CDH Hands-on: Configuring Kerberos Service High Availability (Part 1)
Prerequisites
1. The primary Kerberos KDC is already installed and integrated with CDH.
2. Install the Kerberos packages on the standby node:
yum -y install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
Note: only install the packages at this point; do not configure or start the services yet.
3. Operations on the primary Kerberos node
1. Edit /etc/krb5.conf and add the standby KDC as a second kdc entry under the [realms] section. Leave admin_server pointing at the primary only: kadmind, and therefore every password change or principal update, must go to the master whose database is then propagated to the standby.
2. Distribute the modified /etc/krb5.conf to the same path on every Kerberos client node in the cluster.
3. Save the configuration, then restart the krb5kdc and kadmin services:
systemctl restart krb5kdc
systemctl restart kadmin
4. Create the principals used for master/standby propagation and generate keytabs for them:
kadmin.local -q "addprinc -randkey host/cm01.pbwear.com@PBWEAR.COM"
kadmin.local -q "addprinc -randkey host/cm02.pbwear.com@PBWEAR.COM"
kadmin.local -q "ktadd host/cm01.pbwear.com@PBWEAR.COM"
kadmin.local -q "ktadd host/cm02.pbwear.com@PBWEAR.COM"
The propagation principals are created with random keys (-randkey), and ktadd writes their keys into a keytab; by default that is /etc/krb5.keytab, and each further ktadd appends to the same file. kprop authenticates to the standby as host/<primary fqdn> and kpropd on the standby accepts the connection as host/<standby fqdn>, which is why both host principals are needed. The keytab now holds the long-term keys of both hosts, so keep it owned by root with mode 0600.
5. Copy the following files to the corresponding directories on the standby Kerberos server:
(1) krb5.conf and krb5.keytab from /etc to /etc on the standby server.
(2) .k5.PBWEAR.COM (the master key stash file, named .k5.<REALM>), kadm5.acl and kdc.conf from /var/kerberos/krb5kdc to /var/kerberos/krb5kdc on the standby server. The stash file is what lets the standby KDC open the propagated database, which is encrypted under the master key, so it must travel over an authenticated, encrypted channel (scp here) and keep its root-only permissions (scp -p preserves them).
root@cm01.pbwear.com:/root>scp -P 60094 -rp /etc/krb5.keytab cm02.pbwear.com:/etc/
root@cm01.pbwear.com:/var/kerberos/krb5kdc>scp -rp -P 60094 .k5.PBWEAR.COM kadm5.acl kdc.conf cm02.pbwear.com:/var/kerberos/krb5kdc
4. Operations on the standby Kerberos node
1. Declare the principals allowed to push a database: add them to /var/kerberos/krb5kdc/kpropd.acl (create the file if it does not exist). kpropd rejects a propagation from any principal not listed here.
root@cm02.pbwear.com:/var/kerberos/krb5kdc>cat kpropd.acl
host/cm01.pbwear.com@PBWEAR.COM
host/cm02.pbwear.com@PBWEAR.COM
2. Start the kprop service (kpropd) and enable it at boot:
systemctl enable kprop
systemctl start kprop
5. Propagate the database from the primary to the standby
1. On the primary, export the Kerberos database with kdb5_util:
root@cm01.pbwear.com:/var/kerberos/krb5kdc>kdb5_util dump /var/kerberos/krb5kdc/master.dump
A successful dump produces two files, master.dump and master.dump.dump_ok; the .dump_ok marker is what tells kprop that the dump is complete. The dump contains every principal's key material (encrypted under the master key), so it must stay readable by root only.
2. On the primary, push master.dump to the standby with kprop (754 is the default kprop port, -d turns on debug output):
root@cm01.pbwear.com:/var/kerberos/krb5kdc>kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 cm02.pbwear.com
32768 bytes sent.
47445 bytes sent.
Database propagation to cm02.pbwear.com: SUCCEEDED
The final line "Database propagation to cm02.pbwear.com: SUCCEEDED" indicates the transfer completed. The transfer is authenticated with the host principals created above and encrypted with the session key from that authentication, so the database never crosses the network in the clear.
3. Check /var/kerberos/krb5kdc on the standby node.
After a successful propagation the directory on the standby contains the received dump and the principal database that kpropd loaded from it with kdb5_util load.
6. Configure a cron job on the primary node to propagate the database periodically
root@cm01.pbwear.com:/var/kerberos/krb5kdc>cat kprop_sync.sh
#!/bin/bash
# Dump the KDC database on the primary and push it to the standby with kprop.
DUMP="/var/kerberos/krb5kdc/master.dump"
PORT=754
SLAVE="cm02.pbwear.com"
TIMESTAMP=$(date)
echo "Start at $TIMESTAMP"
# Abort if the dump fails so a stale or partial dump is never propagated.
/usr/sbin/kdb5_util dump "$DUMP" || { echo "kdb5_util dump failed"; exit 1; }
# kprop prints its progress and the final SUCCEEDED/FAILED line to the log.
/usr/sbin/kprop -f "$DUMP" -d -P "$PORT" "$SLAVE"
Configure the scheduled job (stderr is redirected as well so failures are recorded):
*/3 * * * * /usr/bin/sh /var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate 2>&1
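The following is an added example, not code from the original post, CDH or MIT krb5. It gathers the pieces of the procedure above (the [realms] stanza from step 3.1, the stash file name from step 3.5, kpropd.acl from step 4.1 and the dump-and-push of steps 5 and 6) into shell functions that can be checked before anything is pushed to the cluster, and adds the checks the cron script lacks: it refuses to send a dump whose .dump_ok marker is missing, keeps the dump root-only, and returns kprop's real outcome as its exit status. The realm, hostnames and port are the ones used in the post; KDC_DIR and the file names are the MIT krb5 defaults on RHEL/CentOS; LOG and the script path in the cron comment are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): helper functions for the
# primary/standby KDC setup. REALM, hostnames and port are the post's values;
# KDC_DIR and file names are MIT krb5 defaults on RHEL/CentOS; LOG is assumed.
set -u

REALM="PBWEAR.COM"
PRIMARY="cm01.pbwear.com"
STANDBY="cm02.pbwear.com"
KDC_DIR="/var/kerberos/krb5kdc"
KPROP_PORT=754
LOG="$KDC_DIR/kprop.log"   # assumed log location

# [realms] stanza for /etc/krb5.conf (step 3.1): both KDCs are listed so
# clients fail over to the standby, but admin_server stays on the primary,
# because only the master database accepts changes.
realms_stanza() {
    cat <<EOF
[realms]
  $REALM = {
    kdc = $PRIMARY
    kdc = $STANDBY
    admin_server = $PRIMARY
  }
EOF
}

# Count the "kdc =" lines inside one realm block read from stdin; a quick
# check that the standby really was added before the file is distributed.
count_kdcs() {
    awk -v realm="$1" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                  { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="   { n++ }
        END { print n + 0 }'
}

# kpropd.acl for the standby (step 4.1): only these principals may push.
kpropd_acl() {
    printf 'host/%s@%s\nhost/%s@%s\n' "$PRIMARY" "$REALM" "$STANDBY" "$REALM"
}

# The stash file is named after the realm, .k5.<REALM> (step 3.5).
stash_file() {
    printf '%s/.k5.%s\n' "$KDC_DIR" "$REALM"
}

# True only when kprop's final status line (read from stdin) reports success.
kprop_succeeded() {
    grep -q "^Database propagation to $STANDBY: SUCCEEDED$"
}

# Dump and push (steps 5 and 6): never send a dump whose .dump_ok marker is
# missing, keep the dump root-only, log kprop's output, return its outcome.
propagate() {
    dump="$KDC_DIR/master.dump"
    rm -f "$dump" "$dump.dump_ok"
    if ! /usr/sbin/kdb5_util dump "$dump"; then
        echo "$(date): kdb5_util dump failed" >> "$LOG"
        return 1
    fi
    if [ ! -f "$dump.dump_ok" ]; then
        echo "$(date): dump incomplete, not propagating" >> "$LOG"
        return 1
    fi
    chmod 600 "$dump"
    out=$(/usr/sbin/kprop -f "$dump" -P "$KPROP_PORT" "$STANDBY" 2>&1)
    printf '%s: %s\n' "$(date)" "$out" >> "$LOG"
    printf '%s\n' "$out" | kprop_succeeded
}

# Run from cron on the primary, e.g. (hypothetical path):
#   */3 * * * * /usr/local/sbin/kprop_ha.sh propagate
if [ "${1:-}" = "propagate" ]; then
    propagate
fi
```

realms_stanza and kpropd_acl print the fragments to review or redirect into the real files; count_kdcs can be pointed at the live /etc/krb5.conf (count_kdcs PBWEAR.COM < /etc/krb5.conf) to confirm the standby entry is present on each client before relying on failover. propagate is the cron entry point: because it exits non-zero on a failed dump, a missing .dump_ok, or a kprop run whose status line is not SUCCEEDED, cron's mail or a wrapper can alert on a standby that has silently fallen behind.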