\u5728TDH\u96c6\u7fa4\u4e2d\uff0cKerberos\u662fKRB5LDAP\u4e2d\u7684\u4e00\u90e8\u5206\uff0c\u4f46Kerberos\u672c\u8eab\u4f5c\u4e3a\u4e00\u4e2a\u7f51\u7edc\u8ba4\u8bc1\u534f\u8bae\u4e5f\u6709\u81ea\u5df1\u7684\u4e00\u5957\u7ba1\u7406\u7cfb\u7edf\u3002Kerberos\u6570\u636e\u5e93\u4e2d\u5b58\u653e\u4e86\u6240\u6709principal\u548c\u5bc6\u7801\/keytab\u4fe1\u606f\uff0c\u60a8\u53ef\u4ee5\u901a\u8fc7kadmin\u6216\u8005kadmin.local\u547d\u4ee4\u884c\u6765\u8fdb\u5165Kerberos\u7ba1\u7406\u7cfb\u7edf\u6765\u7ba1\u7406\u5176\u4e2d\u7684\u4fe1\u606f\uff0c\u6bd4\u5982\u6dfb\u52a0\u548c\u5220\u9664\u7528\u6237\u3001\u4fee\u6539\u7528\u6237\u5bc6\u7801\uff0c\u751f\u6210keytab\u6587\u4ef6\u7b49\u7b49\u3002
\n\u5728 TDH 5.x \u7248\u672c\u4e2d\uff0cKerberos \u6709\u4e86\u9875\u9762\u5316\u7684\u64cd\u4f5c\u65b9\u5f0f\uff08guardian-server\uff09\uff0c\u6240\u4ee5\u5728TDH 5.x \u4e4b\u540e kadmin \u548c kadmin.local \u5df2\u7ecf\u65e0\u6cd5\u4f7f\u7528\u4e86\u3002
\n\u4f46\u662f\u5728\u914d\u7f6e\u975e TDH \u5e73\u53f0\u4e0e TDH\u5e73\u53f0\u7684 Kerberos \u4e92\u4fe1\u65f6\u9700\u8981\u767b\u5f55\u5230 Kerberos \u7ba1\u7406\u7cfb\u7edf\u6765\u6dfb\u52a0 princpal\uff0c\u6240\u4ee5\u672c\u6587\u4ecb\u7ecd\u4e00\u79cd\u5728\u6ca1\u6709kadmin\u3001kadmin.local \u547d\u4ee4\u884c\u5de5\u5177\u7684TDH \u96c6\u7fa4\u4e0a\u5982\u4f55\u767b\u5f55 Kerberos \u7ba1\u7406\u7cfb\u7edf\u6765\u7ba1\u7406\u5176\u4e2d\u7684\u4fe1\u606f\uff1b
\n\u672c\u6848\u4f8b\u73af\u5883\uff1aTDH 5.2.2\u3001guardian-5.2.2<\/p>\n
\u867d\u7136\u5728 TDH 5.x \u7248\u672c\u4e2d\uff0cKerberos \u4e0d\u5728\u63d0\u4f9b kadmin \u548c kadmin.local \u547d\u4ee4\u884c\u5de5\u5177\uff0c\u4f46\u662f\u539f\u6765\u7684 kadmin \u529f\u80fd\u8fd8\u5728\uff0c\u60a8\u53ea\u9700\u8981\u5728 guardian-apacheds \u7684 container \u4e2d\u51c6\u5907\u4e00\u4e0b kadmin \u548c kadmin.local \u547d\u4ee4\u9700\u8981\u7684 jar \u5305\uff08jar \u5305\u5728 hdfs \u7684 namenode \u4e2d\u7684\/usr\/lib\/guardian-utils\/lib\/\u4e0b\uff09\uff0c\u4ee5\u53ca\u8c03\u7528 kadmin \u529f\u80fd\u7684\u4e00\u4e2a\u547d\u4ee4\u811a\u672c\u5373\u53ef\u3002<\/p>\n
$ kubectl get pods -owide |grep namenode\nhadoop-hdfs-namenode-hdfs1-3303342286-68vxs 2\/2 Running 61 24d 172.22.22.2 tdh-02\nhadoop-hdfs-namenode-hdfs1-3303342286-6h57j 2\/2 Running 63 24d 172.22.22.1 tdh-01\n$ kubectl exec -ti hadoop-hdfs-namenode-hdfs1-3303342286-68vxs bash\nDefaulting container name to hadoop-hdfs-namenode-hdfs1.\nUse 'kubectl describe pod\/hadoop-hdfs-namenode-hdfs1-3303342286-68vxs' to see all of the containers in this pod.\n$ cd \/usr\/lib\/guardian-utils\/lib\/\n$ pwd\n\/usr\/lib\/guardian-utils\/lib<\/code><\/pre>\n<\/li>\n- kadmin \u529f\u80fd\u547d\u4ee4\u811a\u672c\n
