This is the fifth day of my participation in the November Gwen Challenge. Check out the details: The last Gwen Challenge 2021
Preface
Recently I have been in contact with many students working in data warehousing, and Kerberos is a knowledge point they need to be literate in. Kerberos authentication is a solution for permission authentication in big data. So what is Kerberos?
Kerberos Overview
Kerberos is a computer network authentication protocol used to securely authenticate communicating parties over an insecure network. The name also refers to the software suite developed by the Massachusetts Institute of Technology (MIT) that implements the protocol. The software uses a client/server (CS) architecture and supports mutual authentication: the client and the server authenticate each other. It protects against eavesdropping and replay attacks and protects data integrity. It is a key management system built on symmetric-key cryptography.
Basic Concepts of Kerberos
1. KDC: the Key Distribution Center; it manages ticket issuance and records authorizations.
2. Realm: the authentication domain served by a KDC; it is the part of a principal name after the @.
3. Principal: each time a user or service is added, a principal is added to the KDC. A principal has the form principal name/instance name@realm.
4. Principal name: the first component of a principal. It can be a user name or a service name; a service name indicates that the principal provides a network service such as HDFS, YARN or Hive.
Kerberos Authentication Principle
Deployment case based on Kerberos security authentication
1. Kerberos Deployment
1.1 Installation
Install the server package on the Kerberos primary node:
```bash
yum install krb5-server -y
```
1.2 Configuration Files
The KDC server has three configuration files:
```bash
# Present on every node in the cluster; its contents must be kept in sync
/etc/krb5.conf
# KDC configuration on the primary server
/var/kerberos/krb5kdc/kdc.conf
# Access control list for kadmin: who may add and remove principals from the
# Kerberos database without direct access to the KDC console (needs extra configuration)
/var/kerberos/krb5kdc/kadm5.acl
```
- Modify /etc/krb5.conf
- Modify /var/kerberos/krb5kdc/kdc.conf
- Create /var/kerberos/krb5kdc/kadm5.acl
1.4 Creating a Kerberos Database
The database lives in /var/kerberos/krb5kdc; if you need to rebuild it, delete the principal files in that directory first.
```bash
kdb5_util create -r EXAMPLE.COM -s
```
-r specifies the realm name that was configured; -s stores the master key in a stash file so the KDC can start without prompting for it (keep that file readable only by root).
Creating the database can be slow because it waits for entropy; running a load-generating command in another shell, such as cat /dev/vda > /dev/urandom, speeds up the collection of random numbers. The command creates the principal database in the /var/kerberos/krb5kdc/ directory.
1.5 Starting the Service
```bash
chkconfig --level 35 krb5kdc on
chkconfig --level 35 kadmin on
systemctl start krb5kdc
systemctl start kadmin
```
1.6 Creating a Kerberos Administrator
When prompted, set the password to root.
```bash
kadmin.local -q "addprinc admin/admin"
```
When the second component (the instance) of a principal's name is admin, the principal has administrative privileges, because the stock kadm5.acl rule grants all permissions to */admin@EXAMPLE.COM. CDH uses this account to generate the principals of other users and services.
1.7 Testing Kerberos
```bash
# List all principals in the Kerberos database
kadmin.local -q "list_principals"
# Add a user principal; you will be prompted for its password
kadmin.local -q "addprinc dy"
# Authenticate as that user and obtain a ticket; you will be prompted for the password
kinit dy
# Show the tickets held by the current user
klist
# Renew the ticket
kinit -R
# Destroy the current tickets
kdestroy
# Delete the user principal
kadmin.local -q "delprinc dy"
```
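Since kadm5.acl is what decides who may administer the KDC database through kadmin, it is worth auditing what it actually grants once the deployment above is done. The following POSIX shell helper is an added example, not code from the original post: SAMPLE_ACL, kadm5_acl_allows and kadm5_acl_creators are names chosen here, and the ACL contents are constructed sample data whose first rule is the stock one shipped with krb5-server.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kadm5.acl file.
# kadm5.acl line format:  principal  permissions  [target_principal]
# Each component of a principal (primary, instance, realm) may be the wildcard "*".
# Permission letters: a(add) d(delete) m(modify) c(changepw) i(inquire) l(list)
# p(dump) s(setkey); "*" or "x" grants everything.

# Constructed sample ACL. The first rule is the stock one from krb5-server and is
# the reason admin/admin has full rights; the rest are invented for illustration.
SAMPLE_ACL='
# constructed sample kadm5.acl
*/admin@EXAMPLE.COM   *
hdfs@EXAMPLE.COM      il
ops@EXAMPLE.COM       adm
*@EXAMPLE.COM         i
'

# kadm5_acl_allows ACL_TEXT PRINCIPAL LETTER
# Exit 0 if some entry grants permission LETTER to PRINCIPAL, 1 otherwise.
# Matching is component-wise with "*" as a whole-component wildcard; the optional
# target-principal field is ignored in this simplified check.
kadm5_acl_allows() {
    printf '%s\n' "$1" | awk -v who="$2" -v want="$3" '
        function same(pat, name,   pp, np, n, i) {
            gsub(/@/, "/", pat); gsub(/@/, "/", name)   # treat realm as a component
            n = split(pat, pp, "/")
            if (n != split(name, np, "/")) return 0    # different shape: no match
            for (i = 1; i <= n; i++)
                if (pp[i] != "*" && pp[i] != np[i]) return 0
            return 1
        }
        /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
        same($1, who) && ($2 ~ /[*x]/ || index($2, want)) { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# kadm5_acl_creators ACL_TEXT
# Print "pattern<TAB>permissions" for every entry that can create principals
# (letter a, or everything): each of these should be justifiable one by one.
kadm5_acl_creators() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $2 ~ /[*xa]/ { print $1 "\t" $2 }'
}
```

Run it against a real file with `kadm5_acl_creators "$(cat /var/kerberos/krb5kdc/kadm5.acl)"`; entries with `*` or `x` that are not the admin instance rule deserve a second look.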