大数据安全系列的其它文章

https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安装kerberos

https://www.cnblogs.com/bainianminguo/p/12548334.html-----------hadoop的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12548175.html-----------zookeeper的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584732.html-----------hive的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12584880.html-----------es的search-guard认证

https://www.cnblogs.com/bainianminguo/p/12639821.html-----------flink的kerberos认证

https://www.cnblogs.com/bainianminguo/p/12639887.html-----------spark的kerberos认证

本篇博客介绍配置zookeeper的kerberos配置

一、zookeeper安装

1、解压安装包和重命名和创建数据目录

tar -zxvf /data/apache-zookeeper-3.5.5-bin.tar.gz -C /usr/local/

mv apache-zookeeper-3.5.5-bin/ zookeeper/

  

2、查看解压目录

[root@localhost zookeeper]# ll

total 36

drwxr-xr-x. 2 2002 2002  4096 Apr  9  2019 bin

drwxr-xr-x. 2 2002 2002    88 Feb 27 22:09 conf

drwxr-xr-x. 2 root root     6 Feb 27 21:48 data

drwxr-xr-x. 5 2002 2002  4096 May  3  2019 docs

drwxr-xr-x. 2 root root  4096 Feb 27 21:25 lib

-rw-r--r--. 1 2002 2002 11358 Feb 15  2019 LICENSE.txt

drwxr-xr-x. 2 root root     6 Feb 27 21:48 log

-rw-r--r--. 1 2002 2002   432 Apr  9  2019 NOTICE.txt

-rw-r--r--. 1 2002 2002  1560 May  3  2019 README.md

-rw-r--r--. 1 2002 2002  1347 Apr  2  2019 README_packaging.txt

 

3、修改配置文件

[root@localhost conf]# ll

total 16

-rw-r--r--. 1 2002 2002  535 Feb 15  2019 configuration.xsl

-rw-r--r--. 1 2002 2002 2712 Apr  2  2019 log4j.properties

-rw-r--r--. 1 root root  922 Feb 27 21:36 zoo.cfg

-rw-r--r--. 1 2002 2002  922 Feb 15  2019 zoo_sample.cfg

[root@localhost conf]#

  

# The number of milliseconds of each tick

tickTime=2000

# The number of ticks that the initial

# synchronization phase can take

initLimit=10

# The number of ticks that can pass between

# sending a request and getting an acknowledgement

syncLimit=5

# the directory where the snapshot is stored.

# do not use /tmp for storage, /tmp here is just

# example sakes.

dataDir=/usr/local/zookeeper/data

dataLogDir=/usr/local/zookeeper/log

# the port at which the clients will connect

clientPort=2181

# the maximum number of client connections.

# increase this if you need to handle more clients

#maxClientCnxns=60

#

# Be sure to read the maintenance section of the

# administrator guide before turning on autopurge.

#

# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance

#

# The number of snapshots to retain in dataDir

#autopurge.snapRetainCount=3

# Purge task interval in hours

# Set to "0" to disable auto purge feature

#autopurge.purgeInterval=1

server.1=cluster1_host1:2888:3888

server.2=cluster1_host2:2888:3888

server.3=cluster1_host3:2888:3888

  

4、创建myid文件

[root@localhost data]# pwd

/usr/local/zookeeper/data

[root@localhost data]#

[root@localhost data]#

[root@localhost data]# ll

total 4

-rw-r--r--. 1 root root 2 Feb 27 22:10 myid

[root@localhost data]# cat myid

1

[root@localhost data]#

  

5、拷贝安装目录到其它节点

scp -r zookeeper/ root@10.8.8.33:/usr/local/

  

修改其它节点的myid文件

6、启动zk

[root@localhost bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@localhost bin]# jps

28350 Jps

25135 QuorumPeerMain

[root@localhost bin]# ./zkServer.sh status

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Client port found: 2181. Client address: localhost.

Mode: leader

[root@localhost bin]#

  

二、zookeeper的kerberos配置

1、生成zk的kerberos的认证标志

kadmin.local:  addprinc zookeeper/cluster2-host1

WARNING: no policy specified for zookeeper/cluster2-host1@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host1@HADOOP.COM":

Principal "zookeeper/cluster2-host1@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host2

WARNING: no policy specified for zookeeper/cluster2-host2@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host2@HADOOP.COM":

Principal "zookeeper/cluster2-host2@HADOOP.COM" created.

kadmin.local:  addprinc zookeeper/cluster2-host3

WARNING: no policy specified for zookeeper/cluster2-host3@HADOOP.COM; defaulting to no policy

Enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Re-enter password for principal "zookeeper/cluster2-host3@HADOOP.COM":

Principal "zookeeper/cluster2-host3@HADOOP.COM" created.

