大数据安全系列的其它文章

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证

本篇博客介绍配置zookeeper的kerberos配置

一、zookeeper安装

1、解压安装包和重命名和创建数据目录

tar -zxvf /data/apache-zookeeper-3.5.5-bin.tar.gz -C /usr/local/

mv apache-zookeeper-3.5.5-bin/ zookeeper/

  

2、查看解压目录

[root@localhost zookeeper]# ll

total 36

drwxr-xr-x. 2 2002 2002  4096 Apr  9  2019 bin

drwxr-xr-x. 2 2002 2002    88 Feb 27 22:09 conf

drwxr-xr-x. 2 root root     6 Feb 27 21:48 data

drwxr-xr-x. 5 2002 2002  4096 May  3  2019 docs

drwxr-xr-x. 2 root root  4096 Feb 27 21:25 lib

-rw-r--r--. 1 2002 2002 11358 Feb 15  2019 LICENSE.txt

drwxr-xr-x. 2 root root     6 Feb 27 21:48 log

-rw-r--r--. 1 2002 2002   432 Apr  9  2019 NOTICE.txt

-rw-r--r--. 1 2002 2002  1560 May  3  2019 README.md

-rw-r--r--. 1 2002 2002  1347 Apr  2  2019 README_packaging.txt

 

3、修改配置文件

[root@localhost conf]# ll

total 16

-rw-r--r--. 1 2002 2002  535 Feb 15  2019 configuration.xsl

-rw-r--r--. 1 2002 2002 2712 Apr  2  2019 log4j.properties

-rw-r--r--. 1 root root  922 Feb 27 21:36 zoo.cfg

-rw-r--r--. 1 2002 2002  922 Feb 15  2019 zoo_sample.cfg

[root@localhost conf]#

  

# The number of milliseconds of each tick

tickTime=2000

# The number of ticks that the initial

# synchronization phase can take

initLimit=10

# The number of ticks that can pass between

# sending a request and getting an acknowledgement

syncLimit=5

# the directory where the snapshot is stored.

# do not use /tmp for storage, /tmp here is just

# example sakes.

dataDir=/usr/local/zookeeper/data

dataLogDir=/usr/local/zookeeper/log

# the port at which the clients will connect

clientPort=2181

# the maximum number of client connections.

# increase this if you need to handle more clients

#maxClientCnxns=60

#

# Be sure to read the maintenance section of the

# administrator guide before turning on autopurge.

#

# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance

#

# The number of snapshots to retain in dataDir

#autopurge.snapRetainCount=3

# Purge task interval in hours

# Set to "0" to disable auto purge feature

#autopurge.purgeInterval=1

server.1=cluster1_host1:2888:3888

server.2=cluster1_host2:2888:3888

server.3=cluster1_host3:2888:3888

  

4、创建myid文件

[root@localhost data]# pwd

/usr/local/zookeeper/data

[root@localhost data]#

[root@localhost data]#

[root@localhost data]# ll

total 4

-rw-r--r--. 1 root root 2 Feb 27 22:10 myid

[root@localhost data]# cat myid

1

[root@localhost data]#

  

5、拷贝安装目录到其它节点

scp -r zookeeper/ root@10.8.8.33:/usr/local/

  

修改其它节点的myid文件

6、启动zk

[root@localhost bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@localhost bin]# jps

28350 Jps

25135 QuorumPeerMain

[root@localhost bin]# ./zkServer.sh status

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Client port found: 2181. Client address: localhost.

Mode: leader

[root@localhost bin]#

  

二、zookeeper的kerberos配置

1、生成zk的kerberos的认证标志

kadmin.local:  addprinc zookeeper/cluster2-host1

WARNING: no policy specified for zookeeper/cluster2-host1@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Principal "zookeeper/cluster2-host1@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host2

WARNING: no policy specified for zookeeper/cluster2-host2@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Principal "zookeeper/cluster2-host2@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host3

WARNING: no policy specified for zookeeper/cluster2-host3@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Principal "zookeeper/cluster2-host3@HADOOP.COM" created.

[root@cluster2-host1 etc]# kadmin.local

Authenticating as principal root/admin@HADOOP.COM with password.

kadmin.local:  addprinc zkcli/hadoop

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-cluster2-host1.keytab zookeeper/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host3

  

拷贝keytab到所有的节点

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-server.keytab

  

2、修改zk的配置文件,加如下数据

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

jaasLoginRenew=3600000

kerberos.removeHostFromPrincipal=true

  

同步到其他节点

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host2:/usr/local/zookeeper/conf/

zoo.cfg                                                                                                                                                                                                                                     100% 1207     1.2KB/s   00:00

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host3:/usr/local/zookeeper/conf/

zoo.cfg

  

3、生成jaas.conf文件

Server {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-server.keytab"

  storeKey=true

  useTicketCache=false

  principal="zookeeper/cluster2-host1@HADOOP.COM";

};

  

同步到其他节点,并修改节点的principal

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

jaas.conf                                                                                                                                                                                                                                   100%  229     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

jaas.conf

  

4、创建client的priincipal

kadmin.local:  addprinc zkcli/cluster2-host1

kadmin.local:  addprinc zkcli/cluster2-host2

kadmin.local:  addprinc zkcli/cluster2-host3

  

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host3

  

分发keytab文件到其他节点

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-clie.keytab

  

5、配置client-jaas.conf文件

[root@cluster2-host1 conf]# cat client-jaas.conf

Client {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"

  storeKey=true

  useTicketCache=false

  principal="zkcli/cluster2-host1@HADOOP.COM";