#!\/usr\/bin\/env bash\nTRANSWARP_UTILS=\/etc\/default\/transwarp-utils\nAPACHEDS=\/etc\/guardian\nJAVA=java\n[ -e \"$TRANSWARP_UTILS\" ] && source ${TRANSWARP_UTILS}\nif [ x\"$JAVA_HOME\" != x\"\" ]; then\nJAVA=$JAVA_HOME\/bin\/java\nfi\n$JAVA -Dguardian.root.logger='INFO, RFA' -cp $APACHEDS\/conf:\/usr\/lib\/guardian\/lib\/* io.transwarp.guardian.utils.KadminShell \"$@\"<\/code><\/pre>\n<\/li>\n<\/ul>\n\u64cd\u4f5c\u6b65\u9aa4<\/h3>\n\n- \u5c06 kadmin \u548c kadmin.local \u529f\u80fd\u9700\u8981\u7684 jar \u5305 cp\u81f3 guardian-apacheds \u7684 container \u4e2d
\n-1. \u5c06 hdfs \u7684 namenode \u4e2d\u7684jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55 cp\u81f3\u5bbf\u4e3b\u673a\u5171\u4eab\u8def\u5f84\uff1b
\n-2. \u7136\u540e\u5c06\u8be5 jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55\uff0cscp \u81f3 guardian-apacheds \u6240\u5728\u7684\u670d\u52a1\u5668\uff1b
\n-3. \u5c06 guardian-apacheds \u4e0a\u7684 jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55 cp \u81f3 guardian-apacheds \u7684 container \u5171\u4eab\u8def\u5f84\uff1b<\/li>\n - \u7f16\u5199\u5e76\u4fee\u6539kadmin \u529f\u80fd\u7684\u547d\u4ee4\u811a\u672c
\n-1. \u8fdb\u5165 guardian-apacheds \u7684 container \u4e2d\uff1b
\n-2. \u7f16\u5199 kadmin.local \u811a\u672c\u5e76\u4fee\u6539\u811a\u672c\u5185\u5bb9\u4e2d\u7684 apacheds conf \u7684\u8def\u5f84\u4e3a\u5b58\u653e jar \u7684\u8def\u5f84\uff1b<\/li>\n<\/ol>\n\u51c6\u5907\u6240\u9700 jar \u5305<\/h4>\n\n- \u5c06 hdfs \u7684 namenode \u4e2d\u7684jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55 cp\u81f3\u5bbf\u4e3b\u673a\u5171\u4eab\u8def\u5f84\uff1b
\n$ cp -r \/usr\/lib\/guardian-utils\/lib\/ \/var\/log\/hdfs1\/<\/code><\/strong><\/li>\n- \u7136\u540e\u5c06\u8be5 jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55\uff0cscp \u81f3 guardian-apacheds \u6240\u5728\u7684\u670d\u52a1\u5668\uff1b<\/li>\n
- \u5c06 guardian-apacheds \u4e0a\u7684 jar \u5305\u4ee5\u53ca\u6574\u4e2a\u76ee\u5f55 cp \u81f3 guardian-apacheds \u7684 container \u5171\u4eab\u8def\u5f84
\n$ cp -r \/var\/log\/hdfs1\/lib\/ \/var\/log\/guardian\/<\/code><\/strong><\/li>\n<\/ol>\n\u7f16\u5199 kadmin.local \u811a\u672c<\/h4>\n
\u8fdb\u5165 guardian-apacheds \u7684 container \u4e2d\u7f16\u5199 kadmin.local \u811a\u672c\uff1b<\/p>\n
$ kubectl get pods -owide|grep guardian-apacheds\nguardian-apacheds-guardian-1512033472-4x9dl 1\/1 Running 3 6h 172.22.22.2 tdh-02\nguardian-apacheds-guardian-1512033472-pwk41 1\/1 Running 0 6h 172.22.22.1 tdh-01\n$ kubectl exec -ti guardian-apacheds-guardian-1512033472-4x9dl bash<\/code><\/pre>\n\u7f16\u5199 kadmin.local \u811a\u672c\u5e76\u4fee\u6539\u811a\u672c\u5185\u5bb9\u4e2d\u7684 apacheds conf \u7684\u8def\u5f84\u4e3a\u5b58\u653e jar \u7684\u8def\u5f84\uff1b
