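Most Hadoop clusters adopt Kerberos as the authentication protocol.
# KDC host: server package plus the client libraries and tools
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
# Other hosts: client libraries and tools only
yum -y install krb5-libs krb5-auth-dialog krb5-workstation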
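The krb5.conf file contains the addresses of the KDCs and admin servers, the defaults for the current realm and for Kerberos applications, and the mappings of hostnames onto Kerberos realms. krb5.conf is usually located at /etc/krb5.conf.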
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = HADOOP.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true

    [realms]
     HADOOP.COM = {
      kdc = node1.hadoop.com
      admin_server = node1.hadoop.com
     }
     AD.COM = {
      kdc = windc.ad.com
      admin_server = windc.ad.com
     }

    [domain_realm]
     .hadoop.com = HADOOP.COM
     hadoop.com = HADOOP.COM
     .ad.com = AD.COM
     ad.com = AD.COM

    [capaths]
     AD.COM = {
      HADOOP.COM = .
     }
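realms: under HADOOP.COM, kdc and admin_server are the address of the host where we installed the KDC; under AD.COM they are the address of the Domain Controller host.
domain_realm: provides the translation from a domain name or hostname to a Kerberos realm name. Both must be lowercase.
capaths: in cross-realm authentication, a database is needed to construct the authentication paths between the different realms. This section defines that store.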
    [realms]
     HADOOP.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
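A check that can be run over the two files above before rolling them out, given here as an added example that is not part of the original article: it parses the krb5 profile format, verifies that [domain_realm] keys are lowercase and map to a realm defined in [realms], and flags supported_enctypes entries from the DES, 3DES and RC4 families, which RFC 6649 and RFC 8429 deprecate for Kerberos. The helper names parse_profile and lint and the sample strings are assumptions made for illustration.

```python
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")  # DES: RFC 6649; 3DES, RC4: RFC 8429

def parse_profile(text):
    """Illustrative helper: krb5 profile text -> {section: {key: value or dict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None                  # end of a realm sub-block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:                         # repeated keys keep the last value
                (section if block is None else block)[key] = value
    return conf

def lint(krb5_text, kdc_text):
    """Return findings for krb5.conf [domain_realm] and kdc.conf enctypes."""
    krb5, kdc, findings = parse_profile(krb5_text), parse_profile(kdc_text), []
    for host, realm in krb5.get("domain_realm", {}).items():
        if host != host.lower():
            findings.append(f"domain_realm: '{host}' is not lowercase")
        if realm not in krb5.get("realms", {}):
            findings.append(f"domain_realm: '{host}' maps to undefined realm {realm}")
    for realm, opts in kdc.get("realms", {}).items():
        for entry in opts.get("supported_enctypes", "").split():
            if entry.startswith(WEAK_PREFIXES):   # entry looks like "enctype:salt"
                findings.append(f"{realm}: deprecated enctype {entry.split(':')[0]}")
    return findings
# Constructed input: ".AD.com" and the missing AD.COM realm stanza are deliberate.
KRB5_CONF = """[realms]
 HADOOP.COM = {
 }
[domain_realm]
 .hadoop.com = HADOOP.COM
 .AD.com = AD.COM
"""
KDC_CONF = """[realms]
 HADOOP.COM = {
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-cbc-crc:normal
 }
"""
if __name__ == "__main__":
    print("\n".join(lint(KRB5_CONF, KDC_CONF)))
```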
Kerberos How to Kerberize an Hadoop Cluster
Original article: http://www.cnblogs.com/qingwen/p/5011134.html