From 6f58019d1d6f7eaf2eedc3d8b10159ec29b7556b Mon Sep 17 00:00:00 2001 From: jaybo Date: Sat, 25 Jun 2022 22:32:08 +0800 Subject: [PATCH] update --- ...25-01_\345\256\211\350\243\205OpenLDAP.md" | 617 ++++++++++++++++++ ...ooKeng\351\233\206\346\210\220OpenLDAP.md" | 336 ++++++++++ ...nLooKeng\351\233\206\346\210\220Ranger.md" | 389 +++++++++++ ...0\253Kerberos\345\256\211\350\243\205).md" | 440 +++++++++++++ 4 files changed, 1782 insertions(+) create mode 100644 "content/zh-cn/blog/jaybo/2022-06-25-01_\345\256\211\350\243\205OpenLDAP.md" create mode 100644 "content/zh-cn/blog/jaybo/2022-06-25-02_openLooKeng\351\233\206\346\210\220OpenLDAP.md" create mode 100644 "content/zh-cn/blog/jaybo/2022-06-25-03_openLooKeng\351\233\206\346\210\220Ranger.md" create mode 100644 "content/zh-cn/blog/jaybo/2022-06-25-04_openLooKeng\345\205\263\351\227\255HTTP(\345\220\253Kerberos\345\256\211\350\243\205).md" diff --git "a/content/zh-cn/blog/jaybo/2022-06-25-01_\345\256\211\350\243\205OpenLDAP.md" "b/content/zh-cn/blog/jaybo/2022-06-25-01_\345\256\211\350\243\205OpenLDAP.md" new file mode 100644 index 0000000..a411445 --- /dev/null +++ "b/content/zh-cn/blog/jaybo/2022-06-25-01_\345\256\211\350\243\205OpenLDAP.md" 
@@ -0,0 +1,617 @@ ++++ + +title = "openLooKeng安全配置操作指南(一)----安装OpenLDAP" +date = "2022-06-25" +tags = ["openLooKeng", "OpenLDAP"] +archives = "2022-06" +author = "jaybo" +description = "安装OpenLDAP,使用 LDAP Client 连接 OpenLDAP" + ++++ + +[toc] + +# 0. 环境 + +| Role | IP | Hostname | Hostname+domain name | +| :---------------------- | :------------ | :------- | :------------------- | +| openldap、ranger、mysql | 192.168.80.40 | olk0 | olk0.example.com | +| kerberos | 192.168.80.41 | olk1 | olk1.example.com | +| coordinator | 192.168.80.42 | olk2 | olk2.example.com | +| worker | 192.168.80.43 | olk3 | olk3.example.com | + + + +# 1. 安装OpenLDAP + +``` shell +yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel +``` + + + +# 2. 初始化OpenLDAP配置 + +``` shell +mkdir /root/ldap_confs + +cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG +cp /usr/share/openldap-servers/slapd.ldif /root/ldap_confs +``` + + + +# 3. 修改配置文件slapd.ldif + +``` shell +# vim /root/ldap_confs/slapd.ldif +``` + +``` properties +# +# See slapd-config(5) for details on configuration options. +# This file should NOT be world readable. +# + +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /var/run/openldap/slapd.args +olcPidFile: /var/run/openldap/slapd.pid +# +# TLS settings +# 此处有坑,将tls配置先注释掉,稍后再配置,否则无法生成ldap配置 +# +#olcTLSCACertificatePath: /etc/openldap/certs +#olcTLSCertificateFile: "OpenLDAP Server" +#olcTLSCertificateKeyFile: /etc/openldap/certs/password +# +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. 
