接前文,在安装完Kerberos之后,Flink仍然需要Hadoop集群使用SASL认证,关于SASL的相关内容,可以自行进行查阅,这里只介绍安装方式。
1. 安装openssl
在之前配置好Kerberos Master KDC的机器,安装openssl:
yum install openssl
2. 生成keystore和truststore文件
依次执行以下的命令,执行中需要设置一个不少于6位的密码,这里设置的密码为hadoop。执行完成后,会在当前目录生成keystore和truststore文件。
$ openssl req -new -x509 -keyout test_ca_key -out test_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=beijing/O=hadoop/OU=hadoop/CN=hadoop.com'
Generating a 2048 bit RSA private key
.........................+++
.........................................................................................+++
writing new private key to 'test_ca_key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
$ keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=hadoop.com, OU=hadoop, O=hadoop, L=beijing, ST=beijing, C=cn"
Enter keystore password:
Re-enter new password:
Enter key password for <localhost>
(RETURN if same as keystore password):
Re-enter new password:
$ keytool -keystore truststore -alias CARoot -import -file test_ca_cert
Enter keystore password:
Re-enter new password:
Owner: CN=hadoop.com, OU=hadoop, O=hadoop, L=beijing, ST=beijing, C=CN
Issuer: CN=hadoop.com, OU=hadoop, O=hadoop, L=beijing, ST=beijing, C=CN
Serial number: f60b93dc251f2239
Valid from: Fri Jun 21 02:52:51 EDT 2019 until: Mon Nov 05 01:52:51 EST 2046
Certificate fingerprints:
MD5: CA:8B:6B:A5:6F:3B:E4:A2:30:25:26:1F:B0:45:9F:66
SHA1: 09:2C:07:0F:18:3C:95:BB:27:0C:5B:B8:D5:12:B4:EC:5A:16:69:72
SHA256: DB:C4:22:2F:E2:C9:0A:A0:B9:03:51:DA:21:9A:8F:E2:EE:A9:4F:35:1B:F4:53:E2:EC:4E:86:4C:C6:46:BD:C5
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: DE DF 33 F3 77 C1 2B FE C1 42 BB 25 52 D8 F0 BA ..3.w.+..B.%R...
0010: FE BF DF 6A ...j
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DE DF 33 F3 77 C1 2B FE C1 42 BB 25 52 D8 F0 BA ..3.w.+..B.%R...
0010: FE BF DF 6A ...j
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -certreq -alias localhost -keystore keystore -file cert
Enter keystore password:
# 注意这里的passin参数,pass:{hadoop},{}里修改为实际的密码。
$ openssl x509 -req -CA test_ca_cert -CAkey test_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial -passin pass:hadoop
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=hadoop/OU=hadoop/CN=hadoop.com
Getting CA Private Key
$ keytool -keystore keystore -alias CARoot -import -file test_ca_cert
Enter keystore password:
Owner: CN=hadoop.com, OU=hadoop, O=hadoop, L=beijing, ST=beijing, C=CN
Issuer: CN=hadoop.com, OU=hadoop, O=hadoop, L=beijing, ST=beijing, C=CN
Serial number: f60b93dc251f2239
Valid from: Fri Jun 21 02:52:51 EDT 2019 until: Mon Nov 05 01:52:51 EST 2046
Certificate fingerprints:
MD5: CA:8B:6B:A5:6F:3B:E4:A2:30:25:26:1F:B0:45:9F:66
SHA1: 09:2C:07:0F:18:3C:95:BB:27:0C:5B:B8:D5:12:B4:EC:5A:16:69:72
SHA256: DB:C4:22:2F:E2:C9:0A:A0:B9:03:51:DA:21:9A:8F:E2:EE:A9:4F:35:1B:F4:53:E2:EC:4E:86:4C:C6:46:BD:C5
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: DE DF 33 F3 77 C1 2B FE C1 42 BB 25 52 D8 F0 BA ..3.w.+..B.%R...
0010: FE BF DF 6A ...j
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DE DF 33 F3 77 C1 2B FE C1 42 BB 25 52 D8 F0 BA ..3.w.+..B.%R...
0010: FE BF DF 6A ...j
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
$ keytool -keystore keystore -alias localhost -import -file cert_signed
Enter keystore password:
Certificate reply was installed in keystore
3. 总结
以上生成的SASL的truststore和keystore文件,之后会拷贝到其他Hadoop部署的机器上,后面会继续介绍。
网友评论