This post only records the process of configuring authentication for ZooKeeper installed on a Linux virtual machine, for my own later study.
It covers the process of configuring Kerberos authentication for ZooKeeper; the cluster installation itself is already covered in "zookeeper集群的部署安装"
and is not repeated here.
Readers should read the whole post, add their own understanding, and then configure their setup by reference to it.
This post is based entirely on another blogger's configuration; on that basis I filled in paths, added configuration items and so on, so that it is detailed enough for future configuration work. The reference link is at the end of the post.
ZooKeeper Kerberos configuration
1. Create the Kerberos principals for ZK
1.1 Run kadmin.local
kadmin.local
1.2 Create the principals
addprinc zookeeper/master
# enter password 1234
addprinc zookeeper/slave1
# enter password 1234
addprinc zookeeper/slave2
# enter password 1234
addprinc zkcli/hadoop
ktadd -norandkey -k /etc/security/keytab/zk-master.keytab zookeeper/master
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/master
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/slave1
ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/slave2
1.3 Copy the keytab to all nodes
Go to /etc/security/keytab/
cd /etc/security/keytab/
scp zk-server.keytab root@master:/usr/local/zookeeper-3.4.10/conf/
scp zk-server.keytab root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp zk-server.keytab root@slave2:/usr/local/zookeeper-3.4.10/conf/
2. Modify the ZK configuration file (zoo.cfg) and add the following
2.1 Go to /usr/local/zookeeper-3.4.10/conf/
cd /usr/local/zookeeper-3.4.10/conf/
2.2 Add the configuration
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
kerberos.rem
2.3 Sync it to the other nodes
scp /usr/local/zookeeper-3.4.10/conf/zoo.cfg root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp /usr/local/zookeeper-3.4.10/conf/zoo.cfg root@slave2:/usr/local/zookeeper-3.4.10/conf/
3. Create the jaas.conf file
Go to /usr/local/zookeeper-3.4.10/conf/ and create the file
cd /usr/local/zookeeper-3.4.10/conf/
touch jaas.conf
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper-3.4.10/conf/zk-server.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/master@HADOOP.COM";
};
4. Create the client principals
4.1 Run kadmin.local
addprinc zkcli/master
addprinc zkcli/slave1
addprinc zkcli/slave2
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/master
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/slave1
ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/slave2
4.2 Distribute the keytab file to the other nodes
scp /etc/security/keytab/zk-clie.keytab root@master:/usr/local/zookeeper-3.4.10/conf/
scp /etc/security/keytab/zk-clie.keytab root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp /etc/security/keytab/zk-clie.keytab root@slave2:/usr/local/zookeeper-3.4.10/conf/
5. Configure the client-jaas.conf file
The current directory is /usr/local/zookeeper-3.4.10/conf/
touch client-jaas.conf
vi client-jaas.conf
# add the following configuration, then save and exit
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper-3.4.10/conf/zk-clie.keytab"
storeKey=true
useTicketCache=false
principal="zkcli/master@HADOOP.COM";
};
Distribute it to the other nodes and change the principal on each of them (zkcli/slave1 on slave1, zkcli/slave2 on slave2)
scp client-jaas.conf root@slave1:/usr/local/zookeeper-3.4.10/conf/
scp client-jaas.conf root@slave2:/usr/local/zookeeper-3.4.10/conf/
6. Verify ZK Kerberos
Create the java.env file
touch java.env
vi java.env
# add the following configuration, then save and exit
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/jaas.conf"
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/jaas.conf"
./zkServer.sh start
# note: the server must be started on every node
export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper-3.4.10/conf/client-jaas.conf"
echo $JVMFLAGS
./zkCli.sh -server master:2181
Troubleshooting
Problem 1: ./zkCli.sh -server master:2181 fails with an error # note: the server must be started on every node
Error reference: https://github.com/UKHomeOffice/docker-zookeeper/issues/1
Error reference: https://blog.csdn.net/weixin_44388193/article/details/102797296
Error message: ZooKeeperSaslClient 247 SASL authentication failed using login context Client
Solution link: https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
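The "SASL authentication failed using login context Client" error above is usually a mismatch between the principal named in a node's JAAS file, the node's own hostname, and what the copied keytab actually contains (steps 3 and 5 copy the same file to every node and rely on editing the principal afterwards). The following script is an added example, not part of the original post: it reads a JAAS context, checks that the principal's host part matches the node, and checks that the principal is present in the output of `klist -kt <keytab>`. The jaas.conf and klist output embedded below are constructed sample data mirroring the post's Server context on "master".

```shell
# Added example (not from the original post): check a node's JAAS principal
# against its hostname and against a `klist -kt` listing of the keytab.
# Sample jaas.conf and klist output below are constructed for the demo.
jaas_value() {
    # $1 = JAAS file, $2 = context name (Server/Client), $3 = key (principal/keyTab)
    sed -n "/^$2 {/,/^};/p" "$1" | sed -n "s/.*$3=\"\([^\"]*\)\".*/\1/p"
}
principal_host() {
    # zookeeper/slave1@HADOOP.COM -> slave1
    printf '%s\n' "$1" | sed 's#^[^/]*/##; s#@.*##'
}
keytab_has_principal() {
    # $1 = file holding `klist -kt <keytab>` output, $2 = principal (last column)
    awk -v p="$2" '$NF == p { found = 1 } END { exit !found }' "$1"
}
check_node() {
    # $1 = JAAS file, $2 = context, $3 = this node's hostname, $4 = klist output file
    # returns 1 = no principal, 2 = principal is for another host, 3 = not in keytab
    p=$(jaas_value "$1" "$2" principal)
    [ -n "$p" ] || { echo "$2: no principal configured"; return 1; }
    [ "$(principal_host "$p")" = "$3" ] || { echo "$2: principal $p is not for host $3"; return 2; }
    keytab_has_principal "$4" "$p" || { echo "$2: $p missing from keytab"; return 3; }
    echo "$2: $p ok"
}
# --- constructed sample data, mirrors the post's Server context on "master" ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/jaas.conf" <<'EOF'
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/zookeeper-3.4.10/conf/zk-server.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/master@HADOOP.COM";
};
EOF
cat > "$DEMO_DIR/klist.txt" <<'EOF'
Keytab name: FILE:/usr/local/zookeeper-3.4.10/conf/zk-server.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/01/2020 00:00:00 zookeeper/master@HADOOP.COM
   2 01/01/2020 00:00:00 zookeeper/slave1@HADOOP.COM
EOF
check_node "$DEMO_DIR/jaas.conf" Server master "$DEMO_DIR/klist.txt"   # ok
check_node "$DEMO_DIR/jaas.conf" Server slave1 "$DEMO_DIR/klist.txt"   # fails: file copied but never edited
```

On a real node, replace the constructed files with the node's own jaas.conf or client-jaas.conf and the output of `klist -kt` on the keytab that file names, and pass `$(hostname)` as the host.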