大数据安全系列的其它文章

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证

本篇博客介绍配置zookeeper的kerberos配置

一、zookeeper安装

1、解压安装包和重命名和创建数据目录

tar -zxvf /data/apache-zookeeper-3.5.5-bin.tar.gz -C /usr/local/

mv apache-zookeeper-3.5.5-bin/ zookeeper/

  

2、查看解压目录

[root@localhost zookeeper]# ll

total 36

drwxr-xr-x. 2 2002 2002  4096 Apr  9  2019 bin

drwxr-xr-x. 2 2002 2002    88 Feb 27 22:09 conf

drwxr-xr-x. 2 root root     6 Feb 27 21:48 data

drwxr-xr-x. 5 2002 2002  4096 May  3  2019 docs

drwxr-xr-x. 2 root root  4096 Feb 27 21:25 lib

-rw-r--r--. 1 2002 2002 11358 Feb 15  2019 LICENSE.txt

drwxr-xr-x. 2 root root     6 Feb 27 21:48 log

-rw-r--r--. 1 2002 2002   432 Apr  9  2019 NOTICE.txt

-rw-r--r--. 1 2002 2002  1560 May  3  2019 README.md

-rw-r--r--. 1 2002 2002  1347 Apr  2  2019 README_packaging.txt

 

3、修改配置文件

[root@localhost conf]# ll

total 16

-rw-r--r--. 1 2002 2002  535 Feb 15  2019 configuration.xsl

-rw-r--r--. 1 2002 2002 2712 Apr  2  2019 log4j.properties

-rw-r--r--. 1 root root  922 Feb 27 21:36 zoo.cfg

-rw-r--r--. 1 2002 2002  922 Feb 15  2019 zoo_sample.cfg

[root@localhost conf]#

  

# The number of milliseconds of each tick

tickTime=2000

# The number of ticks that the initial

# synchronization phase can take

initLimit=10

# The number of ticks that can pass between

# sending a request and getting an acknowledgement

syncLimit=5

# the directory where the snapshot is stored.

# do not use /tmp for storage, /tmp here is just

# example sakes.

dataDir=/usr/local/zookeeper/data

dataLogDir=/usr/local/zookeeper/log

# the port at which the clients will connect

clientPort=2181

# the maximum number of client connections.

# increase this if you need to handle more clients

#maxClientCnxns=60

#

# Be sure to read the maintenance section of the

# administrator guide before turning on autopurge.

#

# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance

#

# The number of snapshots to retain in dataDir

#autopurge.snapRetainCount=3

# Purge task interval in hours

# Set to "0" to disable auto purge feature

#autopurge.purgeInterval=1

server.1=cluster1_host1:2888:3888

server.2=cluster1_host2:2888:3888

server.3=cluster1_host3:2888:3888

  

4、创建myid文件

[root@localhost data]# pwd

/usr/local/zookeeper/data

[root@localhost data]#

[root@localhost data]#

[root@localhost data]# ll

total 4

-rw-r--r--. 1 root root 2 Feb 27 22:10 myid

[root@localhost data]# cat myid

1

[root@localhost data]#

  

5、拷贝安装目录到其它节点

scp -r zookeeper/ root@10.8.8.33:/usr/local/

  

修改其它节点的myid文件

6、启动zk

[root@localhost bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@localhost bin]# jps

28350 Jps

25135 QuorumPeerMain

[root@localhost bin]# ./zkServer.sh status

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Client port found: 2181. Client address: localhost.

Mode: leader

[root@localhost bin]#

  

二、zookeeper的kerberos配置

1、生成zk的kerberos的认证标志

kadmin.local:  addprinc zookeeper/cluster2-host1

WARNING: no policy specified for zookeeper/cluster2-host1@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Principal "zookeeper/cluster2-host1@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host2

WARNING: no policy specified for zookeeper/cluster2-host2@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Principal "zookeeper/cluster2-host2@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host3

WARNING: no policy specified for zookeeper/cluster2-host3@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Principal "zookeeper/cluster2-host3@HADOOP.COM" created.

[root@cluster2-host1 etc]# kadmin.local

Authenticating as principal root/admin@HADOOP.COM with password.

kadmin.local:  addprinc zkcli/hadoop

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-cluster2-host1.keytab zookeeper/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host3

  

拷贝keytab到所有的节点

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-server.keytab

  

2、修改zk的配置文件,加如下数据

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

jaasLoginRenew=3600000

kerberos.removeHostFromPrincipal=true

  

同步到其他节点

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host2:/usr/local/zookeeper/conf/

zoo.cfg                                                                                                                                                                                                                                     100% 1207     1.2KB/s   00:00

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host3:/usr/local/zookeeper/conf/

zoo.cfg

  

3、生成jaas.conf文件

Server {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-server.keytab"

  storeKey=true

  useTicketCache=false

  principal="zookeeper/cluster2-host1@HADOOP.COM";

};

  

同步到其他节点,并修改节点的principal

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

jaas.conf                                                                                                                                                                                                                                   100%  229     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

jaas.conf

  

4、创建client的priincipal

kadmin.local:  addprinc zkcli/cluster2-host1

kadmin.local:  addprinc zkcli/cluster2-host2

kadmin.local:  addprinc zkcli/cluster2-host3

  

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host3

  

分发keytab文件到其他节点

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-clie.keytab

  

5、配置client-jaas.conf文件

[root@cluster2-host1 conf]# cat client-jaas.conf

Client {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"

  storeKey=true

  useTicketCache=false

  principal="zkcli/cluster2-host1@HADOOP.COM";

};

  

分发到其他节点,并修改其他节点的principal

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

client-jaas.conf                                                                                                                                                                                                                            100%  222     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

client-jaas.conf

  

