KDC cross-realm trust
Environment:
29.3.203.53 (sysops00065017): runs a KDC, a NameNode and a DataNode; this KDC authenticates the TESTA.COM realm
29.3.203.54 (sysops00065018): runs a KDC, a NameNode and a DataNode; this KDC authenticates the TESTB.COM realm
Make sure the two machines can ping each other by hostname.
1. Add the cross-realm principals
On both KDCs, add krbtgt/TESTA.COM@TESTB.COM and krbtgt/TESTB.COM@TESTA.COM (with kadmin.local, e.g. addprinc krbtgt/TESTB.COM@TESTA.COM). Each of these two principals must be created with the same password on both KDCs, so that both hold the same key; otherwise the remote KDC cannot decrypt the cross-realm TGT.
A client in TESTA.COM that accesses a service in TESTB.COM needs krbtgt/TESTB.COM@TESTA.COM.
2. Edit krb5.conf (the lines to change were marked in red in the original)
TESTA.COM, on 29.3.203.53 (sysops00065017):
[realms]
TESTA.COM = {
kdc = sysops00065017
admin_server = sysops00065017
master_kdc = sysops00065017
default_domain = .TESTA.COM
}
TESTB.COM = {
kdc = sysops00065018
admin_server = sysops00065018
master_kdc = sysops00065018
default_domain = .TESTB.COM
}
[domain_realm]
.testa.com = TESTA.COM
testa.com = TESTA.COM
.testb.com = TESTB.COM
testb.com = TESTB.COM
sysops00065017 = TESTA.COM
sysops00065018 = TESTB.COM
[capaths]
TESTA.COM = {
TESTB.COM = .
}
TESTB.COM, on 29.3.203.54 (sysops00065018):
[realms]
TESTA.COM = {
kdc = sysops00065017
admin_server = sysops00065017
master_kdc = sysops00065017
default_domain = .TESTA.COM
}
TESTB.COM = {
kdc = sysops00065018
admin_server = sysops00065018
master_kdc = sysops00065018
default_domain = .TESTB.COM
}
[domain_realm]
.testb.com = TESTB.COM
testb.com = TESTB.COM
.testa.com = TESTA.COM
testa.com = TESTA.COM
sysops00065017 = TESTA.COM
sysops00065018 = TESTB.COM
[capaths]
TESTB.COM = {
TESTA.COM = .
}
3. Edit core-site.xml (configure this in both realms)
<property>
<name>hadoop.security.auth_to_local</name>
<value>
RULE:[1:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[2:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[1:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/$1/g
RULE:[2:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/$1/g
DEFAULT
</value>
</property>
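The four RULE lines above format each principal as "$1@$0" (first component plus realm), match it against the realm, and strip the realm, so hdfs/sysops00065017@TESTA.COM and hdfs/sysops00065018@TESTB.COM both map to the local user hdfs. Because hdfs is normally the HDFS superuser, this rule set hands the remote realm's hdfs principals superuser rights on the local NameNode, which is the intent of this setup but should be a conscious decision. The following is an added example, not Hadoop's code or the page's: a simplified evaluator for auth_to_local rules (RULE:[n:fmt](match)s/pat/repl/g and DEFAULT; the /L flag is not supported), run over the page's rules and over an alternative rule set (an assumption for the example) that prefixes TESTB.COM identities instead of merging them with local ones.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Simplified evaluator for Hadoop's hadoop.security.auth_to_local rules (added example,
# not Hadoop's own implementation). Supported: RULE:[n:fmt](match)s/pat/repl/g and DEFAULT;
# the /L lowercase flag and other extras are not handled.
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<match>.+?)\))?"
    r"(?:s/(?P<pat>(?:[^/\\]|\\.)+)/(?P<repl>(?:[^/\\]|\\.)*)/(?P<g>g?))?$"
)


@dataclass
class Rule:
    ncomp: int                                   # number of principal components the rule applies to
    fmt: str                                     # e.g. "$1@$0": $0 = realm, $1/$2 = components
    match: Optional[re.Pattern]                  # regex the formatted string must fully match
    sed: Optional[Tuple[re.Pattern, str, bool]]  # (pattern, replacement, global flag)


def parse_rules(text: str) -> List[Union[Rule, str]]:
    """Parse whitespace-separated rules; DEFAULT is kept as the string "DEFAULT"."""
    rules: List[Union[Rule, str]] = []
    for token in text.split():
        if token == "DEFAULT":
            rules.append("DEFAULT")
            continue
        m = RULE_RE.match(token)
        if not m:
            raise ValueError("cannot parse rule: " + token)
        sed = None
        if m.group("pat") is not None:
            # Hadoop uses Java's $N group references; Python's re.sub wants \N.
            repl = re.sub(r"\$(\d+)", r"\\\1", m.group("repl"))
            sed = (re.compile(m.group("pat")), repl, m.group("g") == "g")
        match = re.compile(m.group("match")) if m.group("match") else None
        rules.append(Rule(int(m.group("n")), m.group("fmt"), match, sed))
    return rules


def map_principal(principal: str, rules, default_realm: str) -> str:
    """Return the local short name for a Kerberos principal, or raise if no rule matches."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the local realm.
            if realm == default_realm:
                return components[0]
            continue
        if rule.ncomp != len(components):
            continue
        formatted = rule.fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            formatted = formatted.replace("$%d" % i, comp)
        if rule.match is not None and not rule.match.fullmatch(formatted):
            continue
        if rule.sed is not None:
            pat, repl, is_global = rule.sed
            formatted = pat.sub(repl, formatted, count=0 if is_global else 1)
        return formatted
    raise ValueError("no auth_to_local rule matched " + principal)


def try_map(principal: str, rules, default_realm: str) -> Optional[str]:
    """Like map_principal, but returns None instead of raising when nothing matches."""
    try:
        return map_principal(principal, rules, default_realm)
    except ValueError:
        return None


# The rule set from the page's core-site.xml.
PAGE_RULES = parse_rules(r"""
RULE:[1:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[2:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[1:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/$1/g
RULE:[2:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/$1/g
DEFAULT
""")

# Alternative for TESTA.COM (an assumption for this example, not from the page): keep TESTB.COM
# identities distinguishable by prefixing them, so hdfs@TESTB.COM does not become the local hdfs.
PREFIXED_RULES = parse_rules(r"""
RULE:[1:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[2:$1@$0](^.*@TESTA\.COM$)s/^(.*)@TESTA\.COM$/$1/g
RULE:[1:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/testb_$1/g
RULE:[2:$1@$0](^.*@TESTB\.COM$)s/^(.*)@TESTB\.COM$/testb_$1/g
DEFAULT
""")

if __name__ == "__main__":
    for p in ("hdfs/sysops00065017@TESTA.COM", "hdfs/sysops00065018@TESTB.COM", "alice@TESTB.COM"):
        print(p, "->", map_principal(p, PAGE_RULES, "TESTA.COM"),
              "| prefixed:", map_principal(p, PREFIXED_RULES, "TESTA.COM"))
```

With the page's rules a principal from an unrelated realm (bob@OTHER.COM) matches nothing, DEFAULT included, and is rejected, which is the behaviour you want: the trust is limited to the realms named in the rules. The prefixed variant is only an option where the remote realm's users should not collide with local accounts; for the page's goal of letting hdfs read both clusters, the original rules are what makes that work.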
4. Edit hdfs-site.xml (configure this in both realms)
By default a client only accepts a NameNode principal from its own realm; setting the pattern to * relaxes that client-side check so the other realm's NameNode principal is accepted.
<property>
<name>dfs.namenode.kerberos.principal.pattern</name>
<value>*</value>
</property>
5. Restart the NameNode and KDC services
6. Test
On TESTA, use hdfs/sysops00065017@TESTA.COM to access files on both clusters:
The KDC log on TESTA shows:
Aug 15 15:49:51 SYSOPS00065017 krb5kdc[9868](info): TGS_REQ (2 etypes {16 23}) 29.3.203.53: ISSUE: authtime 1565855227, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065017@TESTA.COM for krbtgt/TESTB.COM@TESTA.COM
The KDC log on TESTB shows:
Aug 15 15:49:50 SYSOPS00065018 krb5kdc[26655](info): TGS_REQ (2 etypes {16 23}) 29.3.203.53: ISSUE: authtime 1565855227, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065017@TESTA.COM for hdfs/sysops00065018@TESTB.COM
On TESTB, use hdfs/sysops00065018@TESTB.COM to access files on both clusters:
The KDC log on TESTA shows:
Aug 15 15:51:02 SYSOPS00065017 krb5kdc[9868](info): TGS_REQ (2 etypes {16 23}) 29.3.203.54: ISSUE: authtime 1565774273, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065018@TESTB.COM for hdfs/sysops00065017@TESTA.COM
The KDC log on TESTB shows:
Aug 15 15:51:01 SYSOPS00065018 krb5kdc[26655](info): TGS_REQ (2 etypes {16 23}) 29.3.203.54: ISSUE: authtime 1565774273, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065018@TESTB.COM for krbtgt/TESTA.COM@TESTB.COM
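The four log lines show the two halves of a cross-realm exchange: the client's own KDC issues a ticket for the other realm's krbtgt (e.g. krbtgt/TESTB.COM@TESTA.COM), and the other KDC then issues a service ticket to a client from a foreign realm (hdfs/sysops00065017@TESTA.COM for hdfs/sysops00065018@TESTB.COM). Once the trust is in place, the TESTB KDC will issue service tickets to any TESTB-trusted principal that arrives with a valid cross-realm TGT, so those "foreign client" issuances are the lines worth auditing. The following is an added example, not code from the page: a small parser for krb5kdc ISSUE lines that labels each issuance as outbound (cross-realm TGT), inbound (foreign client served) or local, and flags inbound clients from realms outside an expected set. The log lines are the four from the page plus one constructed line for a realm TESTC.COM that is not part of the trust.

```python
import re
from typing import List

# Matcher for krb5kdc "ISSUE" lines, written for this example; it covers the line shape
# shown in the test section above, not every variant krb5kdc can produce.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"(?P<result>[A-Z_]+): (?P<detail>.*?), (?P<client>[^ ,]+) for (?P<service>[^ ,]+)$"
)


def classify(client: str, service: str) -> dict:
    """Label a ticket issuance by its cross-realm role."""
    svc_name, svc_realm = service.rsplit("@", 1)
    cli_realm = client.rsplit("@", 1)[1]
    if svc_name.startswith("krbtgt/"):
        target = svc_name.split("/", 1)[1]
        if target != svc_realm:
            # A local client got a TGT for another realm's krbtgt: it is heading to that realm.
            return {"kind": "outbound-cross-realm-tgt", "realm": target}
    if cli_realm != svc_realm:
        # A client from another realm presented a cross-realm TGT and got a local service ticket.
        return {"kind": "inbound-foreign-client", "realm": cli_realm}
    return {"kind": "local", "realm": cli_realm}


def audit_kdc_log(text: str, trusted_realms) -> List[dict]:
    """Parse ISSUE lines and flag inbound foreign clients from realms not in trusted_realms."""
    events = []
    for line in text.strip().splitlines():
        m = KDC_LINE.match(line)
        if not m or m.group("result") != "ISSUE":
            continue
        ev = classify(m.group("client"), m.group("service"))
        ev.update(kdc=m.group("kdc"), ip=m.group("ip"),
                  client=m.group("client"), service=m.group("service"))
        ev["alert"] = ev["kind"] == "inbound-foreign-client" and ev["realm"] not in trusted_realms
        events.append(ev)
    return events


# The four lines from the page's test section, plus one constructed line (TESTC.COM is not
# part of the trust described on the page; the IP and principal are made up for the example).
SAMPLE_LOG = """
Aug 15 15:49:51 SYSOPS00065017 krb5kdc[9868](info): TGS_REQ (2 etypes {16 23}) 29.3.203.53: ISSUE: authtime 1565855227, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065017@TESTA.COM for krbtgt/TESTB.COM@TESTA.COM
Aug 15 15:49:50 SYSOPS00065018 krb5kdc[26655](info): TGS_REQ (2 etypes {16 23}) 29.3.203.53: ISSUE: authtime 1565855227, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065017@TESTA.COM for hdfs/sysops00065018@TESTB.COM
Aug 15 15:51:02 SYSOPS00065017 krb5kdc[9868](info): TGS_REQ (2 etypes {16 23}) 29.3.203.54: ISSUE: authtime 1565774273, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065018@TESTB.COM for hdfs/sysops00065017@TESTA.COM
Aug 15 15:51:01 SYSOPS00065018 krb5kdc[26655](info): TGS_REQ (2 etypes {16 23}) 29.3.203.54: ISSUE: authtime 1565774273, etypes {rep=16 tkt=16 ses=16}, hdfs/sysops00065018@TESTB.COM for krbtgt/TESTA.COM@TESTB.COM
Aug 15 15:52:10 SYSOPS00065017 krb5kdc[9868](info): TGS_REQ (2 etypes {16 23}) 29.3.203.99: ISSUE: authtime 1565855300, etypes {rep=16 tkt=16 ses=16}, alice@TESTC.COM for hdfs/sysops00065017@TESTA.COM
"""

if __name__ == "__main__":
    for ev in audit_kdc_log(SAMPLE_LOG, {"TESTA.COM", "TESTB.COM"}):
        flag = " ALERT" if ev["alert"] else ""
        print("%s %-26s %-10s %s -> %s%s" % (ev["kdc"], ev["kind"], ev["realm"],
                                             ev["client"], ev["service"], flag))
```

Running it prints one line per issuance: on SYSOPS00065017 the first page line is outbound to TESTB.COM, on SYSOPS00065018 the second is inbound from TESTA.COM, and so on, with only the constructed TESTC.COM line marked ALERT. The same check applied to a real krb5kdc.log gives a quick view of which realms are actually exercising the trust.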