0. 环境

1 台Centos7主机 部署 master KDC
2 台 Centos7主机 部署 Kerberos Client

1. Master主机安装Kerberos

yum install krb5-server krb5-libs krb5-workstation -y

1.1 配置kdc.conf

vim /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOP.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

说明：

• HADOOP.COM:是设定的realms。名字随意。Kerberos可以支持多个realms，一般全用大写
• master_key_type，supported_enctypes默认使用aes256-cts。由于，JAVA使用aes256-cts验证方式需要安装额外的jar包，这里暂不使用
• acl_file:标注了admin的用户权限。文件格式是
  Kerberos_principal permissions [target_principal] [restrictions]支持通配符等
• admin_keytab:KDC进行校验的keytab
• supported_enctypes:支持的校验方式。注意把aes256-cts去掉

1.2 配置krb5.conf

vim /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 120
 udp_preference_limit = 1
[realms]
 HADOOP.COM = {
  kdc = node-1
  admin_server = node-1
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM

说明：

• [logging]：表示server端的日志的打印位置
• udp_preference_limit = 1 禁止使用udp可以防止一个Hadoop中的错误
• ticket_lifetime： 表明凭证生效的时限，一般为24小时。
• renew_lifetime： 表明凭证最长可以被延期的时限，一般为一个礼拜。当凭证过期之后，对安全认证的服务的后续访问则会失败。
• clockskew：时钟偏差是不完全符合主机系统时钟的票据时戳的容差，超过此容差将不接受此票据，单位是秒

1.3 初始化kerberos database

kdb5_util create -s -r HADOOP.COM

其中，[-s]表示生成stash file，并在其中存储master server key（krb5kdc）；还可以用[-r]来指定一个realm name —— 当krb5.conf中定义了多个realm时才是必要的。

1.4 修改database administrator的ACL权限

vim /var/kerberos/krb5kdc/kadm5.acl
#修改如下
*/admin@HADOOP.COM  *

kadm5.acl 文件更多内容可参考：kadm5.acl
想要管理 KDC 的资料库有两种方式， 一种直接在 KDC 本机上面直接执行，可以不需要密码就登入资料库管理；一种则是需要输入账号密码才能管理～这两种方式分别是：

• kadmin.local：需要在 KDC server 上面操作，无需密码即可管理资料库
• kadmin：可以在任何一台 KDC 领域的系统上面操作，但是需要输入管理员密码

1.5 启动kerberos daemons

systemctl start kadmin krb5kdc
systemctl enable kadmin krb5kdc

2. 在另外两台主机部署Kerberos Client

yum install krb5-workstation krb5-libs -y
#从master主机复制krb5.conf到这两台主机
scp /etc/krb5.conf node-2:/etc/krb5.conf
scp /etc/krb5.conf node-3:/etc/krb5.conf

3. kerberos的日常操作

先配置下root/admin密码

[root@node-1 ~]# kadmin.local
Authenticating as principal root/admin@HADOOP.COM with password.
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@HADOOP.COM; defaulting to no policy
Enter password for principal "root/admin@HADOOP.COM": 
Re-enter password for principal "root/admin@HADOOP.COM": 
Principal "root/admin@HADOOP.COM" created.
kadmin.local:  listprincs
K/M@HADOOP.COM
kadmin/admin@HADOOP.COM
kadmin/changepw@HADOOP.COM
kadmin/instance-ay8h77o0-1@HADOOP.COM
kiprop/instance-ay8h77o0-1@HADOOP.COM
krbtgt/HADOOP.COM@HADOOP.COM
root/admin@HADOOP.COM
kadmin.local:  exit

新加用户hd1：

[root@node-3 ~]# kadmin
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM: 
kadmin:  addprinc hd1
WARNING: no policy specified for hd1@HADOOP.COM; defaulting to no policy
Enter password for principal "hd1@HADOOP.COM": 
Re-enter password for principal "hd1@HADOOP.COM": 
Principal "hd1@HADOOP.COM" created.
kadmin:  exit