[root@cluster2-host1 etc]# kadmin.local

Authenticating as principal root/admin@HADOOP.COM with password.

kadmin.local:  addprinc zkcli/hadoop

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-cluster2-host1.keytab zookeeper/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-server.keytab zookeeper/cluster2-host3

  

拷贝keytab到所有的节点

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-server.keytab                                                                                                                                                                                                                            100% 1664     1.6KB/s   00:00

[root@cluster2-host1 keytab]# scp zk-server.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-server.keytab

  

2、修改zk的配置文件,加如下数据

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

jaasLoginRenew=3600000

kerberos.removeHostFromPrincipal=true

  

同步到其他节点

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host2:/usr/local/zookeeper/conf/

zoo.cfg                                                                                                                                                                                                                                     100% 1207     1.2KB/s   00:00

[root@cluster2-host1 keytab]# scp /usr/local/zookeeper/conf/zoo.cfg root@cluster2-host3:/usr/local/zookeeper/conf/

zoo.cfg

  

3、生成jaas.conf文件

Server {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-server.keytab"

  storeKey=true

  useTicketCache=false

  principal="zookeeper/cluster2-host1@HADOOP.COM";

};

  

同步到其他节点,并修改节点的principal

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

jaas.conf                                                                                                                                                                                                                                   100%  229     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

jaas.conf

  

4、创建client的priincipal

kadmin.local:  addprinc zkcli/cluster2-host1

kadmin.local:  addprinc zkcli/cluster2-host2

kadmin.local:  addprinc zkcli/cluster2-host3

  

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host1

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host2

kadmin.local:  ktadd -norandkey -k /etc/security/keytab/zk-clie.keytab zkcli/cluster2-host3

  

分发keytab文件到其他节点

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host1:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host2:/usr/local/zookeeper/conf/

zk-clie.keytab                                                                                                                                                                                                                              100% 1580     1.5KB/s   00:00

[root@cluster2-host1 conf]# scp /etc/security/keytab/zk-clie.keytab root@cluster2-host3:/usr/local/zookeeper/conf/

zk-clie.keytab

  

5、配置client-jaas.conf文件

[root@cluster2-host1 conf]# cat client-jaas.conf

Client {

  com.sun.security.auth.module.Krb5LoginModule required

  useKeyTab=true

  keyTab="/usr/local/zookeeper/conf/zk-clie.keytab"

  storeKey=true

  useTicketCache=false

  principal="zkcli/cluster2-host1@HADOOP.COM";

};

  

分发到其他节点,并修改其他节点的principal

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host2:/usr/local/zookeeper/conf/

client-jaas.conf                                                                                                                                                                                                                            100%  222     0.2KB/s   00:00

[root@cluster2-host1 conf]# scp client-jaas.conf root@cluster2-host3:/usr/local/zookeeper/conf/

client-jaas.conf

  

6、验证zk的kerberos

严格按照下面的顺序验证

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/jaas.conf"

[root@cluster2-host1 bin]# ./zkServer.sh start

ZooKeeper JMX enabled by default

Using config: /usr/local/zookeeper/bin/../conf/zoo.cfg

Starting zookeeper ... STARTED

[root@cluster2-host1 bin]# export JVMFLAGS="-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf"

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]#

[root@cluster2-host1 bin]# echo $JVMFLAGS

-Djava.security.auth.login.config=/usr/local/zookeeper/conf/client-jaas.conf

[root@cluster2-host1 bin]# ./zkCli.sh -server cluster2-host1:2181

[zk: cluster2-host1:2181(CONNECTED) 2] create /abcd "abcdata"

Created /abcd

[zk: cluster2-host1:2181(CONNECTED) 3] ls /

[abc, abcd, zookeeper]

[zk: cluster2-host1:2181(CONNECTED) 4] getAcl /abcd

'world,'anyone

: cdrwa

[zk: cluster2-host1:2181(CONNECTED) 5]

  

同时启动zk的client,也会login successfull的日志,大家可以注意留意下

kerberos系列之zookeeper的认证配置的更多相关文章

  1. kerberos系列之hdfs&yarn认证配置

    一.安装hadoop 1.解压安装包重命名安装目录 [root@cluster2_host1 data]# tar -zxvf hadoop-2.7.1.tar.gz -C /usr/local/ [ ...

  2. API网关Kong系列(四)认证配置

    目前根据业务需要先介绍2种认证插件:Key Authentication 及 HMAC-SHA1 认证  Key Authentication 向API添加密钥身份验证(也称为API密钥). 然后,消 ...

