Kerberos 基本命令 - 持续更新

  • 授权添加yarn账户 
[root@xxx ~]# kadmin.local 
Authenticating as principal cloudera-scm/admin@JAST.COM with password.
kadmin.local:  addprinc yarn@JAST.COM
WARNING: no policy specified for yarn@JAST.COM; defaulting to no policy
Enter password for principal "yarn@JAST.COM": 
Re-enter password for principal "yarn@JAST.COM": 
Principal "yarn@JAST.COM" created.
kadmin.local:  exit
  •  查看当前系统使用的Kerberos账户
#使用的 cloudera-scm
[root@xxx ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/admin@IZHONGHONG.COM

Valid starting       Expires              Service principal
2019-08-06T14:45:54  2019-08-07T14:45:54  krbtgt/JAST.COM@JAST.COM
	renew until 2019-08-13T14:45:54

注意:这里 Expires 是过期时间,即我们使用kinit 授权时候是有有效期的 

有效期设置对应配置文件  /etc/krb5.conf 中的 ticket_lifetime = 24h 参数 (修改时服务端与客户端同时修改)

  • 退出授权 - kdestroy
[root@ecs-dbtest-0003 kerberos]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@JAST.COM

Valid starting       Expires              Service principal
10/17/2019 10:17:27  10/18/2019 10:17:27  krbtgt/JAST.COM@JAST.COM
        renew until 10/24/2019 10:17:27
[root@ecs-dbtest-0003 kerberos]# kdestroy
[root@ecs-dbtest-0003 kerberos]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
  • 使用Kerberos账户
[root@xxx ~]# kinit yarn #这里yarn是通过 kadmin.local  addprinc yarn@JAST.COM 创建的
Password for yarn@JAST.COM:   #这里输入密码

然后使用root用户读/写/执行hdfs权限即为yarn用户

[root@xxx ~]# hdfs dfs -put index.html /tmp
[root@xxx ~]# hdfs dfs -ls /tmp
Found 6 items
drwxrwxrwx   - hdfs   supergroup          0 2019-08-06 15:56 /tmp/.cloudera_health_monitoring_canary_files
drwxr-xr-x   - yarn   supergroup          0 2019-07-17 09:37 /tmp/hadoop-yarn
drwx--x--x   - hbase  supergroup          0 2019-07-01 13:37 /tmp/hbase-staging
drwx-wx-wx   - hive   supergroup          0 2019-07-02 16:16 /tmp/hive
-rw-r--r--   2 yarn   supergroup       2381 2019-08-06 15:57 /tmp/index.html
drwxrwxrwt   - mapred hadoop              0 2019-07-18 21:38 /tmp/logs
  • 创建keytab文件
[root@xxx jast]# kadmin.local -q "xst -norandkey -k hdfs.keytab hdfs@JAST.COM"
Authenticating as principal hdfs/admin@JAST.COM with password.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type camellia256-cts-cmac added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type camellia128-cts-cmac added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:hdfs.keytab.
Entry for principal hdfs@JAST.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:hdfs.keytab.
  • 命令行使用keytab 
[root@xxx jast]# kinit -kt hdfs.keytab hdfs@JAST.COM
[root@xxx jast]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@JAST.COM

Valid starting       Expires              Service principal
2019-08-07T13:35:19  2019-08-08T13:35:19  krbtgt/JAST.COM@JAST.COM
	renew until 2019-08-14T13:35:19

 

创建keytab不同用户,即便密码相同,也不可共用keytab

[root@xxx jast]# kinit -kt hdfs.keytab yarn@JAST.COM
kinit: Keytab contains no suitable keys for yarn@JAST.COM while getting initial credentials

 

  • 合并多个 keytab 为一个 keytab
[root@xxx jast]# ktutil
ktutil:  rkt hdfs.keytab  #读取多个keytab
ktutil:  rkt yarn.keytab  
ktutil:  wkt hdfs-nb.keytab #合并为一个hdfs-nb.keytab , 即这个文件可以使用 hdfs 和yarn 的keytab
ktutil:  exit

在当前目录可以看到生成的 hdfs-nb.keytab

验证:

[root@xxx jast]# kinit -kt hdfs.keytab yarn@JAST.COM   #使用hdfs的keytab,登录yarn用户,报错
kinit: Keytab contains no suitable keys for yarn@JAST.COM while getting initial credentials
[root@xxx jast]# kinit -kt hdfs-nb.keytab yarn@JAST.COM #使用合并的keytab,登录yarn用户,成功
[root@xxx jast]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: yarn@JAST.COM

Valid starting       Expires              Service principal
2019-08-07T13:43:06  2019-08-08T13:43:06  krbtgt/JAST.COM@JAST.COM
	renew until 2019-08-14T13:43:06
[root@xxx jast]# kinit -kt hdfs-nb.keytab hdfs@JAST.COM  #使用合并的keytab,登录hdfs用户,成功
[root@xxx jast]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs@JAST.COM

