I. Cluster planning
This test uses three virtual machines running CentOS 7.6.
Kerberos is installed from the default YUM repository; the version is 1.15.1-55.
The Ranger version is 2.4.0, and the system user is ranger:ranger.
IP address | Hostname | KDC | Ranger |
192.168.121.101 | node101.cc.local | KDC master | Ranger Admin |
192.168.121.102 | node102.cc.local | KDC slave, level 1 | |
192.168.121.103 | node103.cc.local | KDC slave, level 2 | Ranger Admin MYSQL |
Note: Ranger was installed earlier, so the ranger user and the ranger group already exist. Reference: "Centos7 + Apache Ranger 2.4.0 deployment", https://blog.csdn.net/snipercai/article/details/132227718
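II. Creating the Kerberos principals
1. Create the principals
Note: the names Ranger uses are fixed; the principals must be created with exactly these names: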
HTTP
rangeradmin
rangerlookup
rangerusersync
# kadmin -p kws/admin -w kws\!101 -q"addprinc -randkey rangeradmin/node103.cc.local"
# kadmin -p kws/admin -w kws\!101 -q"addprinc -randkey rangerlookup/node103.cc.local"
# kadmin -p kws/admin -w kws\!101 -q"addprinc -randkey rangerusersync/node103.cc.local"
# kadmin -p kws/admin -w kws\!101 -q"addprinc -randkey HTTP/node103.cc.local"
2. Generate the keytab file
# kadmin -p kws/admin -wkws\!101 -q"xst -k /etc/security/keytab/ranger.keytab rangeradmin/node103.cc.local rangerlookup/node103.cc.local rangerusersync/node103.cc.local HTTP/node103.cc.local"
3. Change the ownership of the keytab file
# chown ranger:ranger /etc/security/keytab/ranger.keytab
III. Configuring Ranger Admin
1. Edit install.properties
Change the policymgr address from the original IP to the hostname, because Kerberos authentication is bound to the hostname.
# ------- PolicyManager CONFIG ----------------
policymgr_external_url=http://node103.cc.local:6080
Edit the Kerberos Config section:
#------------ Kerberos Config -----------------
spnego_principal=HTTP/node103.cc.local@CC.LOCAL
spnego_keytab=/etc/security/keytab/ranger.keytab
token_valid=30
cookie_domain=
cookie_path=/
admin_principal=rangeradmin/node103.cc.local@CC.LOCAL
admin_keytab=/etc/security/keytab/ranger.keytab
lookup_principal=rangerlookup/node103.cc.local@CC.LOCAL
lookup_keytab=/etc/security/keytab/ranger.keytab
hadoop_conf=/opt/hadoop/hadoop-3.3.4/etc/hadoop/
2. Re-run the installer
# ./setup.sh
2024-04-24 17:53:07,536 [I] Ranger all admins default password has already been changed!!
Installation of Ranger PolicyManager Web Application is completed.
3. Start the service
# su - ranger
# ranger-admin start
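A check that can be run against install.properties before ./setup.sh, added here as an example (it is not part of the original post or of Ranger). It verifies the two points made above: that policymgr_external_url uses a hostname rather than an IP, and that each principal carries the fixed service name and the same host. The function names prop, check_ranger_krb and sample_props are hypothetical, and the sample properties are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check of the Kerberos
# settings in Ranger Admin's install.properties before running ./setup.sh.

# prop FILE KEY: value of the last uncommented "KEY=value" line, empty if none
prop() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }

# check_ranger_krb FILE: prints one line per problem; exit status = problem count
check_ranger_krb() (
  f=$1 n=0
  bad() { echo "$1"; n=$((n+1)); }
  url=$(prop "$f" policymgr_external_url)
  host=${url#*://}; host=${host%%[:/]*}      # strip scheme, port and path
  case $host in
    "")        bad "policymgr_external_url is not set (commented out?)" ;;
    *[!0-9.]*) ;;                            # not only digits and dots: a hostname
    *)         bad "policymgr_external_url uses an IP address: $host"; host="" ;;
  esac
  # Fixed service names as listed on the page: HTTP, rangeradmin, rangerlookup
  for pair in spnego:HTTP admin:rangeradmin lookup:rangerlookup; do
    key=${pair%%:*}_principal; want=${pair#*:}
    val=$(prop "$f" "$key")
    case $val in
      */*/*|*@*@*) bad "$key: malformed principal '$val'"; continue ;;
      ?*/?*@?*)    ;;
      *)           bad "$key: expected service/host@REALM, got '$val'"; continue ;;
    esac
    svc=${val%%/*}; phost=${val#*/}; phost=${phost%%@*}
    [ "$svc" = "$want" ] || bad "$key: service '$svc', expected '$want'"
    [ -z "$host" ] || [ "$phost" = "$host" ] ||
      bad "$key: host '$phost' differs from policymgr host '$host'"
  done
  exit "$n"
)

# Constructed sample with two deliberate mistakes (wrong service name, wrong host)
sample_props() {
  cat <<'EOF'
policymgr_external_url=http://node103.cc.local:6080
spnego_principal=HTTP/node103.cc.local@CC.LOCAL
admin_principal=ranger/node103.cc.local@CC.LOCAL
lookup_principal=rangerlookup/node101.cc.local@CC.LOCAL
EOF
}

tmp=$(mktemp); sample_props > "$tmp"
check_ranger_krb "$tmp" || echo "problems found: $?"
rm -f "$tmp"
```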
IV. Configuring Ranger Usersync
1. Edit install.properties
Change the policymgr address from the original IP to the hostname, because Kerberos authentication is bound to the hostname.
POLICY_MGR_URL = http://node103.cc.local:6080
#Set to run in kerberos environment
usersync_principal=rangerusersync/node103.cc.local@CC.LOCAL
usersync_keytab=/etc/security/keytab/ranger.keytab
hadoop_conf=/opt/hadoop/hadoop-3.3.4/etc/hadoop/
2. Re-run the installer
# ./setup.sh
[I] Successfully updated password of rangerusersync user
3. Edit ranger-ugsync-site.xml
Edit conf/ranger-ugsync-site.xml:
<property>
<name>ranger.usersync.enabled</name>
<value>true</value>
</property>
4. Start the service
# su - ranger
# ranger-usersync start
V. Configuring the HDFS plugin
1. Edit install.properties
Change the policymgr address from the original IP to the hostname, because Kerberos authentication is bound to the hostname.
POLICY_MGR_URL = http://node103.cc.local:6080
2. Re-run the installer
# ./disable-hdfs-plugin.sh
# ./enable-hdfs-plugin.sh
3. Restart the HDFS service
# start-dfs.sh
4. Configure the service in the web UI
Field | Value |
Service Name | hdfs_repo |
Display Name | hdfs_repo |
Description | -- |
Active Status | Enabled |
Tag Service | -- |
Username | hadoop |
Password | ***** |
Namenode URL | hdfs://192.168.121.101:9000,hdfs://192.168.121.102:9000,hdfs://192.168.121.103:9000 |
Authorization Enabled | true |
Authentication Type | kerberos |
hadoop.security.auth_to_local | DEFAULT |
dfs.datanode.kerberos.principal | hadoop/_HOST@CC.LOCAL |
dfs.namenode.kerberos.principal | hadoop/_HOST@CC.LOCAL |
dfs.secondary.namenode.kerberos.principal | -- |
RPC Protection Type | authentication |
Common Name for Certificate | -- |
policy.download.auth.users | hadoop |
dfs.journalnode.kerberos.principal | hadoop/_HOST@CC.LOCAL |
VI. Configuring the YARN plugin
1. Edit install.properties
Change the policymgr address from the original IP to the hostname, because Kerberos authentication is bound to the hostname.
POLICY_MGR_URL = http://node103.cc.local:6080
2. Re-run the installer
# ./disable-yarn-plugin.sh
# ./enable-yarn-plugin.sh
3. Restart the YARN service
# start-yarn.sh
4. Configure the service in the web UI
Field | Value |
Service Name | yarn_repo |
Display Name | yarn_repo |
Description | -- |
Active Status | Enabled |
Tag Service | -- |
Username | hadoop |
Password | ***** |
YARN REST URL | http://192.168.121.101:8088,http://192.168.121.102:8088 |
Authentication Type | kerberos |
Common Name for Certificate | hadoop/_HOST@CC.LOCAL |
policy.download.auth.users | hadoop |