Hadoop Kerberos security configuration
export HADOOP_OPTS="$HADOOP_OPTS -DKERBEROS_DOMAIN=you-kerberos-domain.com"
2.1 core-site.xml
Configure the following parameters in core-site.xml.
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
  <description>Is service-level authorization enabled?</description>
</property>
<property>
  <name>hadoop.rpc.protection</name>
  <value>privacy</value>
  <description>Possible values are authentication (no integrity or privacy), integrity, and privacy</description>
</property>
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
  <description>Possible values are simple (no authentication), and kerberos</description>
</property>

2.2 hdfs-site.xml
Configure the following parameters in hdfs-site.xml.
<property>
  <name>dfs.https.address</name>
  <value>namenodeHost:50470</value>
</property>
<property>
  <name>dfs.https.port</name>
  <value>50470</value>
</property>
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/home/hadoop/hadoop/conf/hadoop.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hadoop/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>dfs.namenode.kerberos.https.principal</name>
  <value>host/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>755</value>
  <description>Permissions for the directories on the local filesystem where the DFS data node stores its blocks. The permissions can either be octal or symbolic.</description>
</property>
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:1004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:1006</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/home/hadoop/hadoop/conf/hadoop.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hadoop/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>dfs.datanode.kerberos.https.principal</name>
  <value>host/_HOST@${KERBEROS_DOMAIN}</value>
</property>

2.3 mapred-site.xml
Configure the following parameters in mapred-site.xml.
<property>
  <name>mapreduce.jobtracker.kerberos.principal</name>
  <value>hadoop/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>mapreduce.jobtracker.kerberos.https.principal</name>
  <value>host/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>mapreduce.jobtracker.keytab.file</name>
  <value>/home/hadoop/hadoop/conf/hadoop.keytab</value>
</property>
<property>
  <name>mapreduce.tasktracker.kerberos.principal</name>
  <value>hadoop/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>mapreduce.tasktracker.kerberos.https.principal</name>
  <value>host/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>mapreduce.tasktracker.keytab.file</name>
  <value>/home/hadoop/hadoop/conf/hadoop.keytab</value>
</property>
<property>
  <name>mapred.task.tracker.task-controller</name>
  <value>org.apache.hadoop.mapred.DefaultTaskController</value>
</property>
<property>
  <name>mapreduce.tasktracker.group</name>
  <value>hadoop</value>
</property>

2.4 Hadoop Startup Command
hadoop@_HOST:~$ ~hadoop/hadoop/bin/hadoop-daemon.sh start namenode
root@_HOST:~# ~hadoop/hadoop/bin/hadoop-daemon.sh start datanode
hadoop@_HOST:~$ ~hadoop/hadoop/bin/hadoop-daemon.sh start jobtracker
hadoop@_HOST:~$ ~hadoop/hadoop/bin/hadoop-daemon.sh start tasktracker
Only the DataNode is started as root: with the settings above it binds the privileged ports 1004 and 1006, and the secure DataNode needs root to do so.

2.5 Hadoop 1.0.3 fair-scheduler Kerberos Authentication Bug (when Job Submitted)
Tracking this bug down was rather roundabout. The official bug tracker already has a corresponding fix. The root cause turned out to be how ExecutorService works: an ExecutorService can spawn several threads, but it does not create them all up front (it creates them on demand), so when a thread is created at that later point, it no longer has the corresponding Kerberos authentication information. See MAPREDUCE-4451: fairscheduler fail to init job with kerberos authentication configured.

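The lazy-thread failure mode described above, modeled in Python as an added example (not Hadoop's code and not the fix in MAPREDUCE-4451): a thread-local stands in for the login context, the pool's first worker is created only at first submit and so lacks that context, and the fixed submitter re-attaches the caller's identity inside the task, as wrapping the job-init Runnable in doAs would. The principal and job ids are constructed.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Thread-bound stand-in for the Kerberos login context (the JAAS Subject that
# UserGroupInformation.doAs binds to the calling thread). A model, not Hadoop code.
_login = threading.local()

def login_as(principal):
    """Attach a Kerberos identity to the current thread (constructed principals below)."""
    _login.principal = principal

def current_principal():
    return getattr(_login, "principal", None)

def init_job(job_id):
    """Model of the fair scheduler's job-init task, which must act as the JobTracker's
    Kerberos identity (for example to read the job's files from HDFS)."""
    principal = current_principal()
    if principal is None:
        raise PermissionError(f"{job_id}: no Kerberos login context on thread "
                              f"{threading.current_thread().name}")
    return f"{job_id} initialised as {principal}"

def submit_unwrapped(pool, job_id):
    """Buggy pattern from the bug above: the pool creates its worker thread lazily, at
    first submit, and that fresh thread has no login context of its own."""
    return pool.submit(init_job, job_id)

def submit_with_doas(pool, job_id):
    """Fixed pattern: capture the submitter's identity and re-establish it inside the
    task, the way wrapping the Runnable in doAs does."""
    principal = current_principal()
    def run():
        login_as(principal)
        return init_job(job_id)
    return pool.submit(run)

def demo():
    """Run both patterns on a fresh pool; returns (unwrapped outcome, fixed outcome)."""
    login_as("hadoop/jt.example.com@EXAMPLE.COM")  # constructed JobTracker principal
    with ThreadPoolExecutor(max_workers=1) as pool:
        try:
            unwrapped = submit_unwrapped(pool, "job_001").result()
        except PermissionError as err:
            unwrapped = str(err)
        fixed = submit_with_doas(pool, "job_002").result()
    return unwrapped, fixed
```

Note that once a worker has run a wrapped task it keeps that identity, so a later unwrapped task on the same thread may succeed by accident; that is why every task, not just the first, must be wrapped.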
3. Secure HBase Kerberos Configuration
Before configuring HBase, set a Java system property in hbase-env.sh:
export HBASE_OPTS="$HBASE_OPTS -DKERBEROS_DOMAIN=you-kerberos-domain.com"
3.1 hbase-site.xml
<property>
  <name>hbase.regionserver.kerberos.principal</name>
  <value>hbase/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>hbase.regionserver.keytab.file</name>
  <value>/home/hbase/hbase/conf/hdfs.keytab</value>
</property>
<property>
  <name>hbase.master.kerberos.principal</name>
  <value>hbase/_HOST@${KERBEROS_DOMAIN}</value>
</property>
<property>
  <name>hbase.master.keytab.file</name>
  <value>/home/hbase/hbase/conf/hdfs.keytab</value>
</property>
<property>
  <name>hbase.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hbase.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hbase.rpc.engine</name>
  <value>org.apache.hadoop.hbase.ipc.SecureRpcEngine</value>
</property>
<property>
  <name>hbase.rpc.protection</name>
  <value>privacy</value>
</property>

3.2 Secure HBase Startup Command
hbase@_HOST:~$ ~hbase/hbase/bin/hbase-daemon.sh start master
hbase@_HOST:~$ ~hbase/hbase/bin/hbase-daemon.sh start regionserver

3.3 HBase Security Coprocessor Configuration
<property>
  <name>hbase.coprocessor.master.classes</name>
  <value>org.apache.hadoop.hbase.security.access.AccessController</value>
</property>
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hba
</property>

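A check for the files above (core-site.xml, hdfs-site.xml and mapred-site.xml in 2.1 to 2.3, and with HBASE_EXPECTED the hbase-site.xml in 3.1): an added Python example, not part of the original page or of Hadoop, that flattens a *-site.xml, resolves the ${KERBEROS_DOMAIN} and _HOST placeholders the way the daemons do, and reports security switches that differ from the values the page sets. The sample XML, the realm and the host name are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real cluster file), in the shape of the core-site.xml /
# hdfs-site.xml above, with hadoop.rpc.protection deliberately weakened.
SAMPLE_SITE_XML = """<configuration>
<property><name>hadoop.security.authentication</name><value>kerberos</value></property>
<property><name>hadoop.security.authorization</name><value>true</value></property>
<property><name>hadoop.rpc.protection</name><value>authentication</value></property>
<property><name>dfs.namenode.kerberos.principal</name><value>hadoop/_HOST@${KERBEROS_DOMAIN}</value></property>
<property><name>dfs.datanode.address</name><value>0.0.0.0:1004</value></property>
</configuration>"""

# Security switches and the values the page sets them to, per file family.
HADOOP_EXPECTED = {"hadoop.security.authentication": "kerberos",
                   "hadoop.security.authorization": "true",
                   "hadoop.rpc.protection": "privacy"}
HBASE_EXPECTED = {"hbase.security.authentication": "kerberos",
                  "hbase.security.authorization": "true",
                  "hbase.rpc.protection": "privacy"}

def parse_site_xml(text):
    """Flatten a *-site.xml into {property name: value}."""
    root = ET.fromstring(text)
    return {p.findtext("name"): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def resolve_principal(value, kerberos_domain, host):
    """Expand ${KERBEROS_DOMAIN} (the -D property from HADOOP_OPTS / HBASE_OPTS) and
    _HOST (which each daemon replaces with its own host name at startup)."""
    return value.replace("${KERBEROS_DOMAIN}", kerberos_domain).replace("_HOST", host)

def audit(props, expected, kerberos_domain, host):
    """Return findings; an empty list means the file matches the page's settings."""
    findings = []
    for name, want in expected.items():
        if props.get(name) != want:
            findings.append(f"{name}={props.get(name)!r}, expected {want!r}")
    for name, value in props.items():
        if ".kerberos." in name and name.endswith(".principal"):
            principal = resolve_principal(value, kerberos_domain, host)
            if not re.fullmatch(r"[\w-]+/[\w.-]+@[\w.-]+", principal):
                findings.append(f"{name} does not resolve to service/host@REALM: {principal!r}")
    # A privileged (<1024) DataNode port is why the page starts the DataNode as root.
    addr = props.get("dfs.datanode.address", "")
    if ":" in addr and int(addr.rsplit(":", 1)[1]) >= 1024:
        findings.append(f"dfs.datanode.address={addr}: secure DataNode expects a port below 1024")
    return findings
```

Run audit(parse_site_xml(open(path).read()), HADOOP_EXPECTED, realm, host) over each real file; an empty realm (the -D property not set) shows up as principals that fail to resolve.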
3.4 HTable Security Command
HBase provides three commands for controlling table access permissions:
- user_permission
- grant
- revoke