• 授權(quán)添加yarn賬戶?

[root@xxx ~]# kadmin.local Authenticating as principal cloudera-scm/admin@JAST.COM with password. kadmin.local: addprinc yarn@JAST.COM WARNING: no policy specified for yarn@JAST.COM; defaulting to no policy Enter password for principal "yarn@JAST.COM": Re-enter password for principal "yarn@JAST.COM": Principal "yarn@JAST.COM" created. kadmin.local: exit

• ?查看當(dāng)前系統(tǒng)使用的Kerberos賬戶

#使用的 cloudera-scm [root@xxx ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: cloudera-scm/admin@IZHONGHONG.COMValid starting Expires Service principal 2019-08-06T14:45:54 2019-08-07T14:45:54 krbtgt/JAST.COM@JAST.COMrenew until 2019-08-13T14:45:54

注意：這里?Expires 是過期時(shí)間，即我們使用kinit 授權(quán)時(shí)候是有有效期的?

有效期設(shè)置對(duì)應(yīng)配置文件? /etc/krb5.conf 中的?ticket_lifetime = 24h 參數(shù) （修改時(shí)服務(wù)端與客戶端同時(shí)修改）

• 退出授權(quán) -?kdestroy

[root@ecs-dbtest-0003 kerberos]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin/admin@JAST.COMValid starting Expires Service principal 10/17/2019 10:17:27 10/18/2019 10:17:27 krbtgt/JAST.COM@JAST.COMrenew until 10/24/2019 10:17:27 [root@ecs-dbtest-0003 kerberos]# kdestroy [root@ecs-dbtest-0003 kerberos]# klist klist: No credentials cache found (filename: /tmp/krb5cc_0)

• 使用Kerberos賬戶

[root@xxx ~]# kinit yarn #這里yarn是通過 kadmin.local addprinc yarn@JAST.COM 創(chuàng)建的 Password for yarn@JAST.COM: #這里輸入密碼

然后使用root用戶讀/寫/執(zhí)行hdfs權(quán)限即為yarn用戶

[root@xxx ~]# hdfs dfs -put index.html /tmp [root@xxx ~]# hdfs dfs -ls /tmp Found 6 items drwxrwxrwx - hdfs supergroup 0 2019-08-06 15:56 /tmp/.cloudera_health_monitoring_canary_files drwxr-xr-x - yarn supergroup 0 2019-07-17 09:37 /tmp/hadoop-yarn drwx--x--x - hbase supergroup 0 2019-07-01 13:37 /tmp/hbase-staging drwx-wx-wx - hive supergroup 0 2019-07-02 16:16 /tmp/hive -rw-r--r-- 2 yarn supergroup 2381 2019-08-06 15:57 /tmp/index.html drwxrwxrwt - mapred hadoop 0 2019-07-18 21:38 /tmp/logs

• 創(chuàng)建keytab文件

[root@xxx jast]# kadmin.local -q "xst -norandkey -k hdfs.keytab hdfs@JAST.COM" Authenticating as principal hdfs/admin@JAST.COM with password. Entry for principal hdfs@JAST.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:hdfs.keytab. Entry for principal hdfs@JAST.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:hdfs.keytab.

• 命令行使用keytab?

[root@xxx jast]# kinit -kt hdfs.keytab hdfs@JAST.COM [root@xxx jast]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs@JAST.COMValid starting Expires Service principal 2019-08-07T13:35:19 2019-08-08T13:35:19 krbtgt/JAST.COM@JAST.COMrenew until 2019-08-14T13:35:19

?

創(chuàng)建keytab不同用戶，即便密碼相同，也不可共用keytab

[root@xxx jast]# kinit -kt hdfs.keytab yarn@JAST.COM kinit: Keytab contains no suitable keys for yarn@JAST.COM while getting initial credentials

?