Valid starting       Expires              Service principal
2019-08-07T13:44:19  2019-08-08T13:44:19  krbtgt/JAST.COM@JAST.COM
	renew until 2019-08-14T13:44:19
  • 查看keytab内容
[root@xxx jast]# klist -k -e hdfs.keytab 
Keytab name: FILE:hdfs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 hdfs@JAST.COM (aes256-cts-hmac-sha1-96) 
   1 hdfs@JAST.COM (aes128-cts-hmac-sha1-96) 
   1 hdfs@JAST.COM (des3-cbc-sha1) 
   1 hdfs@JAST.COM (arcfour-hmac) 
   1 hdfs@JAST.COM (camellia256-cts-cmac) 
   1 hdfs@JAST.COM (camellia128-cts-cmac) 
   1 hdfs@JAST.COM (des-hmac-sha1) 
   1 hdfs@JAST.COM (des-cbc-md5) 
[root@fwqml006 jast]# klist -k -e hdfs-nb.keytab
Keytab name: FILE:hdfs-nb.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 hdfs@JAST.COM (aes256-cts-hmac-sha1-96) 
   1 hdfs@JAST.COM (aes128-cts-hmac-sha1-96) 
   1 hdfs@JAST.COM (des3-cbc-sha1) 
   1 hdfs@JAST.COM (arcfour-hmac) 
   1 hdfs@JAST.COM (camellia256-cts-cmac) 
   1 hdfs@JAST.COM (camellia128-cts-cmac) 
   1 hdfs@JAST.COM (des-hmac-sha1) 
   1 hdfs@JAST.COM (des-cbc-md5) 
   1 yarn@JAST.COM (aes256-cts-hmac-sha1-96) 
   1 yarn@JAST.COM (aes128-cts-hmac-sha1-96) 
   1 yarn@JAST.COM (des3-cbc-sha1) 
   1 yarn@JAST.COM (arcfour-hmac) 
   1 yarn@JAST.COM (camellia256-cts-cmac) 
   1 yarn@JAST.COM (camellia128-cts-cmac) 
   1 yarn@JAST.COM (des-hmac-sha1) 
   1 yarn@JAST.COM (des-cbc-md5) 
  • spark授权 启动指定keytab
spark-submit --principal hdfs@JAST.COM --keytab hdfs-nb.keytab --jars $(echo lib/*.jar | tr ' ' ',') --class com.jast.test.Test data-filter-1.0-SNAPSHOT.jar 

 

已标记关键词 清除标记
相关推荐
使用kinit -k -t的时候提示: [root@xyfengkong joindomain]# kinit -k -t fengkong.keytab fengkong kinit: Keytab contains no suitable keys for fengkong@JRTEST.LOCAL while getting initial credentialsgkong.jrtest.local@JRTEST.LOCAL AdminServer.log: while getting initial credentials javax.security.auth.login.LoginException: weblogic.security.spi.IdentityAssertionException: com.bea.security.utils.kerberos.KerberosException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) at com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(ChallengeIdentityAssertionServiceImpl.java:128) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57) at com.sun.proxy.$Proxy18.assertChallengeIdentity(Unknown Source) at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.assertChallengeContext(NegotiateIdentityAsserterServiceImpl.java:327) at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl$NegotiateHandler.process(NegotiateIdentityAsserterServiceImpl.java:212) at com.bea.common.security.internal.service.NegotiateIdentityAsserterServiceImpl.process(NegotiateIdentityAsserterServiceImpl.java:130) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57) at com.sun.proxy.$Proxy19.process(Unknown Source) at weblogic.security.providers.authentication.NegotiateIdentityAsserterServletAuthenticationFilter.doFilter(NegotiateIdentityAsserterServletAuthenticationFilter.java:33) at weblogic.servlet.security.internal.AuthFilterChain.doFilter(AuthFilterChain.java:34) at weblogic.servlet.security.internal.WebAppSecurity$ServletAuthenticationFilterAction.run(WebAppSecurity.java:887) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57) at weblogic.servlet.security.internal.WebAppSecurity.invokeAuthFilterChain(WebAppSecurity.java:828) at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:87) at weblogic.servlet.security.internal.SecurityModule.checkAccess(SecurityModule.java:95) at weblogic.servlet.security.internal.SecurityModule.isAuthorized(SecurityModule.java:543) at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:499) at weblogic.servlet.security.internal.WebAppSecurity.checkAccess(WebAppSecurity.java:463) at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2119) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513) at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256) at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
©️2020 CSDN 皮肤主题: 创作都市 设计师:CSDN官方博客 返回首页