
How to Configure HDFS Security Settings on CentOS

小樊
2025-12-09 22:22:46
Category: Intelligent Operations

Configuring security for HDFS (the Hadoop Distributed File System) on CentOS involves several steps: enabling Kerberos authentication, turning on HDFS permission checking, and setting up SSL/TLS encryption. The following is a basic guide:

1. Install and configure Kerberos

Kerberos is the foundation of HDFS security, so install and configure it first.

Install Kerberos

# On CentOS, krb5-server provides both the KDC (krb5kdc) and the admin server (kadmind)
sudo yum install krb5-server krb5-workstation

Configure Kerberos

Edit the /etc/krb5.conf file and add the following:

[libdefaults]
    default_realm = YOUR.REALM.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    YOUR.REALM.COM = {
        kdc = kdc.your.realm.com:88
        admin_server = kdc.your.realm.com:749
    }

[domain_realm]
    .your.realm.com = YOUR.REALM.COM
    your.realm.com = YOUR.REALM.COM

Start the Kerberos services

# Create the KDC principal database first; krb5kdc will not start without it
sudo kdb5_util create -s
sudo systemctl start krb5kdc
sudo systemctl start kadmind

Create Kerberos principals

Create a service principal for every host that runs an HDFS or YARN daemon (replace hostname with the host's fully qualified name) and export them into the keytabs referenced in the site files below. Create the /etc/krb5kdc directory first if it does not exist, and make the keytab files readable only by the account the daemons run as.

kadmin.local -q "addprinc -randkey hdfs/kdc.your.realm.com@YOUR.REALM.COM"
kadmin.local -q "addprinc -randkey hdfs/hostname@YOUR.REALM.COM"
kadmin.local -q "ktadd -k /etc/krb5kdc/hdfs.keytab hdfs/kdc.your.realm.com@YOUR.REALM.COM hdfs/hostname@YOUR.REALM.COM"
kadmin.local -q "addprinc -randkey yarn/kdc.your.realm.com@YOUR.REALM.COM"
kadmin.local -q "addprinc -randkey yarn/hostname@YOUR.REALM.COM"
kadmin.local -q "ktadd -k /etc/krb5kdc/yarn.keytab yarn/kdc.your.realm.com@YOUR.REALM.COM yarn/hostname@YOUR.REALM.COM"

2. Configure HDFS

Edit the hdfs-site.xml file and add the following configuration:

<configuration>
    <!-- These settings only take effect once core-site.xml sets
         hadoop.security.authentication to kerberos -->
    <property>
        <name>dfs.namenode.kerberos.principal</name>
        <value>hdfs/kdc.your.realm.com@YOUR.REALM.COM</value>
    </property>
    <property>
        <name>dfs.namenode.keytab.file</name>
        <value>/etc/krb5kdc/hdfs.keytab</value>
    </property>
    <property>
        <name>dfs.datanode.kerberos.principal</name>
        <value>hdfs/hostname@YOUR.REALM.COM</value>
    </property>
    <property>
        <name>dfs.datanode.keytab.file</name>
        <value>/etc/krb5kdc/hdfs.keytab</value>
    </property>
    <!-- Block access tokens are required so DataNodes can check
         client authorization in secure mode -->
    <property>
        <name>dfs.block.access.token.enable</name>
        <value>true</value>
    </property>
    <property>
        <name>dfs.namenode.rpc-address</name>
        <value>namenode-hostname:8020</value>
    </property>
    <property>
        <name>dfs.namenode.http-address</name>
        <value>namenode-hostname:50070</value>
    </property>
    <!-- The Secondary NameNode exposes only an HTTP address -->
    <property>
        <name>dfs.namenode.secondary.http-address</name>
        <value>secondary-namenode-hostname:50090</value>
    </property>
    <property>
        <name>dfs.client.use.datanode.hostname</name>
        <value>true</value>
    </property>
    <property>
        <name>dfs.permissions.enabled</name>
        <value>true</value>
    </property>
</configuration>

3. Configure YARN

If you use YARN, you also need to configure its security settings.

Edit the yarn-site.xml file and add the following configuration:

<configuration>
    <property>
        <name>yarn.resourcemanager.principal</name>
        <value>yarn/kdc.your.realm.com@YOUR.REALM.COM</value>
    </property>
    <property>
        <name>yarn.resourcemanager.keytab</name>
        <value>/etc/krb5kdc/yarn.keytab</value>
    </property>
    <property>
        <name>yarn.nodemanager.principal</name>
        <value>yarn/hostname@YOUR.REALM.COM</value>
    </property>
    <property>
        <name>yarn.nodemanager.keytab</name>
        <value>/etc/krb5kdc/yarn.keytab</value>
    </property>
</configuration>

4. Configure SSL/TLS

To further improve security, you can configure SSL/TLS encryption for the HDFS web endpoints.

Generate an SSL certificate

# Generates a self-signed key pair; on a production cluster use a certificate issued by your CA
keytool -genkey -alias hdfs -keyalg RSA -keystore hdfs.keystore -storepass yourpassword -validity 365 -keysize 2048

Configure HDFS to use SSL

Edit the hdfs-site.xml file and add the following configuration. dfs.http.policy is what actually switches the web UIs from HTTP to HTTPS; the address properties alone do not:

<configuration>
    <property>
        <name>dfs.http.policy</name>
        <value>HTTPS_ONLY</value>
    </property>
    <property>
        <name>dfs.namenode.https-address</name>
        <value>namenode-hostname:50470</value>
    </property>
    <property>
        <name>dfs.datanode.https.address</name>
        <value>datanode-hostname:50475</value>
    </property>
</configuration>

The keystore location and password are not read from hdfs-site.xml. Put them in ssl-server.xml in the same Hadoop configuration directory, and restrict that file to the service account, because it holds the password in plaintext:

<configuration>
    <property>
        <name>ssl.server.keystore.location</name>
        <value>/path/to/hdfs.keystore</value>
    </property>
    <property>
        <name>ssl.server.keystore.password</name>
        <value>yourpassword</value>
    </property>
</configuration>
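As an added example (not part of the original article), the following Python script parses an hdfs-site.xml like the ones above and reports the security settings a reviewer would check: Kerberos principals and keytabs for both daemons, dfs.permissions.enabled, and dfs.http.policy (the Hadoop property that selects HTTP or HTTPS for the web UIs). The sample XML embedded in it is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample hdfs-site.xml: Kerberos set up for the NameNode only,
# permission checking switched off, web UIs still on plaintext HTTP.
SAMPLE_HDFS_SITE = """<configuration>
    <property><name>dfs.namenode.kerberos.principal</name><value>hdfs/_HOST@YOUR.REALM.COM</value></property>
    <property><name>dfs.namenode.keytab.file</name><value>/etc/krb5kdc/hdfs.keytab</value></property>
    <property><name>dfs.permissions.enabled</name><value>false</value></property>
    <property><name>dfs.http.policy</name><value>HTTP_ONLY</value></property>
</configuration>"""


def parse_hadoop_site(xml_text):
    """Return {property name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name", "").strip()
        if name:
            props[name] = prop.findtext("value", "").strip()
    return props


def audit_hdfs_security(props):
    """Return a list of findings; an empty list means every check passed.

    Defaults below mirror hdfs-default.xml: permission checking is on and
    the web UIs are HTTP_ONLY unless the site file says otherwise."""
    findings = []
    for role in ("namenode", "datanode"):
        principal = props.get(f"dfs.{role}.kerberos.principal", "")
        if "@" not in principal:
            findings.append(f"{role}: no Kerberos service principal with a realm")
        if not props.get(f"dfs.{role}.keytab.file"):
            findings.append(f"{role}: no keytab file configured")
    if props.get("dfs.permissions.enabled", "true").lower() != "true":
        findings.append("dfs.permissions.enabled is false: HDFS permission checks are off")
    if props.get("dfs.http.policy", "HTTP_ONLY").upper() != "HTTPS_ONLY":
        findings.append("dfs.http.policy is not HTTPS_ONLY: web UIs accept plaintext HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_hdfs_security(parse_hadoop_site(SAMPLE_HDFS_SITE)):
        print("FINDING:", finding)
```

Run it against the real file with parse_hadoop_site(open("/etc/hadoop/conf/hdfs-site.xml").read()) after the restart in step 5 to confirm nothing was lost in editing.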

5. Restart the HDFS and YARN services

sudo systemctl restart hadoop-namenode
sudo systemctl restart hadoop-datanode
sudo systemctl restart hadoop-secondarynamenode
sudo systemctl restart hadoop-resourcemanager
sudo systemctl restart hadoop-nodemanager

6. Verify the configuration

Obtain a Kerberos ticket with kinit, then check that the HDFS and YARN services are running normally. The hdfs principal was created with -randkey, so it has no password and must be authenticated from its keytab:

kinit -kt /etc/krb5kdc/hdfs.keytab hdfs/hostname@YOUR.REALM.COM
klist
hdfs dfsadmin -report
yarn node -list

With the steps above, you should have a working secure HDFS configuration on CentOS. Adjust the hostnames, realm, paths, and ports to match your environment.