+# +#olcReferral: ldap://root.openldap.org +# +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 64-bit encryption for simple bind +# +#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 + + +# +# Load dynamic backend modules: +# - modulepath is architecture dependent value (32/64-bit system) +# - back_sql.la backend requires openldap-servers-sql package +# - dyngroup.la and dynlist.la cannot be used at the same time +# + +#dn: cn=module,cn=config +#objectClass: olcModuleList +#cn: module +#olcModulepath: /usr/lib/openldap +#olcModulepath: /usr/lib64/openldap +#olcModuleload: accesslog.la +#olcModuleload: auditlog.la +#olcModuleload: back_dnssrv.la +#olcModuleload: back_ldap.la +#olcModuleload: back_mdb.la +#olcModuleload: back_meta.la +#olcModuleload: back_null.la +#olcModuleload: back_passwd.la +#olcModuleload: back_relay.la +#olcModuleload: back_shell.la +#olcModuleload: back_sock.la +#olcModuleload: collect.la +#olcModuleload: constraint.la +#olcModuleload: dds.la +#olcModuleload: deref.la +#olcModuleload: dyngroup.la +#olcModuleload: dynlist.la +#olcModuleload: memberof.la +#olcModuleload: pcache.la +#olcModuleload: ppolicy.la +#olcModuleload: refint.la +#olcModuleload: retcode.la +#olcModuleload: rwm.la +#olcModuleload: seqmod.la +#olcModuleload: smbk5pwd.la +#olcModuleload: sssvlv.la +#olcModuleload: syncprov.la +#olcModuleload: translucent.la +#olcModuleload: unique.la +#olcModuleload: valsort.la + + +# +# Schema settings +# + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +#include: file:///etc/openldap/schema/core.ldif #注释或删除该行,将下面这些ldif拷贝粘贴即可 +include: file:///etc/openldap/schema/corba.ldif +include: file:///etc/openldap/schema/core.ldif +include: file:///etc/openldap/schema/cosine.ldif +include: file:///etc/openldap/schema/duaconf.ldif +include: file:///etc/openldap/schema/dyngroup.ldif +include: 
file:///etc/openldap/schema/inetorgperson.ldif +include: file:///etc/openldap/schema/java.ldif +include: file:///etc/openldap/schema/misc.ldif +include: file:///etc/openldap/schema/nis.ldif +include: file:///etc/openldap/schema/openldap.ldif +include: file:///etc/openldap/schema/ppolicy.ldif +include: file:///etc/openldap/schema/collective.ldif + +# +# Frontend settings +# + +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +objectClass: olcFrontendConfig +olcDatabase: frontend +# +# Sample global access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# +#olcAccess: to dn.base="" by * read +#olcAccess: to dn.base="cn=Subschema" by * read +#olcAccess: to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! 
+# + +# +# Configuration database +# + +dn: olcDatabase=config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" manage by * none + +# +# Server status monitoring +# + +dn: olcDatabase=monitor,cn=config +objectClass: olcDatabaseConfig +olcDatabase: monitor +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" read by dn.base="cn=Manager,dc=tcjf,dc=com" read by * none + +# +# Backend database definitions +# + +dn: olcDatabase=hdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcHdbConfig +olcDatabase: hdb +olcSuffix: dc=tcjf,dc=com +olcRootDN: cn=Manager,dc=tcjf,dc=com +olcRootPW: {SSHA}errZK7nns6gKzd0d0LqgUCXm5g/DTRI6 +olcDbDirectory: /var/lib/ldap +olcDbIndex: objectClass eq,pres +olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub +olcDbIndex: uidNumber,gidNumber,loginShell eq,pres +olcDbIndex: uid,memberUid eq,pres,sub +olcDbIndex: nisMapName,nisMapEntry eq,pres,sub +``` + +几处改动的地方: + +1. include: file,注释或删除该行,复制粘贴该行下面那些 .ldif + +2. 三处 `dc=dc-domain`,更改为你自己的,也可以就照我的改 `dc=tcjf` + +3. 增加下面四列: + + ``` properties + olcRootPW: {SSHA}errZK7nns6gKzd0d0LqgUCXm5g/DTRI6 + ``` + + ``` properties + olcDbIndex: uidNumber,gidNumber,loginShell eq,pres + olcDbIndex: uid,memberUid eq,pres,sub + olcDbIndex: nisMapName,nisMapEntry eq,pres,sub + ``` + + 其中 olcRootPW 后面的密码由 slappasswd 命令生成,如下为生成 123456 的加密密码: + + ``` shell + slappasswd -s 123456 + ``` + + 在你本机执行,将生成的加密密码复制粘贴到 olcRootPW 后面。 + +​ image-20220502171500393 + + + +# 4. 重新生成配置文件信息 + +``` shell +# 删除之前配置 +rm -rf /etc/openldap/slapd.d/* + +# 生成新配置 +slapadd -F /etc/openldap/slapd.d -n 0 -l /root/ldap_confs/slapd.ldif + +# 测试配置 +slaptest -u -F /etc/openldap/slapd.d +# 注意:完成后查看下/etc/openldap/slapd.d/下生成的配置信息是否完整! + +# 授权 +chown -R ldap. /etc/openldap/slapd.d/ +chown -R ldap. 
