflating: UnlimitedJCEPolicy/README.txt
[root@hadoop-db ~]# cd UnlimitedJCEPolicy
[root@hadoop-db UnlimitedJCEPolicy]# ll
总用量 16
-rw-rw-r-- 1 root root 2500 6月 1 2011 local_policy.jar
-rw-r--r-- 1 root root 7289 6月 1 2011 README.txt
-rw-rw-r-- 1 root root 2487 6月 1 2011 US_export_policy.jar
[root@hadoop-db UnlimitedJCEPolicy]# cp *.jar /opt/java/jre/lib/security/
cp:是否覆盖\? y
cp:是否覆盖\? y
[root@hadoop-db UnlimitedJCEPolicy]# cd /opt/java/jre/lib/security/
[root@hadoop-db security]# ll
总用量 136
-rw-r--r-- 1 root root 3890 9月 30 09:55 blacklist
-rw-r--r-- 1 root root 92776 9月 30 09:55 cacerts
-rw-r--r-- 1 root root 158 9月 30 09:55 javafx.policy
-rw-r--r-- 1 root root 2593 9月 30 09:55 java.policy
-rw-r--r-- 1 root root 17838 9月 30 09:55 java.security
-rw-r--r-- 1 root root 98 9月 30 09:55 javaws.policy
-rw-r--r-- 1 root root 2500 12月 7 17:01 local_policy.jar
-rw-r--r-- 1 root root 0 9月 30 09:55 trusted.libraries
-rw-r--r-- 1 root root 2487 12月 7 17:01 US_export_policy.jar
# Replace the JCE on the other nodes
[root@hadoop-db security]# scp *.jar hadoop01:/opt/java/jre/lib/security/
local_policy.jar 100% 2500 2.4KB/s 00:00
US_export_policy.jar 100% 2487 2.4KB/s 00:00
[root@hadoop-db security]# scp *.jar ws1dn1:/opt/java/jre/lib/security/
The authenticity of host 'ws1dn1 (192.168.1.61)' can't be established.
RSA key fingerprint is b4:59:18:46:76:2e:27:e2:2c:5b:36:9b:49:b8:72:7b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ws1dn1,192.168.1.61' (RSA) to the list of known hosts.
local_policy.jar 100% 2500 2.4KB/s 00:00
US_export_policy.jar 100% 2487 2.4KB/s 00:00
[root@hadoop-db security]# scp *.jar ws1dn2:/opt/java/jre/lib/security/
The authenticity of host 'ws1dn2 (192.168.1.62)' can't be established.
RSA key fingerprint is 45:47:8e:56:08:66:2b:23:a6:a6:f1:09:14:8a:64:91.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ws1dn2,192.168.1.62' (RSA) to the list of known hosts.
local_policy.jar 100% 2500 2.4KB/s 00:00
US_export_policy.jar 100% 2487 2.4KB/s 00:00
[root@hadoop-db security]# scp *.jar ws1dn3:/opt/java/jre/lib/security/
The authenticity of host 'ws1dn3 (192.168.1.63)' can't be established.
RSA key fingerprint is 02:5c:3b:ce:20:f1:27:f9:6e:ca:f9:95:f6:66:84:6f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ws1dn3,192.168.1.63' (RSA) to the list of known hosts.
local_policy.jar 100% 2500 2.4KB/s 00:00
US_export_policy.jar
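After copying, each node's policy jars can be compared against the unzipped originals by SHA-256, which catches a node that kept an old jar or received a truncated copy. This is an added example, not from the original tutorial: jce_policy_manifest and jce_policy_verify are hypothetical helper names, and the demonstration files are constructed stand-ins, not real policy jars.

```bash
#!/usr/bin/env bash
# Added example; both function names are hypothetical helpers.

# Print "sha256  name" lines for the two policy jars in directory $1.
jce_policy_manifest() {
    ( cd "$1" && sha256sum local_policy.jar US_export_policy.jar )
}

# Read a manifest on stdin and check the jars in directory $1 against it.
# Returns non-zero if a jar is missing or its digest differs.
jce_policy_verify() {
    ( cd "$1" && sha256sum --check --quiet - ) 2>/dev/null
}

# Offline demonstration on constructed stand-in files (not real policy jars).
src=$(mktemp -d)     # plays the role of the unzipped UnlimitedJCEPolicy directory
node=$(mktemp -d)    # plays the role of a node's jre/lib/security directory
printf 'constructed-local\n'  > "$src/local_policy.jar"
printf 'constructed-export\n' > "$src/US_export_policy.jar"
cp "$src"/*.jar "$node"/

jce_policy_manifest "$src" | jce_policy_verify "$node" && echo "node copy matches"

# Simulate a node that still has an old jar in place.
printf 'stale\n' > "$node/local_policy.jar"
jce_policy_manifest "$src" | jce_policy_verify "$node" || echo "node copy differs"
```

Against a real node the manifest can be piped over SSH, for example `jce_policy_manifest UnlimitedJCEPolicy | ssh hadoop01 'cd /opt/java/jre/lib/security && sha256sum --check --quiet -'`.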
7.10. Restart Ambari-Server
7.11. Start the installation wizard
Enter the KDC information created above
Click Next
Test
Click Next without changing anything