  [Kerberos] How to Kerberize a Hadoop Cluster

    Overview

    Kerberos is a third-party authentication mechanism: users and services (known as principals) authenticate each other through a Kerberos server (known as the Key Distribution Center, or KDC). The KDC has three parts:

    • A database of principals and their Kerberos passwords
    • An Authentication Server (AS) which performs the initial authentication and issues a TGT
    • A Ticket Granting Server (TGS) that issues subsequent service tickets based on the initial TGT

    A user principal requests authentication from the AS. The AS returns a TGT encrypted with the user's Kerberos password. Until the ticket expires, the user can present that TGT to the TGS to request service tickets.

    Because cluster resources (hosts or services) cannot supply a password each time to decrypt the TGT, they use a keytab: a special file, exported from the database and stored locally, that contains the resource principal's authentication credentials.

    Installing and configuring the KDC

    • Enabling Kerberos authentication requires installing the KDC server and the necessary packages. The KDC install command can be run on any machine:
    yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
    • Next, install the Kerberos client and command-line tools on the other nodes in the cluster:
    yum -y install krb5-libs krb5-auth-dialog krb5-workstation
    • Edit the KDC configuration for the realms, including AD (Active Directory)

      The krb5.conf file contains the addresses of the KDCs and admin servers and the default configuration for the current realm and for Kerberos applications; it maps host names to Kerberos realms. It is normally located at /etc/krb5.conf.

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = HADOOP.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     HADOOP.COM = {
      kdc = node1.hadoop.com
      admin_server = node1.hadoop.com
     }
    
     AD.COM = {
      kdc = windc.ad.com
      admin_server = windc.ad.com
     }
    
    [domain_realm]
     .hadoop.com = HADOOP.COM
     hadoop.com = HADOOP.COM
     .ad.com = AD.COM
     ad.com = AD.COM
    
    [capaths]
     AD.COM = {
      HADOOP.COM = .
     }

    realms: under HADOOP.COM, kdc and admin_server are the address of the host on which we installed the KDC; under AD.COM they are the address of the Domain Controller.

    domain_realm: provides the translation from a domain name or host name to a Kerberos realm name. Both domain and host names must be lowercase.

    capaths: for cross-realm authentication, the database needs authentication paths between the different realms. This section defines them.

    • Edit kdc.conf, by default at /var/kerberos/krb5kdc/kdc.conf. It contains the KDC configuration, including the defaults used when issuing Kerberos tickets.
    [realms]
      HADOOP.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }
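    Two checks on the configuration described above, as an added example that is not part of the original post: it flags deprecated enctypes in the kdc.conf supported_enctypes list (the stanza above still includes single-DES, 3DES and RC4 types) and [domain_realm] keys that are not lowercase. The sample config strings are constructed, and the parser is a minimal one written for this stanza format only.

```python
import re

# Constructed sample kdc.conf stanza, modelled on the one shown on this page.
SAMPLE_KDC_CONF = """\
[realms]
 HADOOP.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
# Constructed krb5.conf fragment with one deliberately mis-cased mapping.
SAMPLE_KRB5_CONF = """\
[domain_realm]
 .hadoop.com = HADOOP.COM
 Hadoop.com = HADOOP.COM
"""
# Enctype name prefixes MIT Kerberos has deprecated (3DES, RC4) or removed (single DES).
DEPRECATED_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

def parse_settings(text):
    """Yield (section, key, value) per 'key = value' line; skip '{', '}', comments."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)  # '[realms]', '[domain_realm]', ...
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and value.strip() != "{":  # 'HADOOP.COM = {' opens a block, not a setting
            yield section, key.strip(), value.strip()

def deprecated_enctypes(kdc_conf):
    """Return the supported_enctypes entries that use a deprecated enctype."""
    found = []
    for section, key, value in parse_settings(kdc_conf):
        if section == "realms" and key == "supported_enctypes":
            for entry in value.split():
                name = entry.split(":")[0]  # drop the ':normal' salt type
                if name.startswith(DEPRECATED_PREFIXES):
                    found.append(name)
    return found

def miscased_domain_mappings(krb5_conf):
    """Return [domain_realm] keys that are not lowercase, which the text requires."""
    return [key for section, key, _ in parse_settings(krb5_conf)
            if section == "domain_realm" and key != key.lower()]
```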

    Creating the database and the first administrator

    • Create the Kerberos database. -s means the database's master key is stored in a hidden stash file:
    kdb5_util create -s
    • Add the admin principals to the ACL file (edit /var/kerberos/krb5kdc/kadm5.acl):
    */admin@HADOOP.COM *
    • Create the first administrator:
    kadmin.local -q "addprinc <username>/admin"
    • Start Kerberos:
    service krb5kdc start
    service kadmin start

    Verifying the installation

    # enter the local kadmin shell (accesses the database directly, no ticket needed)
    kadmin.local
    kadmin.local: listprincs

    # running the remote kadmin without a ticket fails
    kadmin
    kadmin: Client not found in Kerberos database

    # obtain a ticket for the admin principal and check it
    kinit <username>/admin
    klist

    # with the ticket in place, the remote kadmin now works
    kadmin

    Other Kerberos administration commands

    • kadmin: kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs).
    • kadmind
    • kdb5_util: allows an administrator to perform maintenance procedures on the KDC database
    • kdb5_ldap_util
    • krb5kdc
    • kprop
    • kpropd
    • kproplog
    • ktutil: The ktutil command invokes a command interface from which an administrator can read, write, or edit entries in a keytab or Kerberos V4 srvtab file.
    • k5srvutil
    • sserver

    kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionality; the difference is that kadmin.local directly accesses the KDC database, while kadmin performs operations through kadmind.