• 合并多個(gè) keytab 為一個(gè) keytab

[root@xxx jast]# ktutil ktutil: rkt hdfs.keytab #讀取多個(gè)keytab ktutil: rkt yarn.keytab ktutil: wkt hdfs-nb.keytab #合并為一個(gè)hdfs-nb.keytab ， 即這個(gè)文件可以使用 hdfs 和yarn 的keytab ktutil: exit

在當(dāng)前目錄可以看到生成的 hdfs-nb.keytab

驗(yàn)證：

[root@xxx jast]# kinit -kt hdfs.keytab yarn@JAST.COM #使用hdfs的keytab，登錄yarn用戶，報(bào)錯(cuò) kinit: Keytab contains no suitable keys for yarn@JAST.COM while getting initial credentials [root@xxx jast]# kinit -kt hdfs-nb.keytab yarn@JAST.COM #使用合并的keytab，登錄yarn用戶，成功 [root@xxx jast]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: yarn@JAST.COMValid starting Expires Service principal 2019-08-07T13:43:06 2019-08-08T13:43:06 krbtgt/JAST.COM@JAST.COMrenew until 2019-08-14T13:43:06 [root@xxx jast]# kinit -kt hdfs-nb.keytab hdfs@JAST.COM #使用合并的keytab，登錄hdfs用戶，成功 [root@xxx jast]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hdfs@JAST.COMValid starting Expires Service principal 2019-08-07T13:44:19 2019-08-08T13:44:19 krbtgt/JAST.COM@JAST.COMrenew until 2019-08-14T13:44:19

• 查看keytab內(nèi)容

[root@xxx jast]# klist -k -e hdfs.keytab Keytab name: FILE:hdfs.keytab KVNO Principal ---- --------------------------------------------------------------------------1 hdfs@JAST.COM (aes256-cts-hmac-sha1-96) 1 hdfs@JAST.COM (aes128-cts-hmac-sha1-96) 1 hdfs@JAST.COM (des3-cbc-sha1) 1 hdfs@JAST.COM (arcfour-hmac) 1 hdfs@JAST.COM (camellia256-cts-cmac) 1 hdfs@JAST.COM (camellia128-cts-cmac) 1 hdfs@JAST.COM (des-hmac-sha1) 1 hdfs@JAST.COM (des-cbc-md5) [root@fwqml006 jast]# klist -k -e hdfs-nb.keytab Keytab name: FILE:hdfs-nb.keytab KVNO Principal ---- --------------------------------------------------------------------------1 hdfs@JAST.COM (aes256-cts-hmac-sha1-96) 1 hdfs@JAST.COM (aes128-cts-hmac-sha1-96) 1 hdfs@JAST.COM (des3-cbc-sha1) 1 hdfs@JAST.COM (arcfour-hmac) 1 hdfs@JAST.COM (camellia256-cts-cmac) 1 hdfs@JAST.COM (camellia128-cts-cmac) 1 hdfs@JAST.COM (des-hmac-sha1) 1 hdfs@JAST.COM (des-cbc-md5) 1 yarn@JAST.COM (aes256-cts-hmac-sha1-96) 1 yarn@JAST.COM (aes128-cts-hmac-sha1-96) 1 yarn@JAST.COM (des3-cbc-sha1) 1 yarn@JAST.COM (arcfour-hmac) 1 yarn@JAST.COM (camellia256-cts-cmac) 1 yarn@JAST.COM (camellia128-cts-cmac) 1 yarn@JAST.COM (des-hmac-sha1) 1 yarn@JAST.COM (des-cbc-md5)

• spark授權(quán) 啟動(dòng)指定keytab

spark-submit --principal hdfs@JAST.COM --keytab hdfs-nb.keytab --jars $(echo lib/*.jar | tr ' ' ',') --class com.jast.test.Test data-filter-1.0-SNAPSHOT.jar

?

總結(jié)

以上是生活随笔為你收集整理的Kerberos 基本命令 - 持续更新的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。