\n\u9700\u8981\u5c06\u811a\u672c\u6700\u540e\u4e00\u884c\u7684 $APACHEDS\/conf:\/usr\/lib\/guardian\/lib\/*<\/code><\/strong>\u4fee\u6539\u6210\u5b58\u653e jar \u5305\u7684\u8def\u5f84\uff1b
\n\u672c\u6848\u4f8b\u4fee\u6539\u4e3a $APACHEDS\/conf:\/var\/log\/guardian\/lib\/<\/code><\/strong>\uff0c\u5e76\u7ed9\u8be5\u811a\u672c\u6587\u4ef6\u8d4b\u4e88\u53ef\u6267\u884c\u6743\u9650chmod +x \/bin\/kadmin.local<\/code><\/strong>\uff1b<\/p>\n$ vi \/bin\/kadmin.local\n#!\/usr\/bin\/env bash\n\nTRANSWARP_UTILS=\/etc\/default\/transwarp-utils\nAPACHEDS=\/etc\/guardian\nJAVA=java\n\n[ -e \"$TRANSWARP_UTILS\" ] && source ${TRANSWARP_UTILS}\n\nif [ x\"$JAVA_HOME\" != x\"\" ]; then\n JAVA=$JAVA_HOME\/bin\/java\nfi\n\n$JAVA -Dguardian.root.logger='INFO, RFA' -cp $APACHEDS\/conf:\/var\/log\/guardian\/lib\/* io.transwarp.guardian.utils.KadminShell \"$@\"\n\n$ chmod +x \/bin\/kadmin.local <\/code><\/pre>\n\u6267\u884c kadmin.local \u9a8c\u8bc1<\/h4>\n
kadmin.local -p uid=admin,ou=system -w $ds_pw -q "listprincs"
\n\u5176\u4e2d\uff1a<\/p>\n
\n- -p\u53c2\u6570\u8868\u793a\u8fde\u63a5ApacheDS\u670d\u52a1\u7684\u7528\u6237\uff0c\u8fd9\u91cc\u662f\u56fa\u5b9a\u5199\u6cd5\uff0c\u5982\u679c\u4e0d\u6307\u5b9a\u9ed8\u8ba4\u662f\u5c31\u662f\u4f60\u5b89\u88c5Guardian\u65f6\u7684admin\u7528\u6237\uff1b<\/li>\n
- -w\u53c2\u6570\uff08$ds_pw\uff09\u8868\u793a\u8fde\u63a5ApacheDS\u670d\u52a1\u7684\u5bc6\u7801\uff08\u5c31\u662f\u4f60\u5b89\u88c5Guardian\u65f6\u7684OpenLDAP Manager\u5bc6\u7801\uff0c\u9ed8\u8ba4\u662fadmin\uff0c\u5e76\u975eGuardian admin\u5bc6\u7801\uff0c\u67e5\u770b\u65b9\u6cd5\uff1agrep ‘^admin.pw’ \/etc\/guardian\/conf\/fortress.properties\uff09\uff1b<\/li>\n
- -q\u53c2\u6570\u8868\u793a\u9700\u8981\u6267\u884c\u7684\u64cd\u4f5c\uff0c\u7528\u5f15\u53f7\u5f15\u8d77\u6765\uff0c\u5177\u4f53\u652f\u6301\u54ea\u4e9b\u64cd\u4f5c\u53ca\u5176\u5bf9\u5e94\u7528\u6cd5\u53ef\u4ee5kadmin.local -h\u67e5\u770b\uff1b<\/li>\n<\/ul>\n
$ kadmin.local -w 123456 -q \"listprincs\"\nadmin@TDH\ntdt\/tdh-02@TDH\ntdt\/tdh-01@TDH\nhive\/tdh-01@TDH\nkafka\/tdh-01@TDH\nzookeeper@TDH\nhdfs@TDH\nhttpfs@TDH\nhdfs\/tdh-01@TDH\nkrbtgt\/TDH@TDH\nyarn@TDH\nmapred@TDH\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u6982\u8981\u63cf\u8ff0 \u5728TDH\u96c6\u7fa4\u4e2d\uff0cKerberos\u662fKRB5LDAP\u4e2d\u7684\u4e00\u90e8\u5206\uff0c\u4f46Kerberos\u672c\u8eab\u4f5c\u4e3a\u4e00\u4e2a\u7f51\u7edc\u8ba4\u8bc1 ..<\/p>\n