6、验证zk的kerberos

严格按照下面的顺序验证

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/jaas.conf"

[root@cluster2-host1 bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf"

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]# echo $JVMFLAGS

-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf

[root@cluster2-host1 bin]# ./zkCli.sh -server cluster2-host1:2181

[zk: cluster2-host1:2181(CONNECTED) 2] create /abcd "abcdata"

Created /abcd

[zk: cluster2-host1:2181(CONNECTED) 3] ls /

[abc, abcd, zookeeper]

[zk: cluster2-host1:2181(CONNECTED) 4] getAcl /abcd

'world,'anyone

: cdrwa

[zk: cluster2-host1:2181(CONNECTED) 5]

  

同时启动zk的client,也会login successfull的日志,大家可以注意留意下

kerberos系列之zookeeper的认证配置的更多相关文章

  1. kerberos系列之hdfs&yarn认证配置

    一.安装hadoop 1.解压安装包重命名安装目录 [root@cluster2_host1 data]# tar -zxvf hadoop-2.7.1.tar.gz -C /usr/local/ [ ...

  2. API网关Kong系列(四)认证配置

    目前根据业务需要先介绍2种认证插件:Key Authentication 及 HMAC-SHA1 认证  Key Authentication 向API添加密钥身份验证(也称为API密钥). 然后,消 ...

  3. kerberos系列之hive认证配置

    大数据安全系列之hive的kerberos认证配置,其它系列链接如下 https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安 ...

  4. zookeeper acl认证机制及dubbo、kafka集成、zooviewer/idea zk插件配置

    ZooKeeper的ACL机制 zookeeper通过ACL机制控制znode节点的访问权限. 首先介绍下znode的5种操作权限:CREATE.READ.WRITE.DELETE.ADMIN 也就是 ...

  5. 【Zookeeper系列】ZooKeeper安装配置(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4018459.html 一.Zookeeper的搭建方式 Zookeeper安装方式有三种,单机模式和集群模式以及伪 ...

  6. 分布式服务Dubbo+Zookeeper安全认证

    前言 由于之前的服务都是在内网,Zookeeper集群配置都是走的内网IP,外网不开放相关端口.最近由于业务升级,购置了阿里云的服务,需要对外开放Zookeeper服务. 问题 Zookeeper+d ...

  7. 【Zookeeper系列】ZooKeeper机制架构(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4133784.html 一.ZooKeeper权限管理机制 1.1 权限管理ACL(Access Control L ...

  8. [大数据] zookeeper 安装和配置

    ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件.它是一个为分布式应用提供一致性服务的软件,提供的功 ...

  9. zookeeper编程入门系列之zookeeper实现分布式进程监控和分布式共享锁(图文详解)

    本博文的主要内容有 一.zookeeper编程入门系列之利用zookeeper的临时节点的特性来监控程序是否还在运行   二.zookeeper编程入门系列之zookeeper实现分布式进程监控 三. ...

随机推荐

  1. Win32 计时器

    计时器精确吗? 计时器并不精确.有两个原因: 原因一:Windows计时器是硬件和ROM BIOS架构下之计时器一种相对简单的扩充.回到Windows以前的MS-DOS程序写作环境下,应用程式能够通过 ...

  2. basecalling|vector mark|Assembly的难题|

    生物信息学 染色体可以据染色图谱判断染色体号码,1-22号染色体依次变短,它们影响机体发育,23号染色体决定性别.肿瘤是由于遗传密码变异造成的.因此,遗传密码的解读非常重要,但是因为遗传密码长度非常长 ...

  3. nodejs日常总结

    1.node -v 查看当前node版本 2.npm root -g 查看npm安装路径(还有通过npm安装的vue-cli的路径) 默认: /usr/local/lib/node_modules r ...

  4. springboot oauth 鉴权之——授权码authorization_code鉴权

    近期一直在研究鉴权方面的各种案例,这几天有空,写一波总结及经验. 第一步:什么是 OAuth鉴权 OAuth2是工业标准的授权协议.OAuth2取代了在2006创建的原始OAuthTM协议所做的工作. ...

  5. C++求解N阶幻方

    由一道数学题的联想然后根据网上的做法瞎jb乱打了一下,居然对了代码精心附上了注释,有兴趣的童鞋可以看一看..不说了,上代码!(自认为结构很清晰易懂) 1234567891011121314151617 ...

  6. 使用 KM 处理 HHKB 方向键

    对于上了 HHKB 这条贼船的人来说,刚开始使用起来最大的别扭可能就是没有方向键的问题了. 最早的我使用 Karabiner 来解决,里边有一些内置的组合可以替代方向键,我用 control + hj ...

  7. 什么是SNAT

    SNAT是源地址转换,其作用是将ip数据包的源地址转换成另外一个地址,可能有人觉得奇怪,好好的为什么要进行ip地址转换啊,为了弄懂这个问题,我们要看一下局域网用户上公网的原理,假设内网主机A(192. ...

  8. Redis(1)——5种基本数据结构

    一.Redis 简介 "Redis is an open source (BSD licensed), in-memory data structure store, used as a d ...

  9. C++走向远洋——41(深复制体验,3,)

    */ * Copyright (c) 2016,烟台大学计算机与控制工程学院 * All rights reserved. * 文件名:text.cpp * 作者:常轩 * 微信公众号:Worldhe ...

  10. 国产数据库适配publiccms开源项目

    金仓数据库适配 操作说明: 一.在程序的所有实体层添加schema=”public”(这里的public是根据数据库定义的模式) 二.切换数据库,修改配置文件cms.properties里面的cms. ...