  3. kerberos系列之hive认证配置

    大数据安全系列之hive的kerberos认证配置,其它系列链接如下 https://www.cnblogs.com/bainianminguo/p/12548076.html-----------安 ...

  4. zookeeper acl认证机制及dubbo、kafka集成、zooviewer/idea zk插件配置

    ZooKeeper的ACL机制 zookeeper通过ACL机制控制znode节点的访问权限. 首先介绍下znode的5种操作权限:CREATE.READ.WRITE.DELETE.ADMIN 也就是 ...

  5. 【Zookeeper系列】ZooKeeper安装配置(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4018459.html 一.Zookeeper的搭建方式 Zookeeper安装方式有三种,单机模式和集群模式以及伪 ...

  6. 分布式服务Dubbo+Zookeeper安全认证

    前言 由于之前的服务都是在内网,Zookeeper集群配置都是走的内网IP,外网不开放相关端口.最近由于业务升级,购置了阿里云的服务,需要对外开放Zookeeper服务. 问题 Zookeeper+d ...

  7. 【Zookeeper系列】ZooKeeper机制架构(转)

    原文链接:https://www.cnblogs.com/sunddenly/p/4133784.html 一.ZooKeeper权限管理机制 1.1 权限管理ACL(Access Control L ...

  8. [大数据] zookeeper 安装和配置

    ZooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件.它是一个为分布式应用提供一致性服务的软件,提供的功 ...

  9. zookeeper编程入门系列之zookeeper实现分布式进程监控和分布式共享锁(图文详解)

    本博文的主要内容有 一.zookeeper编程入门系列之利用zookeeper的临时节点的特性来监控程序是否还在运行   二.zookeeper编程入门系列之zookeeper实现分布式进程监控 三. ...

随机推荐

  1. 吴裕雄--天生自然 R语言开发学习:中级绘图(续二)

    #------------------------------------------------------------------------------------# # R in Action ...

  2. 深入理解Tomcat(12)拾遗

    前言 如何使用? 源码解读 总结 前言 Tomcat为了提高性能,在接受到socket传入的字节之后并不会马上进行编码转换,而是保持byte[]的方式,在用到的时候再进行转换.在tomcat的实现中, ...

  3. iOS 客户端与服务端做时间同步

    需求 我们做客户端的时候,有时会需要对客户端与服务器的时间进行同步,比如抢购活动.倒计时等.这时我们要考虑如何准备地与服务器的时间进行同步,同时防止用户本地的时间有误差时导致的问题. 分析 描述 为了 ...

  4. 康威定律(Conway's law)

    系统是设计该系统的组织结构的映射. Conway's law 最初是Conway在1967年发表的论文<How Do Committees Invent?>,然后 Fred Brooks ...

  5. python中使用paramiko模块并实现远程连接服务器执行上传下载

    paramiko模块 paramiko是用python语言写的一个模块,遵循SSH2协议,支持以加密和认证的方式,进行远程服务器的连接. 因此,如果需要使用SSH从一个平台连接到另外一个平台,进行一系 ...

  6. [置顶] 利用Python 提醒实验室同学值日(自动发送邮件)

    前言: 在实验室里一直存在着一个问题,就是老是有人忘记提醒下一个人值日,然后值日就被迫中断了.毕竟良好的        卫生环境需要大家一起来维护的!没办法只能想出一些小对策了. 解决思路: 首先,我 ...

  7. Web Scraper 高级用法——抓取属性信息 | 简易数据分析 16

    这是简易数据分析系列的第 16 篇文章. 这期课程我们讲一个用的较少的 Web Scraper 功能--抓取属性信息. 网页在展示信息的时候,除了我们看到的内容,其实还有很多隐藏的信息.我们拿豆瓣电影 ...

  8. 第二章 表与指针Pro SQL Server Internal (Dmitri Korotkev)

    聚集索引 聚集索引就是表中数据的物理顺序,它是按照聚集索引分类的.表只能定义一个聚集索引. 如果你要在一个有数据的堆表中创建一个聚集索引,如2-5所示,第一步要做的就是SQL服务器创建另一个根据聚集索 ...

  9. 网页入侵最后一道防线:CSP内容安全策略

    首先,什么是最后一道防线?网页入侵都有一个过程,简单来说,就是1.代码注入,2.代码执行. 对于黑客来说,代码注入后并不代表就万事大吉了,因为此时代码只是安静地躺在受害者的服务器里,什么坏事都没干呢! ...

  10. 《第31天:JQuery - 轮播图》

    源码下载地址:链接:https://pan.baidu.com/s/16K9I... 提取码:0ua2 写这篇文章,当做是对自已这一天的一个总结.写轮播图要准备的东西:三张尺寸大小一样的图片.分为三个 ...