Kerberos高可用
文章目录
-
-
- 1.备节点安装Kerberos服务
- 2. 修改主节点配置
- 3. 备节点配置
- 4. 节点数据同步至备节点
- 5. 节点数据同步至备节点
- 6. 配置主节点crontab任务定时同步数据
-
1.备节点安装Kerberos服务
cdh001(192.168.159.100)已经装好了主Kerberos服务
现在在cdh002(191.168.159.101)安装备Kerberos服务
先安装服务,暂不做配置
[root@cdh002 ~]# yum install -y krb5-server openldap-clients krb5-workstation krb5-libs
2. 修改主节点配置
- 修改cdh001机器/etc/krb5.conf的配置文件,在realms配置下增加备Kerberos的配置
[realms]
DEJIN.COM = {
kdc = cdh001
admin_server = cdh001
kdc = cdh002
admin_server = cdh002
}
- 将修改后的/etc/krb5.conf文件同步到集群的所有Kerberos客户端节点相应目录
[root@cdh001 ~]# pscp -h /node.list /etc/krb5.conf /etc/
[1] 17:17:11 [SUCCESS] [email protected]:22
[2] 17:17:11 [SUCCESS] [email protected]:22
[3] 17:17:11 [SUCCESS] [email protected]:22
- 保存配置,然后重启krb5kdc和kadmin服务
[root@cdh001 ~]# systemctl restart krb5kdc
[root@cdh001 ~]# systemctl restart kadmin
- 创建主从同步账号,并为账号生成keytab文件
kadmin.local
kadmin.local: addprinc -randkey host/cdh001
kadmin.local: addprinc -randkey host/cdh002
kadmin.local: ktadd host/cdh001
kadmin.local: ktadd host/cdh002
[root@cdh001 ~]# kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc -randkey host/cdh001
WARNING: no policy specified for host/[email protected]; defaulting to no policy
Principal "host/[email protected]" created.
kadmin.local: addprinc -randkey host/cdh002
WARNING: no policy specified for host/[email protected]; defaulting to no policy
Principal "host/[email protected]" created.
kadmin.local: ktadd host/cdh001
Entry for principal host/cdh001 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh001 with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local: ktadd host/cdh002
Entry for principal host/cdh002 with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type camellia256-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type camellia128-cts-cmac added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des-hmac-sha1 added to keytab FILE:/etc/krb5.keytab.
Entry for principal host/cdh002 with kvno 2, encryption type des-cbc-md5 added to keytab FILE:/etc/krb5.keytab.
kadmin.local:
使用随机生成秘钥的方式创建同步账号,并使用ktadd命令生成同步账号的keytab文件,默认文件生成在/etc/krb5.keytab下,生成多个账号则在krb5.keytab基础上追加。
- 复制以下文件到备Kerberos服务器相应目录
/etc/krb5.conf
/etc/krb5.keytab
/var/kerberos/krb5kdc/.k5.DEJIN.COM
/var/kerberos/krb5kdc/kadm5.acl
/var/kerberos/krb5kdc/kdc.conf
[root@cdh001 ~]# scp /etc/krb5.conf /etc/krb5.keytab cdh002:/etc/
[root@cdh001 ~]# cd /var/kerberos/krb5kdc
[root@cdh001 krb5kdc]# scp .k5.DEJIN.COM kadm5.acl kdc.conf cdh002:/var/kerberos/krb5kdc/
3. 备节点配置
- 需要申明用来同步的用户,在/var/kerberos/krb5kdc/kpropd.acl配置文件中添加对应账户,如果配置文件不存在则新增
[root@cdh002 ~]# cat /var/kerberos/krb5kdc/kpropd.acl
host/[email protected]
host/[email protected]
- 启动kprop服务并加入系统自启动
[root@cdh002 ~]# systemctl enable kprop
Created symlink from /etc/systemd/system/multi-user.target.wants/kprop.service to /usr/lib/systemd/system/kprop.service.
[root@cdh002 ~]# systemctl start kprop
[root@cdh002 ~]# systemctl status kprop
● kprop.service - Kerberos 5 Propagation
Loaded: loaded (/usr/lib/systemd/system/kprop.service; enabled; vendor preset: disabled)
Active: active (running) since 日 2020-12-27 17:47:03 CST; 10s ago
Process: 20906 ExecStart=/usr/sbin/_kpropd $KPROPD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 20911 (kpropd)
Tasks: 1
CGroup: /system.slice/kprop.service
└─20911 /usr/sbin/kpropd
12月 27 17:47:03 cdh002 systemd[1]: Starting Kerberos 5 Propagation...
12月 27 17:47:03 cdh002 systemd[1]: Started Kerberos 5 Propagation.
