Prerequisites
FreeIPA dual-master high-availability cluster deployed
Hadoop 3.x HA cluster deployed
Hadoop 3.x integrated with Kerberos
Install the IPA client on the knox host
Configure the fully qualified domain name
hostnamectl set-hostname knox.tobehacker.com
Configure time synchronization (Kerberos rejects tickets when clocks drift too far apart)
yum -y install ntpdate
ntpdate ntp1.aliyun.com
echo "*/10 * * * * /usr/sbin/ntpdate time1.aliyun.com" >> /var/spool/cron/root
timedatectl set-timezone Asia/Shanghai
hwclock --systohc
Add DNS resolution
vim /etc/sysconfig/network-scripts/ifcfg-ens33
Append the IPA DNS servers
DNS1=192.168.18.151
DNS2=192.168.18.152
Install the IPA client
yum -y install freeipa-client
sudo ipa-client-install --mkhomedir --no-ntp --enable-dns-updates --principal=admin --password=admin123456
Create the knox user in the ipa1 web UI and add it to the bigdata group
Initialize the knox user on the knox host (obtain a TGT)
kinit knox
Give the knox user ownership of /opt/bigdata/knox
chown -R knox:bigdata /opt/bigdata/knox
Add the knox service principal
Log in to the ipa1 host
kinit admin
Add the service principal
sudo ipa service-add knox/knox.tobehacker.com@TOBEHACKER.COM
Generate the keytab for the knox service principal (note that ipa-getkeytab creates a new key by default, which invalidates any keytab previously issued for that principal; use -r to retrieve the existing key instead)
ipa-getkeytab -s ipa1.tobehacker.com -p knox/knox.tobehacker.com@TOBEHACKER.COM -k /etc/security/keytabs/knox.keytab
Copy the knox.keytab generated on ipa1 to the knox host
scp /etc/security/keytabs/knox.keytab knox@knox:/opt/bigdata/knox/knox-2.0.0/conf/
Add the HTTP/knox.tobehacker.com@TOBEHACKER.COM service principal
Create the HTTP/knox.tobehacker.com@TOBEHACKER.COM service principal on ipa1 (this is the principal used for SPNEGO)
sudo ipa service-add HTTP/knox.tobehacker.com@TOBEHACKER.COM
Generate the keytab for the HTTP service principal
ipa-getkeytab -s ipa1.tobehacker.com -p HTTP/knox.tobehacker.com@TOBEHACKER.COM -k /etc/security/keytabs/knox.spnego.keytab
Copy the knox.spnego.keytab generated on ipa1 to the knox host
scp /etc/security/keytabs/knox.spnego.keytab knox@knox:/opt/bigdata/knox/knox-2.0.0/conf/
Configuration file changes
Download address for all configuration files: click to download
krb5JAASLogin.conf
Copy the template /opt/bigdata/knox/knox-2.0.0/templates/krb5JAASLogin.conf into the /opt/bigdata/knox/knox-2.0.0/conf/ directory
cp /opt/bigdata/knox/knox-2.0.0/templates/krb5JAASLogin.conf /opt/bigdata/knox/knox-2.0.0/conf/
Edit krb5JAASLogin.conf as follows. Note that Krb5LoginModule only uses the keytab when it contains the configured principal: the keytab generated above holds knox/knox.tobehacker.com@TOBEHACKER.COM, so with principal="knox@TOBEHACKER.COM" the login falls back on the ticket cache filled by kinit knox (useTicketCache=true), which expires; configure the service principal here if dispatch must keep working without a manual kinit.
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
renewTGT=true
doNotPrompt=true
useKeyTab=true
keyTab="/opt/bigdata/knox/knox-2.0.0/conf/knox.keytab"
principal="knox@TOBEHACKER.COM"
isInitiator=true
storeKey=true
useTicketCache=true
client=true;
};
gateway-site.xml
Path: /opt/bigdata/knox/knox-2.0.0/conf/gateway-site.xml
Enable Kerberos authentication
<property>
<name>gateway.hadoop.kerberos.secured</name>
<value>true</value>
</property>
The user that starts Knox must have read permission on both files referenced below
<property>
<name>java.security.krb5.conf</name>
<value>/etc/krb5.conf</value>
</property>
<property>
<name>java.security.auth.login.config</name>
<value>/opt/bigdata/knox/knox-2.0.0/conf/krb5JAASLogin.conf</value>
</property>
Enter the user group bigdata here (members of this group get Knox admin access)
<property>
<name>gateway.knox.admin.groups</name>
<value>bigdata</value>
</property>
The properties below essentially mirror the user/group mapping settings in Hadoop's core-site.xml.
Explanation: the aim is to drop Knox's built-in LDAP server and use FreeIPA's LDAP instead. To query that directory Knox needs an account that can access it (a bind user): FreeIPA's LDAP does not allow anonymous access by default, so an existing FreeIPA user must be configured in order to perform user and group searches and mapping. Hadoop was already set up with the ldapbind user, so the same user is used here, as the property names suggest. Note that with a simple bind over ldap:// on port 389 this user's password crosses the network in cleartext.
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.user</name>
<value>uid=ldapbind,cn=users,cn=accounts,dc=tobehacker,dc=com</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.bind.password</name>
<value>admin123456</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.url</name>
<value>ldap://ipa1.tobehacker.com:389</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.base</name>
<value>dc=tobehacker,dc=com</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.user</name>
<value>(&amp;(objectClass=posixAccount)(uid={0}))</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.search.filter.group</name>
<value>(objectClass=posixGroup)</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.member</name>
<value>member</value>
</property>
<property>
<name>gateway.group.config.hadoop.security.group.mapping.ldap.search.attr.group.name</name>
<value>cn</value>
</property>
Pay attention to the following settings; they restrict the backend hosts Knox will dispatch to for the listed services, which matters when a request carries its target in a parameter such as the host= used in the tests below, so keep the whitelist tight:
- gateway.dispatch.whitelist.services # the proxied services the whitelist applies to, e.g. YARNUI
- gateway.dispatch.whitelist # the whitelisted hosts
bdha.xml changes
Path: /opt/bigdata/knox/knox-2.0.0/conf/topologies/bdha.xml; bdha is the name of the Hadoop cluster environment (the topology)
vim /opt/bigdata/knox/knox-2.0.0/conf/topologies/bdha.xml
Modify the following parameters
<param>
<name>sessionTimeout</name>
<value>10080</value>
</param>
<param>
<name>main.ldapRealm.userDnTemplate</name>
<value>uid={0},cn=users,cn=accounts,dc=tobehacker,dc=com</value>
</param>
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://ipa1.tobehacker.com:389</value>
</param>
default-providers.json changes
Path: /opt/bigdata/knox/knox-2.0.0/conf/shared-providers/default-providers.json
sessionTimeout is in minutes (10080 = 7 days)
{
"providers": [
{
"role": "authentication",
"name": "ShiroProvider",
"enabled": "true",
"params": {
"sessionTimeout": "10080",
"main.ldapRealm": "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
"main.ldapContextFactory": "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
"main.ldapRealm.contextFactory": "$ldapContextFactory",
"main.ldapRealm.userDnTemplate": "uid={0},cn=users,cn=accounts,dc=tobehacker,dc=com",
"main.ldapRealm.contextFactory.url": "ldap://ipa1.tobehacker.com:389",
"main.ldapRealm.contextFactory.authenticationMechanism": "simple",
"urls./**": "authcBasic"
}
}
]
}
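Before restarting the gateway it is worth checking the DN template and LDAP URL against FreeIPA's directory layout. The script below is an added example (not part of the post or of Knox itself); it runs on constructed copies of the two files and assumes the base DN dc=tobehacker,dc=com used throughout this post.

```python
# Added example (not from the original post): lint the LDAP settings Knox will use
# against FreeIPA's layout (users live under cn=users,cn=accounts,<base>) before
# starting the gateway; one wrong RDN such as dc=accounts makes every login a 401.
import json
import xml.etree.ElementTree as ET

USER_CONTAINER = "cn=users,cn=accounts,dc=tobehacker,dc=com"   # assumed base DN
GROUP_PREFIX = "gateway.group.config.hadoop.security.group.mapping.ldap."

def check_user_dn_template(template):
    """Problems with a Shiro userDnTemplate such as uid={0},cn=users,..."""
    rdns = [r.strip().lower() for r in template.split(",")]
    problems = []
    if rdns[0] != "uid={0}":
        problems.append("userDnTemplate must start with uid={0}")
    if rdns[1:] != USER_CONTAINER.split(","):
        problems.append("user container must be " + USER_CONTAINER + ", got " + ",".join(rdns[1:]))
    return problems

def check_ldap_url(url):
    """A simple bind over ldap:// sends the bind password in cleartext."""
    return ["use ldaps:// (or StartTLS) instead of " + url] if url.startswith("ldap://") else []

def check_providers_json(text):
    """Check the ShiroProvider params of default-providers.json."""
    problems = []
    for provider in json.loads(text)["providers"]:
        if provider.get("role") == "authentication":
            params = provider["params"]
            problems += check_user_dn_template(params.get("main.ldapRealm.userDnTemplate", ""))
            problems += check_ldap_url(params.get("main.ldapRealm.contextFactory.url", ""))
    return problems

def check_gateway_site(text):
    """Check the group-mapping properties of gateway-site.xml."""
    props = {p.findtext("name"): p.findtext("value", "") for p in ET.fromstring(text).iter("property")}
    problems = check_ldap_url(props.get(GROUP_PREFIX + "url", ""))
    if props.get(GROUP_PREFIX + "bind.password"):
        problems.append("bind password is stored in cleartext in gateway-site.xml")
    if not props.get(GROUP_PREFIX + "bind.user", "").lower().endswith(USER_CONTAINER):
        problems.append("bind user is not under " + USER_CONTAINER)
    return problems

# Constructed samples: the dc=accounts slip, a plain ldap:// URL and a cleartext bind password.
SAMPLE_PROVIDERS = json.dumps({"providers": [{"role": "authentication", "name": "ShiroProvider",
    "params": {"main.ldapRealm.userDnTemplate": "uid={0},cn=users,dc=accounts,dc=tobehacker,dc=com",
               "main.ldapRealm.contextFactory.url": "ldap://ipa1.tobehacker.com:389"}}]})
SAMPLE_GATEWAY_SITE = "<configuration>" + "".join(
    "<property><name>%s%s</name><value>%s</value></property>" % (GROUP_PREFIX, k, v)
    for k, v in [("url", "ldap://ipa1.tobehacker.com:389"),
                 ("bind.user", "uid=ldapbind," + USER_CONTAINER),
                 ("bind.password", "admin123456")]) + "</configuration>"
```

Run check_providers_json and check_gateway_site on the real files (read with open().read()) and fix every reported problem before starting the gateway.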
Test by accessing the Knox homepage
Address:
Entering the username and password returns a 401 Unauthorized
Resolution step 1: log in with MIT Kerberos on the client PC
Resolution step 2: configure Firefox's advanced options
Add the knox.tobehacker.com domain to the two options below
TODO: knox troubleshooting;
On the knox host, call WebHDFS directly with the knox user's ticket cache (this checks Kerberos against Hadoop before involving Knox):
curl -i --negotiate -u knox: "http://master.tobehacker.com:9870/webhdfs/v1?op=LISTSTATUS"
Test whether the Knox proxy service works (-k skips TLS certificate verification, acceptable for a first test only):
curl -i -k --negotiate -u knox: "https://knox.tobehacker.com:8443/gateway/bdha/hdfs/?host=http://master.tobehacker.com:9870/webhdfs/v1?op=LISTSTATUS"
Test 2, saving the session cookie to the jar c.txt. In the transcript below, -u knox : was typed with a space, so curl treated the lone colon as a second URL; that is where the "Could not resolve host" line comes from, after which the real URL goes through the 401/200 Negotiate exchange and Knox sets the hadoop.auth cookie.
curl -c c.txt -i -k --negotiate -u knox : "https://knox.tobehacker.com:8443/gateway/bdha/hdfs/?host=http://master.tobehacker.com:9870/webhdfs/v1?op=LISTSTATUS"
Enter host password for user 'knox':
curl: (6) Could not resolve host: ; Unknown error
HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=gateway/bdha; Domain=tobehacker.com; Secure; HttpOnly
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html;charset=iso-8859-1
Content-Length: 441
HTTP/1.1 200 OK
Date: Sun, 23 Apr 2023 02:44:26 GMT
WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCaqL9JGA0KTARTX9oqqKJy/jNDNrBSarqwNH4ePakx+MNxNcTPaJDwznRyAyrPqKtlON+yNHNvimA7wU2Ou4W5eLC
Set-Cookie: hadoop.auth="u=knox&p=knox@TOBEHACKER.COM&t=kerberos&e=1682219666195&s=/9qE8N3T0DJ0ropIAmRBJ8dC4Djs/RVnWB3RpwRT9dA="; Path=gateway/bdha; Domain=tobehacker.com; Secure; HttpOnly
Date: Sun, 23 Apr 2023 02:44:24 GMT
Cache-Control: no-cache
Expires: Sun, 23 Apr 2023 02:44:24 GMT
Date: Sun, 23 Apr 2023 02:44:24 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
{"FileStatuses":{"FileStatus":[
{"accessTime":1681890748936,"blockSize":134217728,"childrenNum":0,"fileId":16386,"group":"bigdata","length":8008518,"modificationTime":1681715245612,"owner":"hadoop","pathSuffix":"linux内核完全注释.pdf","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},
{"accessTime":1681884542907,"blockSize":134217728,"childrenNum":0,"fileId":16387,"group":"supergroup","length":6805,"modificationTime":1681884543929,"owner":"hadoop","pathSuffix":"logo-halo.png","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"}
]}}
[knox@knox logs]$ cat c.txt
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_.tobehacker.com TRUE gateway/bdha TRUE 0 hadoop.auth "u=knox&p=knox@TOBEHACKER.COM&t=kerberos&e=1682219666195&s=/9qE8N3T0DJ0ropIAmRBJ8dC4Djs/RVnWB3RpwRT9dA="
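The hadoop.auth cookie that c.txt now holds is a signed bearer token for the Knox session. The Python below is an added example (not from the original post); it decodes the value shown above from a constructed cookie-jar line and derives the session window from the 200 response's Date header.

```python
# Added example (not from the original post): decode the hadoop.auth cookie that
# Knox's SPNEGO (HadoopAuth) provider sets after the Negotiate exchange, as saved
# in c.txt above. The value is a signed bearer token: u=<short name>, p=<principal>,
# t=<auth type>, e=<expiry in epoch ms> and s=<keyed signature (HMAC-SHA256 in
# current Hadoop) over the part before "&s=", computed with the gateway's secret>.
# Whoever holds c.txt can reuse the session until e= passes, so the jar deserves
# the same protection as a ticket cache.
from datetime import datetime, timezone
from urllib.parse import parse_qsl

# Constructed from the c.txt line in the post, with the tab separators of the
# Netscape cookie-jar format restored; "#HttpOnly_" is libcurl's marker prefix.
COOKIE_JAR_LINE = ("#HttpOnly_.tobehacker.com\tTRUE\tgateway/bdha\tTRUE\t0\thadoop.auth\t"
                   '"u=knox&p=knox@TOBEHACKER.COM&t=kerberos&e=1682219666195'
                   '&s=/9qE8N3T0DJ0ropIAmRBJ8dC4Djs/RVnWB3RpwRT9dA="')

def parse_cookie_jar_line(line):
    """Split one cookie-jar line into its seven tab-separated fields."""
    http_only = line.startswith("#HttpOnly_")
    fields = (line[len("#HttpOnly_"):] if http_only else line).split("\t")
    domain, _subdomains, path, secure, _expires, name, value = fields
    return {"domain": domain, "path": path, "secure": secure == "TRUE",
            "http_only": http_only, "name": name, "value": value.strip('"')}

def parse_hadoop_auth(value):
    """Decode the token fields; verifying s= itself needs the gateway's secret."""
    fields = dict(parse_qsl(value, keep_blank_values=True))
    return {"user": fields["u"], "principal": fields["p"], "type": fields["t"],
            "expires": datetime.fromtimestamp(int(fields["e"]) / 1000, tz=timezone.utc),
            "signed": bool(fields.get("s")), "signed_string": value.rsplit("&s=", 1)[0]}

def is_expired(token, now):
    """True once the validity window (e=) has passed; the gateway then demands a new Negotiate."""
    return now >= token["expires"]

def lifetime_seconds(token, issued_at):
    """Length of the validity window, given the Date header of the 200 response."""
    return int((token["expires"] - issued_at).total_seconds())
```

With the Date header from the transcript (02:44:26 GMT) the token expires 1800 seconds later, i.e. the gateway issued a 30-minute session.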
Second way of calling it: replay the hadoop.auth cookie saved in c.txt with -b. The cookie is what authenticates this request; WWW-Authenticate is a response header (the server's mutual-authentication token), so sending it back as a request header has no effect.
curl -b c.txt -k -i -H 'WWW-Authenticate: Negotiate YGoGCSqGSIb3EgECAgIAb1swWaADAgEFoQMCAQ+iTTBLoAMCARKiRARCaqL9JGA0KTARTX9oqqKJy/jNDNrBSarqwNH4ePakx+MNxNcTPaJDwznRyAyrPqKtlON+yNHNvimA7wU2Ou4W5eLC' "https://knox.tobehacker.com:8443/gateway/bdha/hdfs/?host=http://master.tobehacker.com:9870/webhdfs/v1?op=LISTSTATUS"
HTTP/1.1 200 OK
Date: Sun, 23 Apr 2023 02:46:16 GMT
Date: Sun, 23 Apr 2023 02:46:16 GMT
Cache-Control: no-cache
Expires: Sun, 23 Apr 2023 02:46:16 GMT
Date: Sun, 23 Apr 2023 02:46:16 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
{"FileStatuses":{"FileStatus":[
{"accessTime":1681890748936,"blockSize":134217728,"childrenNum":0,"fileId":16386,"group":"bigdata","length":8008518,"modificationTime":1681715245612,"owner":"hadoop","pathSuffix":"linux内核完全注释.pdf","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"},
{"accessTime":1681884542907,"blockSize":134217728,"childrenNum":0,"fileId":16387,"group":"supergroup","length":6805,"modificationTime":1681884543929,"owner":"hadoop","pathSuffix":"logo-halo.png","permission":"644","replication":3,"storagePolicy":0,"type":"FILE"}
]}}
Corrected form (the user is written as knox: with no space, so curl does not treat the colon as a second URL; --location-trusted keeps sending the credentials across redirects):
curl -i -k --negotiate -u knox: --location-trusted "https://knox.tobehacker.com:8443/gateway/bdha/hdfs/?host=http://master.tobehacker.com:9870/webhdfs/v1?op=LISTSTATUS"
References
Official guide: gateway-site.xml configuration
Official guide: configuring Kerberos for Knox
Configuring multiple LDAP URLs for high availability (1)
Configuring multiple LDAP URLs for high availability (2)