Open anantamukhta opened 6 years ago
Download the JCE policy files for Java 8 from http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip (the link is plain HTTP, so verify the archive's checksum against a trusted source before installing it).
Unzip the archive with the following command: $ unzip jce_policy-8.zip
Copy US_export_policy.jar and local_policy.jar to the Java security directory: sudo cp *policy.jar /usr/java/jdk1.8.0_171-amd64/jre/lib/security/
Install the Kerberos client on all nodes: yum -y install krb5-workstation krb5-libs krb5-auth-dialog
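Change the realm name to SEBCLAB.COM:
sudo vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SEBCLA.COM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
udp_preference_limit = 1
default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
Note: the stanza above is spelled SEBCLA.COM, while every other step on this page uses SEBCLAB.COM; kdc.conf applies a [realms] stanza only to the realm with exactly that name. supported_enctypes also admits single-DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc) and RC4 (arcfour-hmac), which are deprecated; the AES entries are the ones worth keeping.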
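$ sudo vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SEBCLAB.COM
default_ccache_name = KEYRING:persistent:%{uid}
udp_preference_limit = 1
default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
[realms]
EXAMPLE.COM = {
kdc = ip-172-31-47-144.example.com
admin_server = ip-172-31-47-144.example.com
}
[domain_realm]
.example.com = SEBCLAB.COM
example.com = SEBCLAB.COM
Note: default_tgs_enctypes and default_tkt_enctypes pin clients to arcfour-hmac (RC4), a deprecated enctype, while the keytab exported further down contains only aes256-cts and aes128-cts keys; leaving these two settings out, or listing the AES types, avoids both the downgrade and a possible enctype mismatch.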
$ sudo /usr/sbin/kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'SEBCLAB.COM',
master key name 'K/M@SEBCLAB.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
$ sudo kadmin.local
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: admin
kadmin.local: Unknown request "admin". Type "?" for a request list.
kadmin.local: addprinc cloudera-scm@SEBCLAB.COM
WARNING: no policy specified for cloudera-scm@SEBCLAB.COM; defaulting to no policy
Enter password for principal "cloudera-scm@SEBCLAB.COM":
Re-enter password for principal "cloudera-scm@SEBCLAB.COM":
Principal "cloudera-scm@SEBCLAB.COM" created.
kadmin.local: exit
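sudo vi /var/kerberos/krb5kdc/kadm5.acl
/admin@EXAMPLE.COM cloudera-scm@SEBCLAB.COM admilc
Note: the first entry looks like the stock `*/admin@EXAMPLE.COM *` line with its asterisks lost in rendering, and as shown it still names EXAMPLE.COM rather than SEBCLAB.COM. The admilc letters grant cloudera-scm add, delete, modify, inquire, list and change-password rights, which is narrower than the `*` (all privileges) wildcard.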
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: addpol admin
kadmin.local: addpol users
kadmin.local: addpol hosts
kadmin.local: exit
$ sudo kadmin.local
Authenticating as principal root/admin@SEBCLAB.COM with password.
kadmin.local: xst -k cmf.keytab cloudera-scm@SEBCLAB.COM
Entry for principal cloudera-scm@SEBCLAB.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:cmf.keytab.
Entry for principal cloudera-scm@SEBCLAB.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:cmf.keytab.
kadmin.local: exit
$ sudo mv cmf.keytab /etc/cloudera-scm-server/
$ sudo chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.keytab
$ chmod 600 /etc/cloudera-scm-server/cmf.keytab
$ sudo vi /etc/cloudera-scm-server/cmf.principal
cloudera-scm@SEBCLAB.COM
$ sudo chown cloudera-scm:cloudera-scm /etc/cloudera-scm-server/cmf.principal
$ sudo chmod 600 /etc/cloudera-scm-server/cmf.principal
$ sudo systemctl start krb5kdc
$ sudo systemctl start kadmin
Note: the chmod on cmf.keytab is shown without sudo; once the file belongs to cloudera-scm, only that user or root can change its mode, so confirm with ls -l that the keytab really ended up with mode 600.
Administration -> Settings -> Security ->Kerberos Security Realm -> SEBCLAB.COM
Install the krb5 client on all hosts: ssh user@hostname sudo yum -y install krb5-workstation krb5-libs krb5-auth-dialog
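kinit cloudera-scm@SEBCLAB.COM
kinit: Cannot find KDC for realm "SEBCLAB.COM" while getting initial credentials
This error is consistent with the /etc/krb5.conf shown above: its [realms] section defines only EXAMPLE.COM, so the client has no kdc entry for SEBCLAB.COM.
I changed the SEBCLAB.COM realm to the internal hostname.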
$beeline
!connect jdbc:hive2://
Install krb5 by following this guide: http://blog.puneethabm.in/configure-hadoop-security-with-cloudera-manager-using-kerberos/