大数据安全系列的其它文章

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证

本篇博客介绍配置zookeeper的kerberos配置

一、zookeeper安装

1、解压安装包和重命名和创建数据目录

tar -zxvf /data/apache-zookeeper-3.5.5-bin.tar.gz -C /usr/local/

mv apache-zookeeper-3.5.5-bin/ zookeeper/

  

2、查看解压目录

[root@localhost zookeeper]# ll

total 36

drwxr-xr-x. 2 2002 2002  4096 Apr  9  2019 bin

drwxr-xr-x. 2 2002 2002    88 Feb 27 22:09 conf

drwxr-xr-x. 2 root root     6 Feb 27 21:48 data

drwxr-xr-x. 5 2002 2002  4096 May  3  2019 docs

drwxr-xr-x. 2 root root  4096 Feb 27 21:25 lib

-rw-r--r--. 1 2002 2002 11358 Feb 15  2019 LICENSE.txt

drwxr-xr-x. 2 root root     6 Feb 27 21:48 log

-rw-r--r--. 1 2002 2002   432 Apr  9  2019 NOTICE.txt

-rw-r--r--. 1 2002 2002  1560 May  3  2019 README.md

-rw-r--r--. 1 2002 2002  1347 Apr  2  2019 README_packaging.txt

 

3、修改配置文件

[root@localhost conf]# ll

total 16

-rw-r--r--. 1 2002 2002  535 Feb 15  2019 configuration.xsl

-rw-r--r--. 1 2002 2002 2712 Apr  2  2019 log4j.properties

-rw-r--r--. 1 root root  922 Feb 27 21:36 zoo.cfg

-rw-r--r--. 1 2002 2002  922 Feb 15  2019 zoo_sample.cfg

[root@localhost conf]#

  

# The number of milliseconds of each tick

tickTime=2000

# The number of ticks that the initial

# synchronization phase can take

initLimit=10

# The number of ticks that can pass between

# sending a request and getting an acknowledgement

syncLimit=5

# the directory where the snapshot is stored.

# do not use /tmp for storage, /tmp here is just

# example sakes.

dataDir=/usr/local/zookeeper/data

dataLogDir=/usr/local/zookeeper/log

# the port at which the clients will connect

clientPort=2181

# the maximum number of client connections.

# increase this if you need to handle more clients

#maxClientCnxns=60

#

# Be sure to read the maintenance section of the

# administrator guide before turning on autopurge.

#

# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance

#

# The number of snapshots to retain in dataDir

#autopurge.snapRetainCount=3

# Purge task interval in hours

# Set to "0" to disable auto purge feature

#autopurge.purgeInterval=1

server.1=cluster1_host1:2888:3888

server.2=cluster1_host2:2888:3888

server.3=cluster1_host3:2888:3888

  

4、创建myid文件

[root@localhost data]# pwd

/usr/local/zookeeper/data

[root@localhost data]#

[root@localhost data]#

[root@localhost data]# ll

total 4

-rw-r--r--. 1 root root 2 Feb 27 22:10 myid

[root@localhost data]# cat myid

1

[root@localhost data]#

  

5、拷贝安装目录到其它节点

scp -r zookeeper/ root@10.8.8.33:/usr/local/

  

修改其它节点的myid文件

6、启动zk

[root@localhost bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@localhost bin]# jps

28350 Jps

25135 QuorumPeerMain

[root@localhost bin]# ./zkServer.sh status

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Client port found: 2181. Client address: localhost.

Mode: leader

[root@localhost bin]#

  

二、zookeeper的kerberos配置

1、生成zk的kerberos的认证标志

kadmin.local:  addprinc zookeeper/cluster2-host1

WARNING: no policy specified for zookeeper/cluster2-host1@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Principal "zookeeper/cluster2-host1@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host2

WARNING: no policy specified for zookeeper/cluster2-host2@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Principal "zookeeper/cluster2-host2@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host3

WARNING: no policy specified for zookeeper/cluster2-host3@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Principal "zookeeper/cluster2-host3@HADOOP.COM" created.

[root@cluster2-host1 etc]# kadmin.local

Authenticating as principal root/admin@HADOOP.COM with password.

kadmin.local:  addprinc zkcli/hadoop

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-cluster2-host1.keytab zookeeper/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host3

  

拷贝keytab到所有的节点

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-server.keytab

  

2、修改zk的配置文件,加如下数据

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

jaasLoginRenew=3600000

kerberos.removeHostFromPrincipal=true

  

同步到其他节点

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host2:/usr/local/zookeeper/conf/

zoo.cfg                                                                                                                                                                                                                                     100% 1207     1.2KB/s   00:00

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host3:/usr/local/zookeeper/conf/

zoo.cfg

  

3、生成jaas.conf文件

Server {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-server.keytab"

  storeKey=true

  useTicketCache=false

  principal="zookeeper/cluster2-host1@HADOOP.COM";

};

  

同步到其他节点,并修改节点的principal

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

jaas.conf                                                                                                                                                                                                                                   100%  229     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

jaas.conf

  

4、创建client的priincipal

kadmin.local:  addprinc zkcli/cluster2-host1

kadmin.local:  addprinc zkcli/cluster2-host2

kadmin.local:  addprinc zkcli/cluster2-host3

  

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host3

  

分发keytab文件到其他节点

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-clie.keytab

  

5、配置client-jaas.conf文件

[root@cluster2-host1 conf]# cat client-jaas.conf

Client {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"

  storeKey=true

  useTicketCache=false

  principal="zkcli/cluster2-host1@HADOOP.COM";

