Kerberos High Availability


1. Install the Kerberos service on the standby node

cdh001 (192.168.159.100) already runs the primary Kerberos service.
Now install the standby Kerberos service on cdh002 (191.168.159.101).
Install the packages first; the configuration is done later.

[root@cdh002 ~]# yum install -y krb5-server openldap-clients krb5-workstation krb5-libs

2. Modify the primary node configuration

  1. Edit /etc/krb5.conf on cdh001 and add the standby KDC under the [realms] section:
[realms]
 DEJIN.COM = {
  kdc = cdh001
  admin_server = cdh001
  kdc = cdh002
  admin_server = cdh002
}


  2. Push the modified /etc/krb5.conf to the same path on every Kerberos client node in the cluster:
[root@cdh001 ~]# pscp -h /node.list /etc/krb5.conf /etc/
[1] 17:17:11 [SUCCESS] root@192.168.159.101:22
[2] 17:17:11 [SUCCESS] root@192.168.159.102:22
[3] 17:17:11 [SUCCESS] root@192.168.159.100:22
  3. Save the configuration, then restart the krb5kdc and kadmin services:
[root@cdh001 ~]# systemctl restart krb5kdc
[root@cdh001 ~]# systemctl restart kadmin
  4. Create the principals used for primary-to-standby propagation and generate a keytab for them:
kadmin.local
kadmin.local:  addprinc -randkey host/cdh001
kadmin.local:  addprinc -randkey host/cdh002
kadmin.local:  ktadd host/cdh001
kadmin.local:  ktadd host/cdh002
[root@cdh001 ~]# kadmin.local
Authenticating as principal root/admin@DEJIN.COM with password.
kadmin.local:  addprinc -randkey host/cdh001
WARNING: no policy specified for host/cdh001@DEJIN.COM; defaulting to no policy
Principal "host/cdh001@DEJIN.COM" created.
kadmin.local:  addprinc -randkey host/cdh002
WARNING: no policy specified for host/cdh002@DEJIN.COM; defaulting to no policy
Principal "host/cdh002@DEJIN.COM" created.
kadmin.local:  ktadd host/cdh001
Entry for principal host/cdh001 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  ktadd host/cdh002
Entry for principal host/cdh002 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:  

The propagation principals are created with random keys (-randkey), and ktadd writes their keys to a keytab; by default the file is /etc/krb5.keytab, and each further ktadd appends to it.

  5. Copy the following files to the corresponding directories on the standby Kerberos server:
/etc/krb5.conf 
/etc/krb5.keytab
/var/kerberos/krb5kdc/.k5.DEJIN.COM 
/var/kerberos/krb5kdc/kadm5.acl 
/var/kerberos/krb5kdc/kdc.conf
[root@cdh001 ~]# scp  /etc/krb5.conf /etc/krb5.keytab cdh002:/etc/
[root@cdh001 ~]# cd /var/kerberos/krb5kdc
[root@cdh001 krb5kdc]# scp .k5.DEJIN.COM kadm5.acl kdc.conf cdh002:/var/kerberos/krb5kdc/ 

3. Standby node configuration

  1. Declare the principals allowed to propagate to this node in /var/kerberos/krb5kdc/kpropd.acl; create the file if it does not exist:
[root@cdh002 ~]# cat /var/kerberos/krb5kdc/kpropd.acl
host/cdh001@DEJIN.COM
host/cdh002@DEJIN.COM
  2. Start the kprop service and enable it at boot:
[root@cdh002 ~]# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
[root@cdh002 ~]# systemctl start kprop
[root@cdh002 ~]# systemctl status kprop
● kprop.service - Kerberos 5 Propagation
   Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2020-12-27 17:47:03 CST; 10s ago
  Process: 20906 ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 20911 (kpropd)
    Tasks: 1
   CGroup: /system.slice/kprop.service
           └─20911 /usr/sbin/kpropd

12月 27 17:47:03 cdh002 systemd[1]: Starting Kerberos 5 Propagation...
12月 27 17:47:03 cdh002 systemd[1]: Started Kerberos 5 Propagation.

The standby node is now ready to receive data. Next, export the Kerberos database on the primary node with kdb5_util, then push it to the standby with kprop.

4. Synchronise the primary node's data to the standby node

  1. On the primary node, export the Kerberos database with kdb5_util:
[root@cdh001 krb5kdc]# kdb5_util dump /var/kerberos/krb5kdc/master.dump

On success, two files are produced: master.dump and master.dump.dump_ok.

  2. On the primary node, propagate master.dump to the standby with kprop:
[root@cdh001 krb5kdc]# kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 cdh002
32768 bytes sent.
40455 bytes sent.
Database propagation to cdh002: SUCCEEDED

Check on the standby node:

[root@cdh002 krb5kdc]# ll
总用量 96
-rw------- 1 root root 40455 12月 27 18:31 from_master
-rw------- 1 root root    20 12月 27 18:23 kadm5.acl
-rw------- 1 root root   482 12月 27 18:23 kdc.conf
-rw-r--r-- 1 root root    44 12月 27 18:29 kpropd.acl
-rw------- 1 root root 36864 12月 27 18:31 principal
-rw------- 1 root root  8192 12月 27 18:31 principal.kadm5
-rw------- 1 root root     0 12月 27 18:31 principal.kadm5.lock
-rw------- 1 root root     0 12月 27 18:31 principal.ok

5. Verify the standby node

  1. On the standby node, check that krb5kdc starts with the propagated database:
[root@cdh002 krb5kdc]# systemctl start krb5kdc
[root@cdh002 krb5kdc]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
   Active: active (running) since 日 2020-12-27 18:36:06 CST; 9s ago
  Process: 9810 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 9817 (krb5kdc)
    Tasks: 1
   CGroup: /system.slice/krb5kdc.service
           └─9817 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid

12月 27 18:36:06 cdh002 systemd[1]: Starting Kerberos 5 KDC...
12月 27 18:36:06 cdh002 systemd[1]: Started Kerberos 5 KDC.
[root@cdh002 krb5kdc]# kadmin.local
Authenticating as principal dejin/admin@DEJIN.COM with password.
kadmin.local:  listprincs
HTTP/cdh001@DEJIN.COM
HTTP/cdh002@DEJIN.COM
HTTP/cdh003@DEJIN.COM
K/M@DEJIN.COM
admin/admin@DEJIN.COM
cloudera-scm/admin@DEJIN.COM
dejin@DEJIN.COM
hbase/cdh001@DEJIN.COM
hbase/cdh002@DEJIN.COM
hbase/cdh003@DEJIN.COM
hdfs/cdh001@DEJIN.COM
  2. On the standby node, verify that kadmin works:
kadmin.local:  addprinc test
WARNING: no policy specified for test@DEJIN.COM; defaulting to no policy
Enter password for principal "test@DEJIN.COM": 
Re-enter password for principal "test@DEJIN.COM": 
Principal "test@DEJIN.COM" created.
  3. Kill the krb5kdc and kadmin services on the primary to verify failover:
[root@cdh001 krb5kdc]# ps -ef |grep krb5
root     119669      1  0 18:17 ?        00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
root     125422 100883  0 18:41 pts/2    00:00:00 grep --color=auto krb5
[root@cdh001 krb5kdc]# kill -9 119669
[root@cdh001 krb5kdc]# ps -ef | grep kadmin
root     119695      1  0 18:17 ?        00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
root     125686 100883  0 18:42 pts/2    00:00:00 grep --color=auto kadmin
[root@cdh001 krb5kdc]# kill -9 119695
  4. The standby keeps serving; principals can still be added:
[root@cdh002 krb5kdc]# kadmin.local
Authenticating as principal dejin/admin@DEJIN.COM with password.
kadmin.local:  addprinc test2
WARNING: no policy specified for test2@DEJIN.COM; defaulting to no policy
Enter password for principal "test2@DEJIN.COM": 
Re-enter password for principal "test2@DEJIN.COM": 
Principal "test2@DEJIN.COM" created.
kadmin.local:  listprincs
HTTP/cdh001@DEJIN.COM
HTTP/cdh002@DEJIN.COM
HTTP/cdh003@DEJIN.COM
K/M@DEJIN.COM
admin/admin@DEJIN.COM
  5. A client node can also obtain a ticket for the newly added principal:
[root@cdh003 ~]# kinit test2
Password for test2@DEJIN.COM: 
[root@cdh003 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test2@DEJIN.COM

Valid starting       Expires              Service principal
2020-12-27T18:50:56  2020-12-28T18:50:56  krbtgt/DEJIN.COM@DEJIN.COM
        renew until 2021-01-03T18:50:56

6. Configure a crontab job on the primary node to synchronise data periodically

  1. Write the synchronisation script:
[root@cdh001 krb5kdc]# vim /var/kerberos/krb5kdc/kprop_sync.sh 
#!/bin/bash
# Dump the KDC database on the primary and propagate it to the standby KDC.
set -eu
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="cdh002"
echo "Start at $(date)"
# Dump the whole database; kdb5_util writes $DUMP.dump_ok once the dump is complete
sudo kdb5_util dump "$DUMP"
# Push the dump to kpropd on the standby; -d prints the bytes sent
sudo kprop -f "$DUMP" -d -P "$PORT" "$SLAVE"
  2. Make kprop_sync.sh executable and test it:
[root@cdh001 krb5kdc]# chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh 
[root@cdh001 krb5kdc]# sh /var/kerberos/krb5kdc/kprop_sync.sh  
Start at 2020年 12月 27日 星期日 19:06:55 CST
32768 bytes sent.
41520 bytes sent.
Database propagation to cdh002: SUCCEEDED
  3. Configure the crontab job:
[root@cdh001 ~]# crontab -e
0 * * * * /var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate 2>&1

The line above runs kprop_sync.sh at minute 0 of every hour and writes its output to the lastupdate file; stderr is redirected as well, so a failed kprop run is recorded there instead of being lost. A per-user crontab opened with crontab -e has no user field, so the command follows the five time fields directly.
Save and exit, then start the cron service and enable it at boot:

[root@cdh001 ~]# systemctl enable crond
[root@cdh001 ~]# systemctl start crond
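A propagation job that quietly stops leaves the standby with a stale database, which is only noticed at failover time. The health check below reads the lastupdate file and the dump_ok marker described above; it is an added example, not part of the original post, and the log contents it creates are constructed (paths follow the post).

```shell
#!/bin/bash
# Health check for the hourly kprop_sync.sh job on the primary KDC.
# Added example; paths follow the post (master.dump, lastupdate).

# dump_is_complete DUMP: kdb5_util writes DUMP.dump_ok only after a complete dump.
# Returns 0 if the marker exists and is at least as new as the dump itself.
dump_is_complete() {
    local dump=$1
    [ -f "$dump" ] && [ -f "$dump.dump_ok" ] || return 1
    [ "$(stat -c %Y "$dump.dump_ok")" -ge "$(stat -c %Y "$dump")" ]
}

# check_lastupdate FILE MAX_AGE_SECONDS [NOW_EPOCH]
# 0 = last propagation succeeded within MAX_AGE, 1 = no log file,
# 2 = kprop did not report SUCCEEDED, 3 = log older than MAX_AGE (job stopped).
check_lastupdate() {
    local file=$1 max_age=$2 now=${3:-$(date +%s)}
    [ -f "$file" ] || return 1
    # kprop prints "Database propagation to <host>: SUCCEEDED" on success
    grep -q 'Database propagation to .*: SUCCEEDED' "$file" || return 2
    [ $(( now - $(stat -c %Y "$file") )) -le "$max_age" ] || return 3
}

# Stand-alone demonstration on constructed files in a temporary directory.
main() {
    local dir
    dir=$(mktemp -d)
    printf 'Start at Sun Dec 27 19:06:55 CST 2020\n32768 bytes sent.\n41520 bytes sent.\nDatabase propagation to cdh002: SUCCEEDED\n' > "$dir/lastupdate"
    : > "$dir/master.dump"
    : > "$dir/master.dump.dump_ok"
    dump_is_complete "$dir/master.dump" && echo "dump complete"
    check_lastupdate "$dir/lastupdate" 7200 && echo "propagation healthy"
    rm -rf "$dir"
}
main
```

In production, point check_lastupdate at /var/kerberos/krb5kdc/lastupdate with a MAX_AGE a little over the cron interval (for example 7200 for an hourly job) and alert on any non-zero return.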