备节点上已经准备好数据传输。接下来在主节点上使用kdb5_util将Kerberos库导出,然后通过kprop命令向备节点同步数据。
4. 节点数据同步至备节点
- 在主节点上使用kdb5_util命令导出Kerberos数据库文件
[root@cdh001 krb5kdc]# kdb5_util dump /var/kerberos/krb5kdc/master.dump
导出成功后生成master.dump和master.dump.dump_ok两个文件。
- 在主节点上使用kprop命令将master.dump文件同步至备节点
[root@cdh001 krb5kdc]# kprop -f /var/kerberos/krb5kdc/master.dump -d -P 754 cdh002
32768 bytes sent.
40455 bytes sent.
Database propagation to cdh002: SUCCEEDED
备节点上查看
[root@cdh002 krb5kdc]# ll
总用量 96
-rw------- 1 root root 40455 12月 27 18:31 from_master
-rw------- 1 root root 20 12月 27 18:23 kadm5.acl
-rw------- 1 root root 482 12月 27 18:23 kdc.conf
-rw-r--r-- 1 root root 44 12月 27 18:29 kpropd.acl
-rw------- 1 root root 36864 12月 27 18:31 principal
-rw------- 1 root root 8192 12月 27 18:31 principal.kadm5
-rw------- 1 root root 0 12月 27 18:31 principal.kadm5.lock
-rw------- 1 root root 0 12月 27 18:31 principal.ok
5. 节点数据同步至备节点
- 在备节点上测试同步过来的数据是否能启动Kerberos,krb5kdc服务
[root@cdh002 krb5kdc]# systemctl start krb5kdc
[root@cdh002 krb5kdc]# systemctl status krb5kdc
● krb5kdc.service - Kerberos 5 KDC
Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2020-12-27 18:36:06 CST; 9s ago
Process: 9810 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=0/SUCCESS)
Main PID: 9817 (krb5kdc)
Tasks: 1
CGroup: /system.slice/krb5kdc.service
└─9817 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
12月 27 18:36:06 cdh002 systemd[1]: Starting Kerberos 5 KDC...
12月 27 18:36:06 cdh002 systemd[1]: Started Kerberos 5 KDC.
[root@cdh002 krb5kdc]# kadmin.local
Authenticating as principal dejin/[email protected] with password.
kadmin.local: listprincs
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
K/[email protected]
admin/[email protected]
cloudera-scm/[email protected]
[email protected]
hbase/[email protected]
hbase/[email protected]
hbase/[email protected]
hdfs/[email protected]
- 在备节点上验证kadmin服务是否正常
kadmin.local: addprinc test
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
- kill主服务的krb5kdc服务和kadmin 服务进行验证
[root@cdh001 krb5kdc]# ps -ef |grep krb5
root 119669 1 0 18:17 ? 00:00:00 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
root 125422 100883 0 18:41 pts/2 00:00:00 grep --color=auto krb5
[root@cdh001 krb5kdc]# kill -9 119669
[root@cdh001 krb5kdc]# ps -ef | grep kadmin
root 119695 1 0 18:17 ? 00:00:00 /usr/sbin/kadmind -P /var/run/kadmind.pid
root 125686 100883 0 18:42 pts/2 00:00:00 grep --color=auto kadmin
[root@cdh001 krb5kdc]# kill -9 119695
- 在备用服务器上服务依旧正常,可以正常添加凭证
[root@cdh002 krb5kdc]# kadmin.local
Authenticating as principal dejin/[email protected] with password.
kadmin.local: addprinc test2
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
kadmin.local: listprincs
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]
K/[email protected]
admin/[email protected]
- 并且在其他客户端节点初始化刚新增的凭证正常
[root@cdh003 ~]# kinit test2
Password for [email protected]:
[root@cdh003 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
2020-12-27T18:50:56 2020-12-28T18:50:56 krbtgt/[email protected]
renew until 2021-01-03T18:50:56
6. 配置主节点crontab任务定时同步数据
- 编写同步脚本
[root@cdh001 krb5kdc]# vim /var/kerberos/krb5kdc/kprop_sync.sh
#!/bin/bash
DUMP=/var/kerberos/krb5kdc/master.dump
PORT=754
SLAVE="cdh002"
TIMESTAMP=`date`
echo "Start at $TIMESTAMP"
sudo kdb5_util dump $DUMP
sudo kprop -f $DUMP -d -P $PORT $SLAVE
- 赋予kprop_sync.sh脚本可执行权限,并测试
[root@cdh001 krb5kdc]# chmod 700 /var/kerberos/krb5kdc/kprop_sync.sh
[root@cdh001 krb5kdc]# sh /var/kerberos/krb5kdc/kprop_sync.sh
Start at 2020年 12月 27日 星期日 19:06:55 CST
32768 bytes sent.
41520 bytes sent.
Database propagation to cdh002: SUCCEEDED
- 配置crontab任务
crontab的使用链接
[root@cdh001 ~]# crontab -e
0 * * * * root/var/kerberos/krb5kdc/kprop_sync.sh >/var/kerberos/krb5kdc/lastupdate
以上命令表示每小时的第0分钟执行kprop_sync.sh,并将输出写到lastupdate文件
退出并保存,启动服务并设置开机启动
[root@cdh001 ~]# systemctl enable crond
[root@cdh001 ~]# systemctl start crond