http:\/\/wiki.transwarp.io:8090\/pages\/viewpage.action?pageId=24588058<\/a><\/p>\n\u89e3\u51b3\u65b9\u6848<\/h3>\n
\n
\u8fd9\u91cc\u4ee5realm\u4e3aTDH\u7684\u96c6\u7fa4\u4e3a\u4f8b\uff0c\u9700\u8981\u521b\u5efa\u4e00\u4e2a test000\/tdh001@TDHBAK<\/code>\u7684principal\uff0c\u5e76\u6784\u9020\u5176keytab<\/p>\n1\u3001addprinc\u521b\u5efaprincipal<\/h4>\n# \u9996\u5148\u9700\u8981\u8fdb\u5165\u5230guardian server\u7684pod\u5185\uff0c\u6211\u4eec\u7684\u811a\u672c\u5b58\u653e\u5728\/usr\/lib\/guardian\/scripts\/kadmin.guardian\n> kubectl exec -it $(kubectl get po -o wide | grep -i guardian-server | head -1 | awk '{print $1}') bash<\/code><\/pre>\n# \u6267\u884clistprincs\u8f93\u51fa\u6240\u6709principal\u4fe1\u606f\n# -w \u540e\u9762\u7684\u5bc6\u7801\uff0c\u53ef\u4ee5\u5230manager\u6570\u636e\u5e93\u5185\u6267\u884c SELECT value FROM transwarp_manager.service_config where name='guardian.ds.root.password' \u67e5\u770b\uff0c\u5e76\u4e0d\u662fadmin\u79df\u6237\u7684\u5bc6\u7801\u54e6\n\n> \/usr\/lib\/guardian\/scripts\/kadmin.guardian -H172.22.25.71 -w123456 -P8380 -T -q \"listprincs\"<\/code><\/pre>\n\u6ce8\u610f\uff1a\u4e0b\u9762\u8fd9\u6b65\u6784\u9020principal\u7684\u65f6\u5019\uff0c-rTDHBAK\uff0c\u8fd9\u91cc\u7684realm\u662f\u4f60\u671f\u671b\u6784\u9020\u7684principal\u91cc\u9762\u7684realm\u3002<\/font><\/p>\n# \u6267\u884caddprinc\u6784\u9020principal\n> \/usr\/lib\/guardian\/scripts\/kadmin.guardian -H172.22.25.71 -w123456 -P8380 -rTDHBAK -T -q \"addprinc -pw 123456 test000\/tdh001\"<\/code><\/pre>\n\u53ef\u4ee5\u901a\u8fc7 kadmin.guardian -help<\/code> \u6216\u8005kadmin.guardian -h<\/code>\u67e5\u770b\u4f7f\u7528\u8bf4\u660e<\/p>\n -b The zookeeper parent znode for HA, guardian is default\n -d The suffix of the ds server, such as dc=tdh\n -H The host of ds server, the default is localhost\n -P The port of ds server, the default is 10389\n -p The dn used to connect to the ds server, such as\n uid=admin,ou=system\n -Q The zookeeper quorum for HA\n -q The kadmin query, must be xst, addprinc, listprincs, addent\n -r The realm of the kerberos, such as TDH\n -T Whether TLS should be used\n -w The password used to connect to the ds server<\/code><\/pre>\n# \u9a8c\u8bc1principal\u662f\u5426\u6dfb\u52a0\u6210\u529f\n> \/usr\/lib\/guardian\/scripts\/kadmin.guardian -H172.22.25.71 -w123456 -P8380 -T -q \"listprincs\" | grep 'test000\/tdh001@TDHBAK'<\/code><\/pre>\n2\u3001xst -k \u751f\u6210keytab\u6587\u4ef6<\/h4>\n
\u6ce8\u610f\uff0c-rTDH\uff0c\u8fd9\u4e2arealm\u4f7f\u7528\u7684\u662f\u4f60\u5f53\u524d\u96c6\u7fa4\u7684realm\u3002 <\/font><\/p>\n\u4e0b\u9762\u7684xst\u547d\u4ee4\u91cc\u9762\u4e0d\u9700\u8981\u5199realm\uff08\u5426\u5219\u6709\u53ef\u80fd\u62a5\u9519principal\u627e\u4e0d\u5230\uff09\uff0c\u56e0\u4e3a\u5bf9\u4e8eprincipal\u6765\u8bf4test000\/tdh001\u662f\u552f\u4e00\u7684\u3002<\/font><\/p>\n[root@jiujiu-tdh-71 scripts]# \/usr\/lib\/guardian\/scripts\/kadmin.guardian -w123456 -rTDH -T -q\"xst -k \/tmp\/test000.keytab test000\/tdh001\"\n[root@jiujiu-tdh-71 scripts]# ls \/tmp\/test000.keytab \n\/tmp\/test000.keytab\n\n# \u6821\u9a8ckeytab\u4e2d\u7684principal\u4fe1\u606f\n[root@jiujiu-tdh-71 scripts]# klist -ket \/tmp\/test000.keytab\nKeytab name: FILE:\/tmp\/test000.keytab\nKVNO Timestamp Principal\n---- ------------------- ------------------------------------------------------\n 0 10\/12\/2021 10:42:21 test000\/tdh001@TDHBAK (aes128-cts-hmac-sha1-96) \n 0 10\/12\/2021 10:42:21 test000\/tdh001@TDHBAK (aes256-cts-hmac-sha1-96) \n 0 10\/12\/2021 10:42:21 test000\/tdh001@TDHBAK (DEPRECATED:des3-hmac-sha1) \n 0 10\/12\/2021 10:42:21 test000\/tdh001@TDHBAK (DEPRECATED:des-cbc-md5) \n 0 10\/12\/2021 10:42:21 test000\/tdh001@TDHBAK (DEPRECATED:arcfour-hmac) \n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u80cc\u666f \u8d8a\u6765\u8d8a\u591a\u7684\u73b0\u573a\u9700\u6c42\u5bf9\u63a5\u5f00\u6e90\u7684\u4ea7\u54c1\uff0c\u6bd4\u5982Spark\u3001presto\u7b49\uff0c\u5982\u679c\u96c6\u7fa4\u5f00\u4e86Guardian\u5b89\u5168\uff0c\u8fd9\u4e9b ..<\/p>\n
<\/div>\n
Read more<\/a><\/p>\n","protected":false},"author":12,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[38],"tags":[],"class_list":["post-6509","post","type-post","status-publish","format-standard","hentry","category-configuration"],"acf":[],"_links":{"self":[{"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/posts\/6509","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6509"}],"version-history":[{"count":4,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/posts\/6509\/revisions"}],"predecessor-version":[{"id":17621,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=\/wp\/v2\/posts\/6509\/revisions\/17621"}],"wp:attachment":[{"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6509"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6509"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kbwp.transwarp.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6509"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}