Adding Kerberos support to Ambari

Author: AlienPaul | Published 2019-07-16 10:29 | 3 reads

    Install JCE

    Download the file jce_policy-8.zip from the following link (the unlimited-strength policy files let the JVM use 256-bit AES keys).

    https://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

    Unzip it into $JAVA_HOME/jre/lib/security/, for example /usr/java/jdk1.8.0_171-amd64/jre/lib/security/.

    Install Kerberos

    On the KDC node, install the KDC server:

    yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation -y
    

    On every other node, install krb5-devel and krb5-workstation:

    yum install krb5-devel krb5-workstation -y
    

    Edit krb5.conf and kdc.conf

    Their paths are:

    /etc/krb5.conf
    /var/kerberos/krb5kdc/kdc.conf
    

    krb5.conf

    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false
     pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    # change this to your realm (only '#' comments are valid in this file; a trailing "//" would become part of the value)
     default_realm = HADOOP.COM
     default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
    # change this: the realm name and the hostname (not IP address) of the KDC / kadmin server
     HADOOP.COM = {
      kdc = manager.bigdata
      admin_server = manager.bigdata
     }
    
    [domain_realm]
    # .example.com = EXAMPLE.COM
    # example.com = EXAMPLE.COM
    

    After editing, copy this file to the same path on every other node.

    kdc.conf

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
    
    [realms]
    # change this to your realm
     HADOOP.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      # the des-*, des3-* and arcfour-hmac entries come from the stock template; they are weak, deprecated types and can be dropped unless a legacy client still needs them
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
    

    Create the KDC database

    /usr/sbin/kdb5_util create -r HADOOP.COM -s
    

    Edit the KDC ACL

    /var/kerberos/krb5kdc/kadm5.acl:

    */admin@HADOOP.COM        *
    

    Create the Kerberos admin principal

    su root
    kadmin.local
    
    addprinc paul/admin
    # -norandkey exports the existing key instead of generating a new one, so the password for paul/admin keeps working after the keytab is written
    ktadd -norandkey -k path/to/keytabFile.keytab paul/admin
    

    Start the KDC and kadmin

    /sbin/service krb5kdc start
    /sbin/service kadmin start
    

    Authenticating from the command line

    kdestroy
    # two ways to authenticate: with a keytab or with a password
    kinit -k -t path/to/keytab paul/admin
    kinit paul/admin
    

    Configure Ambari for Kerberos authentication

    Enable Kerberos authentication

    Choose the Kerberos entry in the left-hand menu.

    [Figure: Kerberos menu]

    Then click the Enable Kerberos button on the right.

    [Figure: Enable Kerberos]

    In the pop-up window, choose Proceed Anyway.

    [Figure: Proceed Anyway]

    As shown in the figure, choose Existing MIT KDC and tick the three checkboxes below it.

    [Figure: Select Kerberos]

    Fill in the information as shown and click Test KDC Connection to check that the KDC server is reachable. The KDC host and Kadmin host fields must contain the hostname (the kadmin service principal is kadmin/<hostname>@REALM); otherwise Kerberos reports that the principal kadmin/manager.bigdata@HADOOP.COM cannot be found.
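The following POSIX shell helpers are an added example, not code from the original post or from Ambari: they gather the manual KDC setup steps above (krb5.conf, database, ACL, admin principal, services) into functions and encode the hostname rule behind the Test KDC Connection error, so the values can be checked before they go into the wizard. The realm HADOOP.COM, host manager.bigdata, principal paul/admin and keytab path are sample values taken from the article; the enctype list is a constructed input.

```shell
#!/bin/sh
# Added example (not from the original post): shell helpers around the KDC
# setup steps above. REALM, KDC host, admin principal and keytab path are
# constructed sample values reusing the article's own examples.

# Print a krb5.conf for a realm whose KDC and kadmin both run on kdc_host.
# Only '#' comments are valid in this file; a "//" marker would be read as
# part of the value.
render_krb5_conf() {
    realm=$1; kdc_host=$2
    cat <<EOF
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = $realm
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $realm = {
  kdc = $kdc_host
  admin_server = $kdc_host
 }
EOF
}

# Succeeds for a hostname, fails for a bare IPv4 address. The kadmin service
# principal is kadmin/<hostname>@REALM, so an IP address in the wizard's
# Kadmin host field leads to "principal not found".
is_hostname() {
    case $1 in
        *[!0-9.]*) return 0 ;;
        *) return 1 ;;
    esac
}

# The principal Ambari's "Test KDC Connection" looks up: kadmin/<host>@REALM.
kadmin_principal() {
    is_hostname "$2" || { echo "Kadmin host must be a hostname, got '$2'" >&2; return 1; }
    printf 'kadmin/%s@%s\n' "$2" "$1"
}

# List the deprecated enctypes (single DES, 3DES, RC4) in a supported_enctypes
# value, so they can be removed from kdc.conf unless a legacy client needs them.
weak_enctypes() {
    for et in $1; do
        case ${et%%:*} in
            des*|arcfour-hmac*) printf '%s\n' "${et%%:*}" ;;
        esac
    done
}

# Run as root on the KDC host. Mirrors the article's manual steps; only
# executed when the script is invoked with --bootstrap.
bootstrap_kdc() {
    realm=$1; kdc_host=$2; admin=$3; keytab=$4
    render_krb5_conf "$realm" "$kdc_host" > /etc/krb5.conf
    /usr/sbin/kdb5_util create -r "$realm" -s
    printf '*/admin@%s\t*\n' "$realm" > /var/kerberos/krb5kdc/kadm5.acl
    kadmin.local -q "addprinc $admin"                    # prompts for a password
    kadmin.local -q "ktadd -norandkey -k $keytab $admin" # keeps the password usable
    service krb5kdc start
    service kadmin start
}

if [ "${1:-}" = "--bootstrap" ]; then
    bootstrap_kdc HADOOP.COM manager.bigdata paul/admin /root/paul-admin.keytab
fi
```

Sourcing the file gives you the checks without running anything privileged; `sh kdc-helpers.sh --bootstrap` on the KDC host performs the actual setup. `kadmin_principal HADOOP.COM manager.bigdata` prints the principal the wizard will look for, and `weak_enctypes "$(grep supported_enctypes /var/kerberos/krb5kdc/kdc.conf | cut -d= -f2)"` lists the legacy types worth removing from the stock template.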

    Next, Ambari installs the Kerberos client. If this step fails, check the /var/log/krb5kdc.log log.

    If the following dialog appears, fill in the correct admin principal details.

    Leave everything on the next configuration page at its defaults.

    Confirm the KDC configuration

    Then click Next through the remaining steps. The Ambari Kerberos integration is complete.