/var/lib/ldap/ + +# 启动服务 +systemctl start slapd +systemctl enable slapd +systemctl status slapd +``` + + + +# 5. 导入根域及管理员账号 + +生成 root.ldif + +``` properties +# cd /root/ldap_confs +# vim root.ldif +dn: dc=tcjf,dc=com +dc: tcjf +objectClass: top +objectClass: domain + +dn: cn=Manager,dc=tcjf,dc=com +objectClass: organizationalRole +cn: Manage +``` + +``` shell +# 导入根域及管理员信息到OpenLDAP服务中 +ldapadd -D "cn=Manager,dc=tcjf,dc=com" -W -x -f root.ldif +## 导入密码是:slapd.ldif中配置的对应明文密码123456 +``` + +``` shell +ldapsearch -h 127.0.0.1 -b "dc=tcjf,dc=com" -D "cn=Manager,dc=tcjf,dc=com" -W +##查看是否导入成功(-h后为ldap服务ip) +``` + + + +# 6. 导入用户和用户组 + +1. 添加基础信息 + +``` properties +# cd /root/ldap_confs +# vim base.ldif +dn: ou=People,dc=tcjf,dc=com +ou: People +objectClass: top +objectClass: organizationalUnit + +dn: ou=Group,dc=tcjf,dc=com +ou: Group +objectClass: top +objectClass: organizationalUnit +``` + +2.添加组信息 + +``` properties +# vim group.ldif +dn: cn=root,ou=Group,dc=tcjf,dc=com +objectClass: posixGroup +objectClass: top +cn: root +userPassword: {crypt}x +gidNumber: 0 + +dn: cn=lk,ou=Group,dc=tcjf,dc=com +objectClass: posixGroup +objectClass: top +cn: lk +userPassword: {crypt}x +gidNumber: 1501 +memberUid: lk +``` + +3.添加用户信息 + +```shell +# /usr/share/migrationtools/migrate_passwd.pl /etc/passwd >user.ldif +# mv user.ldif user.ldif.bak +# vim user.ldif.bak #复制里面的 dn: uid=root,ou=People,dc=xxx,dc=com 的条目内容,粘贴到 user.ldif +# vim user.ldfi #粘贴到此,再复制粘贴下面 dn: uid=lk,ou=People,dc=tcjf,dc=com 条目内容 +# rm user.ldif.bak +``` + +``` properties +# vim user.ldif +dn: uid=root,ou=People,dc=tcjf,dc=com +uid: root +cn: root +objectClass: account +objectClass: posixAccount +objectClass: top +objectClass: shadowAccount +userPassword: {crypt}$6$TC.3Iv9i$n8MVv4Eh4E7cVGP8nhiATKVJBgkmt4Zz7aapaW8/rvuwuWqP7.xwcpyFvQ3gN9Ha0LfzlCMAdIlfqhBtz/30e. 
