作者:櫰木
按照上文中hadoop集群规划进行安装。
1 HADOOP集群安装
在hd1.dtstack.com主机root权限下安装hadoop集群
- 解压
[root@hd1.dtstack.com software]# tar -zvxf hadoop-3.2.4.tar.gz -C /opt/
[root@hd1.dtstack.com software]# chown -R hdfs:hadoop /opt/hadoop-3.2.4
[root@hd1.dtstack.com software]# ln -s /opt/hadoop-3.2.4 /opt/hadoop
2 HADOOP Kerberos主体
| 服务 | 所在主机 | 主体格式(Principal) | keytab文件 |
|---|---|---|---|
| NameNode | hd1.dtstack.com、hd2.dtstack.com | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs…keytab |
| DataNode | hd3.dtstack.com、hadoop04、hadoop05 | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs…keytab |
| JournalNode | hd1.dtstack.com、hd2.dtstack.com、hd3.dtstack.com | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs.keytab |
| Web UI | hd1.dtstack.com、hd2.dtstack.com、hd3.dtstack.com | HTTP/_HOST@DTSTACK.COM | |
| /etc/security/keytab/hdfs.keytab | |||
| JobHistory Server | hd1.dtstack.com、hd2.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn…keytab |
| ResourceManager | hd1.dtstack.com、hd2.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn.service.keytab |
| NodeManager | hd3.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn…keytab |
说明:
- 创建主体命令见上面kerberos票据创建
- _HOST表示配置文件变量,在实际使用过程会自动替换成主机名,如hd1.dtstack.com
- Keytab文件名每台主机文件名一样,但文件内容不一样,主要区别是主机名
- Keytab文件创建完成后分发到对应主机,且权限修改成600,权限修改命令如下:
chown -R root:hadoop /etc/security/keytab/
chmod 660 /etc/security/keytab/*
按照kerberos票据创建进行票据主体创建和keytab文件创建以及分发到对应主机目录上
生成keytab文件
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/hdfs.keytab hdfs
由于页面需要http的principal,给hdfs的keytab添加httpprincipal
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/hdfs.keytab HTTP
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/yarn.keytab yarn
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/yarn.keytab HTTP
3、 HDFS使用HTTPS安全传输协议配置
在hd1.dtstack.com主机root权限下执行
- 添加生成脚本
[root@hd1.dtstack.com hadoop]# cd /opt/hadoop/
[root@hd1.dtstack.com hadoop]# cd bin/ && vi on.sh
#!/bin/bash
path1=/opt/hadoop/bin
hosts="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com"
echo "===========begine install ca ==========="
sh $path1/ca_install.sh
echo "===========finish install ca ==========="
echo "===========begine install https ==========="
for host in $hosts
do
ssh -t $host "$path1/keystore.sh"
done
echo "===========finish install https ==========="
添加ca脚本
vi ca_install.sh
#! /bin/bash
path=/data/kerberos/hdfs_ca
#集群中安装https
hostnamess="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com"
passwords=abc123
hostname1=`hostname`
#ca证书创建,只需要在一个节点上创建
function make_CA(){
hostnames=$hostnamess
password=$passwords
echo 'make_CA begin ...'
cd $path
#删除之前可能产生的过期CA证书
rm -rf $path/hdfs_ca*
#其中一台上生成CA,密码全部为abc123
/usr/bin/expect <<-EOF
set timeout 10
spawn openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj /C=CN/ST=zhejiang/L=hangzhou/O=dtstack/OU=dtstack/CN=$hostname1
expect {
"*phrase*" {send "$password\r"; exp_continue}
"*phrase*" { send "$password\r"; exp_continue}
}
EOF
#将生成的CA证书hdfs_ca_key、hdfs_ca_cert分发到其他节点上
for host in $hostnames;
do
echo "copy hadoop CA to $host:$path"
ssh root@$host "mkdir -p /data/kerberos/hdfs_ca"
scp hdfs_ca_* $host:$path
done
#rm -rf hdfs_ca*
echo 'make_CA end ...'
}
make_CA
添加keystore脚本
vi keystore.sh
#! /bin/bash
path=/data/kerberos/hdfs_ca
#集群中安装https keystore
hostnamess="hadoop01.dtstack.com hadoop03.dtstack.com hadoop02.dtstack.com"
passwords=abc123
current_hostnames="`hostname`"
export.UTF-8
function make_certificate(){
current_hostname=$current_hostnames
password=$passwords
cd $path
#keytool需要使用java环境
source /etc/profile
#生成keystore
#name="CN=$current_hostname, OU=dtstack, O=dtstack, L=hangzhou, ST=zhejiang, C=CN"
/usr/bin/expect <<-EOF
spawn keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=$current_hostname, OU=dtstack, O=dtstack, L=hangzhou, ST=zhejiang, C=CN"
expect {
"*password*" {send "$password\r"; exp_continue}
"*password*" {send "$password\r"; exp_continue}
"*password*" {send "$password\r"; exp_continue}
"*password*" {send "$password\r"; exp_continue}
}
EOF
#添加CA到truststore
/usr/bin/expect <<-EOF
spawn keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert
expect {
"*password*" {send "$password\r"; exp_continue}
"*password*" {send "$password\r"; exp_continue}
"*certificate*" {send "yes\r"; exp_continue}
}
EOF
#从keystore中导出cert
/usr/bin/expect <<-EOF
spawn keytool -certreq -alias localhost -keystore keystore -file cert
expect {
"*password*" {send "$password\r"; exp_continue}
}
EOF
#用CA对cert签名
/usr/bin/expect <<-EOF
spawn openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial
expect {
"*phrase*" {send "$password\r"; exp_continue}
}
EOF
#将CA的cert和用CA签名之后的cert导入keystore
/usr/bin/expect <<-EOF
spawn keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert
expect {
"*password*" {send "$password\r"; exp_continue}
"*certificate*" {send "yes\r"; exp_continue}
}
EOF
/usr/bin/expect <<-EOF
spawn keytool -keystore keystore -alias localhost -import -file cert_signed
expect {
"*password*" {send "$password\r"; exp_continue}
}
EOF
#将最终keystore,trustores放入合适的目录,并加上后缀jks
#rm -rf /etc/security/https && mkdir -p /etc/security/https
#chmod 755 /etc/security/https
echo "install keystore、truststore to /data/kerberos/hdfs_ca/..."
cp $path/keystore $path/keystore.jks
cp $path/truststore $path/truststore.jks
}
echo "[+] execute hlk_each_host_install_https.sh begin ..."
echo "hostnames:$hostnames"
echo "current_hostname:$current_hostname"
#每个节点获取CA证书签照
make_certificate
echo "[+] execute hlk_each_host_install_https.sh end ..."
将脚本分发到每个节点的/opt/hadoop/bin/目录下,同时修改脚本权限
4、生成对应https证书(只需要在一个节点执行即可)
mkdir -p /data/kerberos/hdfs_ca
cd /opt/hadoop/bin/
bash on.sh
更多技术信息请查看云掣官网https://yunche.pro/?t=yrgw
