Enabling Kerberos for Kafka
Published: 2024-11-24  Author: editor, 热门IT资讯网
Last updated by the editor: 2024-11-24
Install on the master node
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 HADOOP.COM = {
  kdc = bigdata-cdh01.kfk.com
  admin_server = bigdata-cdh01.kfk.com
 }

[domain_realm]
 .bigdata-cdh01.kfk.com = HADOOP.COM
 bigdata-cdh01.kfk.com = HADOOP.COM
cat /var/kerberos/krb5kdc/kadm5.acl
*/admin@HADOOP.COM *
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
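The two lifetime settings above (renew_lifetime in krb5.conf and max_renewable_life in kdc.conf) are not the only values that decide how long a ticket can be renewed: MIT Kerberos caps a ticket's renewable life at the smallest of the client's requested renew_lifetime, the realm's max_renewable_life, and the maxrenewlife of the krbtgt principal (and of the requesting principal itself). The following script is an added example, not part of the original post: it parses the kdc.conf duration syntax and takes the minimum over all bounds, using the values from the configuration above plus a constructed krbtgt value of 0 for the state before the `modprinc -maxrenewlife "7d"` step listed later on this page.

```shell
#!/bin/sh
# Added example (not from the original post): compute the effective renewable
# ticket lifetime for this realm. MIT Kerberos caps a ticket's renewable life at
# the smallest of the client's renew_lifetime (krb5.conf), the realm's
# max_renewable_life (kdc.conf) and the maxrenewlife of the krbtgt principal
# (and of the requesting principal). Every bound is passed as a duration string.

# Convert a Kerberos duration to seconds. Accepts the kdc.conf forms used on
# this page: "7d", "24h", "7d 0h 0m 0s", "36000" (plain seconds). The hh:mm:ss
# form is not handled here.
duration_to_seconds() {
    total=0
    for part in $1; do
        num=${part%[dhms]}                  # strip a trailing unit letter, if any
        case "$num" in
            ''|*[!0-9]*) echo "bad duration: $part" >&2; return 1 ;;
        esac
        case "$part" in
            *d) total=$(( total + num * 86400 )) ;;
            *h) total=$(( total + num * 3600 )) ;;
            *m) total=$(( total + num * 60 )) ;;
            *)  total=$(( total + num )) ;;  # seconds, with or without a trailing "s"
        esac
    done
    echo "$total"
}

# Effective renewable life in seconds = the minimum of all duration arguments.
effective_renew_seconds() {
    min=""
    for d in "$@"; do
        s=$(duration_to_seconds "$d") || return 1
        if [ -z "$min" ] || [ "$s" -lt "$min" ]; then
            min=$s
        fi
    done
    echo "$min"
}

# Bounds taken from the configuration above; the krbtgt values are constructed
# samples for the before/after of the modprinc -maxrenewlife step.
CLIENT_RENEW_LIFETIME="7d"            # krb5.conf [libdefaults] renew_lifetime
REALM_MAX_RENEWABLE="7d 0h 0m 0s"     # kdc.conf [realms] max_renewable_life
KRBTGT_BEFORE="0"                     # krbtgt maxrenewlife still 0 (constructed)
KRBTGT_AFTER="7d"                     # after: modprinc -maxrenewlife "7d" krbtgt/HADOOP.COM@HADOOP.COM

renew_before() { effective_renew_seconds "$CLIENT_RENEW_LIFETIME" "$REALM_MAX_RENEWABLE" "$KRBTGT_BEFORE"; }
renew_after()  { effective_renew_seconds "$CLIENT_RENEW_LIFETIME" "$REALM_MAX_RENEWABLE" "$KRBTGT_AFTER"; }

printf 'renewable life before modprinc: %s seconds\n' "$(renew_before)"
printf 'renewable life after modprinc:  %s seconds\n' "$(renew_after)"
```

With the krbtgt bound at 0 the result is 0 seconds, which is why `kinit -R` fails even though krb5.conf asks for 7d; after the modprinc step all three bounds agree and the full 7 days (604800 seconds) are available. To check a real principal, pass the value shown by `getprinc` as an extra argument to effective_renew_seconds.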
Create the Kerberos database
kdb5_util create -r HADOOP.COM -s
Create the Kerberos admin account
Add the Kerberos services to start at boot
systemctl enable krb5kdc
systemctl enable kadmin
systemctl start krb5kdc
systemctl start kadmin
Test the admin account
Install the client on the nodes
yum -y install krb5-libs krb5-auth-dialog krb5-workstation
Install an extra package on the master node
yum -y install openldap-clients
Copy krb5.conf to all Kerberos clients (batch copy)
scp.sh:
#!/bin/bash
# Usage: sh scp.sh <node list file> <source path> <destination directory>
# Copies the source path to every host listed in the node list file (one host per line).
for i in $(cat "$1"); do
    scp -r "$2" "$i:$3"
done
Run it as:
sh scp.sh node.list /etc/krb5.conf /etc/
Start Kerberos
Enable Kerberos for Kafka
Some krb5 commands
List principals:
kadmin.local -q "listprincs"
Delete a principal:
kadmin.local -q 'delete_principal hdfs/bigdata-cdh01.kfk.com@HADOOP.COM'
Create a principal with a specified password:
kadmin.local -q "addprinc hdfs/bigdata-cdh01.kfk.com@HADOOP.COM"
Create a principal with a randomly generated key:
kadmin.local -q "addprinc -randkey hdfs/bigdata-cdh01.kfk.com@HADOOP.COM"
Export a keytab:
kadmin.local -q "xst -k hdfs.keytab hdfs/bigdata-cdh01.kfk.com@HADOOP.COM"
Log in with the keytab:
kinit -k -t hdfs.keytab hdfs/bigdata-cdh01.kfk.com@HADOOP.COM
Check the expiration time:
kadmin.local -q 'getprinc krbtgt/HADOOP.COM@HADOOP.COM'
Change the maximum renewable lifetime:
kadmin.local -q 'modprinc -maxrenewlife "7d" krbtgt/HADOOP.COM@HADOOP.COM'
Show the contents of a keytab:
klist -e -k -t zookeeper.keytab
Export a keytab without changing the key (-norandkey keeps the existing password valid):
kadmin.local -q 'xst -k hdfs.keytab -norandkey hdfs/bigdata-cdh01.kfk.com@HADOOP.COM'
Log out (destroy the ticket cache):
kdestroy
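The supported_enctypes list in the kdc.conf above still enables single DES, 3DES and RC4 (arcfour-hmac), and a keytab exported with xst receives a key for every enabled enctype, which is exactly what `klist -e -k -t` lists. The script below is an added example, not from the original post: one helper classifies an enctype as weak and is applied both to a kdc.conf supported_enctypes line and to klist -e output. Both inputs are constructed samples embedded in the script (modelled on the kdc.conf and the zookeeper.keytab command above) so that it runs without a KDC.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak Kerberos enctypes in a
# kdc.conf supported_enctypes line and in `klist -e -k -t <keytab>` output.

# Single DES, 3DES and RC4 (arcfour) keys should not be enabled on a new KDC.
is_weak_enctype() {
    case "$1" in
        des-*|des3-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a kdc.conf on stdin and print each weak entry of supported_enctypes.
weak_from_kdc_conf() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' |
    tr -s '[:space:]' '\n' |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        enctype=${entry%%:*}                 # drop the ":normal" salt type
        if is_weak_enctype "$enctype"; then
            printf '%s\n' "$enctype"
        fi
    done
}

# Read `klist -e -k -t` output on stdin and print "principal enctype" for each
# key entry that uses a weak enctype. Key lines look like:
#    2 11/24/2024 10:00:00 zookeeper/bigdata-cdh01.kfk.com@HADOOP.COM (arcfour-hmac)
weak_from_klist() {
    while IFS= read -r line; do
        case "$line" in
            *@*"("*")") ;;                   # a key entry
            *) continue ;;                   # header, separator and blank lines
        esac
        enctype=${line##*"("}
        enctype=${enctype%")"}
        enctype=${enctype#DEPRECATED:}       # newer klist marks deprecated types
        principal=${line%%" ("*}
        principal=${principal##* }
        if is_weak_enctype "$enctype"; then
            printf '%s %s\n' "$principal" "$enctype"
        fi
    done
}

# Constructed sample inputs (modelled on the kdc.conf and the zookeeper.keytab
# command above) so the script runs without a KDC.
SAMPLE_KDC_CONF='[realms]
 HADOOP.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }'

SAMPLE_KLIST='Keytab name: FILE:zookeeper.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/24/2024 10:00:00 zookeeper/bigdata-cdh01.kfk.com@HADOOP.COM (aes256-cts-hmac-sha1-96)
   2 11/24/2024 10:00:00 zookeeper/bigdata-cdh01.kfk.com@HADOOP.COM (aes128-cts-hmac-sha1-96)
   2 11/24/2024 10:00:00 zookeeper/bigdata-cdh01.kfk.com@HADOOP.COM (arcfour-hmac)
   2 11/24/2024 10:00:00 zookeeper/bigdata-cdh01.kfk.com@HADOOP.COM (des-cbc-crc)'

# Results joined into single strings so a caller can check them.
kdc_conf_weak_list() { printf '%s\n' "$SAMPLE_KDC_CONF" | weak_from_kdc_conf | paste -s -d ' ' -; }
klist_weak_list()    { printf '%s\n' "$SAMPLE_KLIST" | weak_from_klist | paste -s -d ' ' -; }

printf 'weak enctypes enabled in kdc.conf: %s\n' "$(kdc_conf_weak_list)"
printf 'keytab entries with weak keys:     %s\n' "$(klist_weak_list)"
```

Against a live KDC the two functions are used as `weak_from_kdc_conf < /var/kerberos/krb5kdc/kdc.conf` and `klist -e -k -t hdfs.keytab | weak_from_klist`. Trimming supported_enctypes to the AES and Camellia entries before principals are created avoids the weak keys ever being written into keytabs; for keytabs that already exist, a fresh `xst` (which re-randomizes the key) is needed after the change.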