};

  

分发到其他节点,并修改其他节点的principal

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

client-jaas.conf                                                                                                                                                                                                                            100%  222     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

client-jaas.conf

  

6、验证zk的kerberos

严格按照下面的顺序验证

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/jaas.conf"

[root@cluster2-host1 bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf"

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]# echo $JVMFLAGS

-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf

[root@cluster2-host1 bin]# ./zkCli.sh -server cluster2-host1:2181

[zk: cluster2-host1:2181(CONNECTED) 2] create /abcd "abcdata"

Created /abcd

[zk: cluster2-host1:2181(CONNECTED) 3] ls /

[abc, abcd, zookeeper]

[zk: cluster2-host1:2181(CONNECTED) 4] getAcl /abcd

'world,'anyone

: cdrwa

[zk: cluster2-host1:2181(CONNECTED) 5]

  

同时启动zk的client,也会login successfull的日志,大家可以注意留意下

kerberos系列之zookeeper的认证配置的更多相关文章

  1. kerberos系列之hdfs&yarn认证配置

    一.安装hadoop 1.解压安装包重命名安装目录 [root@cluster2_host1 data]# tar -zxvf hadoop-2.7.1.tar.gz -C /usr/local/ [ ...

  2. API网关Kong系列(四)认证配置

    目前根据业务需要先介绍2种认证插件:Key Authentication 及 HMAC-SHA1 认证  Key Authentication 向API添加密钥身份验证(也称为API密钥). 然后,消 ...

  3. kerberos系列之hive认证配置

    大数据安全系列之hive的kerberos认证配置,其它系列链接如下 https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安 ...

  4. zookeeper acl认证机制及dubbo、kafka集成、zooviewer/idea zk插件配置

    ZooKeeper的ACL机制 zookeeper通过ACL机制控制znode节点的访问权限. 首先介绍下znode的5种操作权限:CREATE.READ.WRITE.DELETE.ADMIN 也就是 ...

  5. 【Zookeeper系列】ZooKeeper安装配置(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4018459.html 一.Zookeeper的搭建方式 Zookeeper安装方式有三种,单机模式和集群模式以及伪 ...

  6. 分布式服务Dubbo+Zookeeper安全认证

    前言 由于之前的服务都是在内网,Zookeeper集群配置都是走的内网IP,外网不开放相关端口.最近由于业务升级,购置了阿里云的服务,需要对外开放Zookeeper服务. 问题 Zookeeper+d ...

  7. 【Zookeeper系列】ZooKeeper机制架构(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4133784.html 一.ZooKeeper权限管理机制 1.1 权限管理ACL(Access Control L ...

  8. [大数据] zookeeper 安装和配置

    ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件.它是一个为分布式应用提供一致性服务的软件,提供的功 ...

  9. zookeeper编程入门系列之zookeeper实现分布式进程监控和分布式共享锁(图文详解)

    本博文的主要内容有 一.zookeeper编程入门系列之利用zookeeper的临时节点的特性来监控程序是否还在运行   二.zookeeper编程入门系列之zookeeper实现分布式进程监控 三. ...

随机推荐

  1. 关于文件下载Header设置

    常见的媒体格式类型如下: text/html : HTML格式text/plain :纯文本格式 text/xml : XML格式image/gif :gif图片格式 image/jpeg :jpg图 ...

  2. 将js进行到底:node学习3

    node重要API之NET--TCP编程之旅 废话:最近去了一趟上海会了会一个程序员朋友,途径SNH48握手会,说好我就去看看,没想到握手了王诗蒙,掉入巨坑:塞纳河.回来后边听着<春夏秋冬> ...

  3. C++如何保留2位小数输出

    cout<<setiosflags(ios::);//需要头文件#include <iomanip> 然后再输出实数类型变量即可以保留2位小数输出了,当然你要保留三位小数,se ...

  4. first-child和first-of-type

    我想实现的效果:将第一个article字体颜色设置为红色 123456 <div? <h1>logo</h1> <article>article1</a ...

  5. C++走向远洋——54(项目一2、分数类的重载、取倒数)

    */ * Copyright (c) 2016,烟台大学计算机与控制工程学院 * All rights reserved. * 文件名:text.cpp * 作者:常轩 * 微信公众号:Worldhe ...

  6. Tornado 简述

    前言 python 旗下,群英荟萃,豪杰并起.单是用于 web 开发的,就有 webpy.web2py.bottle.pyramid.zope2.flask.tornado.django 等等,不一而 ...

  7. 华为的Java面试题,仅供参考。

    IP地址的编码分为哪俩部分? IP地址由两部分组成,网络号和主机号.不过是要和“子网掩码”按位与上之后才能区分哪些是网络位哪些是主机位. 2.用户输入M,N值,从1至N开始顺序循环数数,每数到M输出该 ...

  8. Roma - Facebook工具链大一统

    什么是roma roma,中文名罗马,是Facebook的rn团队的产出,是一个试验性质的javascript工具链,集编译,linter,格式化,打包,测试等等于一体.目标是成为一个处理javasc ...

  9. Windows 使用激活服务器激活操作步骤

    最近装了win10企业版系统,总结下激活步骤,激活后是正版,半年后需要重新激活,不介意的小伙伴可以试试,这不是重点,重点是企业版超级clean...... 服务器激活系统步骤,打开cmd或者xshel ...

  10. 处理 Vue 单页面 SEO 的另一种思路

    vue-meta-info 官方地址: https://github.com/monkeyWang... (设置vue 单页面meta info信息,如果需要单页面SEO,可以和 prerender- ...