注：输入？，可以查看所有命令的用法

kadmin.local:  ?
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy

用hd1登录：

[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM: 
[root@node-3 ~]# klist
# 查看已授权列表
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd1@HADOOP.COM

Valid starting       Expires              Service principal
07/12/2018 17:27:32  07/13/2018 17:27:32  krbtgt/HADOOP.COM@HADOOP.COM
    renew until 07/19/2018 17:27:32

删除当前的认证的缓存

[root@node-3 ~]# kdestroy

强制更新ticket

kinit -R

使用keytab

生成keytab

kadmin.local -q "xst  -k keytab/hd1.keytab  hd1@HADOOP.COM"
or
kadmin -q "xst  -k keytab/hd1.keytab  hd1@HADOOP.COM"

注意：生成keytab后，密码被修改了，无法再用之前输入密码登录了
如果想要密码不变，需要按照以下方式做，必须是kadmin.local

[root@node-1 ~]# kadmin.local -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"

否则

[root@node-3 ~]# kadmin -q "xst -k keytab/hd6.keytab -norandkey hd6@HADOOP.COM"
Authenticating as principal root/admin@HADOOP.COM with password.
Password for root/admin@HADOOP.COM: 
kadmin: Operation requires ``extract-keys'' privilege while changing hd6@HADOOP.COM's key

[root@node-3 ~]# kinit hd1
Password for hd1@HADOOP.COM: 
kinit: Password incorrect while getting initial credentials

登录

[root@node-3 ~]# kinit -kt keytab/hd3.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COM

Valid starting       Expires              Service principal
07/12/2018 18:24:43  07/13/2018 18:24:43  krbtgt/HADOOP.COM@HADOOP.COM
    renew until 07/19/2018 18:24:43

合并keytab文件

[root@node-3 ~]# ktutil
ktutil:  ?
Available ktutil requests:

clear_list, clear        Clear the current keylist.
read_kt, rkt             Read a krb5 keytab into the current keylist.
read_st, rst             Read a krb4 srvtab into the current keylist.
write_kt, wkt            Write the current keylist to a krb5 keytab.
write_st, wst            Write the current keylist to a krb4 srvtab.
add_entry, addent        Add an entry to the current keylist.
delete_entry, delent     Delete an entry from the current keylist.
list, l                  List the current keylist.
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.
ktutil:  rkt keytab/hd2.keytab
ktutil:  rkt keytab/hd3.keytab 
ktutil:  wkt keytab/hd23.keytab
ktutil:  exit

#使用合并后的keytab登录
[root@node-3 ~]# kinit -kt keytab/hd23.keytab hd3
[root@node-3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hd3@HADOOP.COM

Valid starting       Expires              Service principal
07/12/2018 18:30:27  07/13/2018 18:30:27  krbtgt/HADOOP.COM@HADOOP.COM
    renew until 07/19/2018 18:30:27

可以查看keytab文件内容

[root@node-3 ~]# klist -ket  keytab/hd23.keytab 
Keytab name: FILE:keytab/hd23.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (aes128-cts-hmac-sha1-96) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (des3-cbc-sha1) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (arcfour-hmac) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia256-cts-cmac) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (camellia128-cts-cmac) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-hmac-sha1) 
   2 07/12/2018 18:28:33 hd2@HADOOP.COM (des-cbc-md5) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (aes128-cts-hmac-sha1-96) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (des3-cbc-sha1) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (arcfour-hmac) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia256-cts-cmac) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (camellia128-cts-cmac) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-hmac-sha1) 
   2 07/12/2018 18:28:33 hd3@HADOOP.COM (des-cbc-md5) 

References

• https://www.cnblogs.com/xiaodf/p/5968178.html
• http://linux.vbird.org/linux_enterprise/kerberos.php#2.1
• http://blog.javachen.com/2014/11/04/config-kerberos-in-cdh-hdfs.html
• https://blog.csdn.net/wulantian/article/details/42418231
• https://www.jianshu.com/p/2039fe8c62a1