};

  

分发到其他节点,并修改其他节点的principal

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

client-jaas.conf                                                                                                                                                                                                                            100%  222     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

client-jaas.conf

  

6、验证zk的kerberos

严格按照下面的顺序验证

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/jaas.conf"

[root@cluster2-host1 bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf"

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]# echo $JVMFLAGS

-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf

[root@cluster2-host1 bin]# ./zkCli.sh -server cluster2-host1:2181

[zk: cluster2-host1:2181(CONNECTED) 2] create /abcd "abcdata"

Created /abcd

[zk: cluster2-host1:2181(CONNECTED) 3] ls /

[abc, abcd, zookeeper]

[zk: cluster2-host1:2181(CONNECTED) 4] getAcl /abcd

'world,'anyone

: cdrwa

[zk: cluster2-host1:2181(CONNECTED) 5]

  

同时启动zk的client,也会login successfull的日志,大家可以注意留意下

kerberos系列之zookeeper的认证配置的更多相关文章

  1. kerberos系列之hdfs&yarn认证配置

    一.安装hadoop 1.解压安装包重命名安装目录 [root@cluster2_host1 data]# tar -zxvf hadoop-2.7.1.tar.gz -C /usr/local/ [ ...

  2. API网关Kong系列(四)认证配置

    目前根据业务需要先介绍2种认证插件:Key Authentication 及 HMAC-SHA1 认证  Key Authentication 向API添加密钥身份验证(也称为API密钥). 然后,消 ...

  3. kerberos系列之hive认证配置

    大数据安全系列之hive的kerberos认证配置,其它系列链接如下 https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安 ...

  4. zookeeper acl认证机制及dubbo、kafka集成、zooviewer/idea zk插件配置

    ZooKeeper的ACL机制 zookeeper通过ACL机制控制znode节点的访问权限. 首先介绍下znode的5种操作权限:CREATE.READ.WRITE.DELETE.ADMIN 也就是 ...

  5. 【Zookeeper系列】ZooKeeper安装配置(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4018459.html 一.Zookeeper的搭建方式 Zookeeper安装方式有三种,单机模式和集群模式以及伪 ...

  6. 分布式服务Dubbo+Zookeeper安全认证

    前言 由于之前的服务都是在内网,Zookeeper集群配置都是走的内网IP,外网不开放相关端口.最近由于业务升级,购置了阿里云的服务,需要对外开放Zookeeper服务. 问题 Zookeeper+d ...

  7. 【Zookeeper系列】ZooKeeper机制架构(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4133784.html 一.ZooKeeper权限管理机制 1.1 权限管理ACL(Access Control L ...

  8. [大数据] zookeeper 安装和配置

    ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件.它是一个为分布式应用提供一致性服务的软件,提供的功 ...

  9. zookeeper编程入门系列之zookeeper实现分布式进程监控和分布式共享锁(图文详解)

    本博文的主要内容有 一.zookeeper编程入门系列之利用zookeeper的临时节点的特性来监控程序是否还在运行   二.zookeeper编程入门系列之zookeeper实现分布式进程监控 三. ...

随机推荐

  1. MOOC(2)-Django开发get、post请求,返回json数据

    1.对get请求直接返回参数 如果请求多个参数,也只能返回一个参数,这里只返回了username参数 如果想要返回多个参数值,可以返回json格式数据 2.对get请求返回json数据 # views ...

  2. SpringMVC学习笔记三:Controller的返回值

    springMVC的返回值有ModelAndView,String,void,Object类型 项目目录树: 该项目是在前面项目的基础上修改的,这里的pom.xml文件需要加入使用到的包,应为@Res ...

  3. R内的gsub()函数

    今天遇到了一个问题就是,如果数据里面有逗号,那么如何转换他们.就像下面的这样: > exercise9_1$地区生产总值 [1] 16,251.93 11,307.28 24,515.76 11 ...

  4. Python实现线程交替打印字符串

    import threading con = threading.Condition() word = u"12345上山打老虎" def work(): global word ...

  5. 吴裕雄--天生自然KITTEN编程:一箭穿心

  6. 苹果又要召回iPhone 7!这到底是要闹哪样?

    7!这到底是要闹哪样?" title="苹果又要召回iPhone 7!这到底是要闹哪样?"> 现在的苹果虽然刚刚收获了史上最赚钱的一个季度--营收和利润均创下史上最 ...

  7. 有关PHP的可变函数

    事情的起因是这样子的,最近看到一道题,问的是 <?php $_POST['a']($_POST['b']);?> 这句代码有什么问题,答案很明显因为PHP的可变函数这个特性,导致了任意代码 ...

  8. MySQL show命令的用法

    show tables或show tables from database_name; // 显示当前数据库中所有表的名称 show databases; // 显示mysql中所有数据库的名称 sh ...

  9. Vue源码之数据驱动(个人向)

    #1.大致流程 # 2.具体流程 数据驱动 New VUE Where:src/core/instance/index.js Do: 1.使用Function实现Vue类 2.调用_init 初始化V ...

  10. Spring Boot 2.x基础教程:使用 ECharts 绘制各种华丽的数据图表

    上一节我们介绍了如何在Spring Boot中使用模板引擎Thymeleaf开发Web应用的基础.接下来,我们介绍一下后端开发经常会遇到的一个场景:可视化图表. 通常,这类需求在客户端应用中不太会用到 ...