+shadowLastChange: 19113 +shadowMin: 0 +shadowMax: 99999 +shadowWarning: 7 +loginShell: /bin/bash +uidNumber: 0 +gidNumber: 0 +homeDirectory: /root +gecos: root + +dn: uid=lk,ou=People,dc=tcjf,dc=com +uid: lk +cn: lk +objectClass: account +objectClass: posixAccount +objectClass: top +objectClass: shadowAccount +userPassword: {crypt}!! +shadowLastChange: 17988 +loginShell: /bin/bash +uidNumber: 1501 +gidNumber: 1501 +homeDirectory: /home/lk +gecos: lk +``` + +使用 slapadd 命令将基础文件及用户和组导入 OpenLDAP: + +``` shell +ldapadd -D "cn=Manager,dc=tcjf,dc=com" -W -x -f base.ldif +ldapadd -D "cn=Manager,dc=tcjf,dc=com" -W -x -f group.ldif +ldapadd -D "cn=Manager,dc=tcjf,dc=com" -W -x -f user.ldif +``` + +4.查看是否导入成功: + +``` shell +ldapsearch -h 127.0.0.1 -b "dc=tcjf,dc=com" -D "cn=Manager,dc=tcjf,dc=com" -W|grep dn +``` + +![image-20220502172710565](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502172710565.png) + + + +# 7. 生成 OpenLDAP 证书 + +## 7.1 修改openssl配置文件 + +1. 复制 openssl 配置文件到 /tmp 下: + + ``` shell + cp /etc/pki/tls/openssl.cnf /tmp/openssl.cnf + ``` + +2. 
编辑 /tmp/openssl.cnf + + 此文件的格式是类似 ini 的配置文件格式,找到 [ req ] 段落,加上下面的配置: + + ``` shell + req_extensions = v3_req + ``` + + ![image-20220502173305330](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502173305330.png) + + 这段配置表示在生成 CSR 文件时读取名叫 v3_req 的段落的配置信息,因此我们再在此配置文件中加入一段名 + 为 v3_req 的配置: + + ``` shell + [ v3_req ] + # Extensions to add to a certificate request + basicConstraints = CA:FALSE + keyUsage = nonRepudiation, digitalSignature, keyEncipherment + subjectAltName = @alt_names + ``` + + ![image-20220502173344904](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502173344904.png) + + 这段配置中最重要的是在最后导入名为 alt_names 的配置段,因此我们还需要添加一个名为 [ alt_names ] 的 + 配置段: + + ``` shell + [ alt_names ] + IP = 192.168.80.40 + ``` + + 注:ip 为OpenLDAP 服务器 ip + +## 7.2 生成OpenLDAP证书(crt文件) + +``` shell +cd /etc/openldap/certs/ +openssl genrsa -out ldap.key 1024 +openssl req -new -key ldap.key -out ldap.csr -config /tmp/openssl.cnf +``` + +``` shell +[root@olk0 certs]# openssl req -new -key ldap.key -out ldap.csr -config /tmp/openssl.cnf +You are about to be asked to enter information that will be incorporated +into your certificate request. +What you are about to enter is what is called a Distinguished Name or a DN. +There are quite a few fields but you can leave some blank +For some fields there will be a default value, +If you enter '.', the field will be left blank. 
+----- +Country Name (2 letter code) [XX]:CN +State or Province Name (full name) []:ZJ +Locality Name (eg, city) [Default City]:HZ +Organization Name (eg, company) [Default Company Ltd]:synway +Organizational Unit Name (eg, section) []:bigdata +Common Name (eg, your name or your server's hostname) []:192.168.80.40 +Email Address []:aaabbb@foxmail.com + +Please enter the following 'extra' attributes +to be sent with your certificate request +A challenge password []: +An optional company name []: +``` + +> your name or your server's hostname:输入 ldap server ip 地址。 + +查看证书请求文件的内容: + +``` shell +openssl req -text -noout -in ldap.csr +``` + +生成签名: + +``` shell +openssl x509 -req -days 3650 -in ldap.csr -signkey ldap.key -out ldap.crt -extensions v3_req -extfile /tmp/openssl.cnf +``` + + + +# 8. 配置ldap开启ssl + +## 8.1 编辑 certs.ldif + +编写 ldif 文件,导入证书。 + +``` shell +# cd /root/ldap_confs +# vim certs.ldif +``` + +**该配置为 tls 相关配置,配置文件必须为此格式,此顺序,此格式导入,不然会报错!** + +``` properties +dn: cn=config +changetype: modify +replace: olcTLSCACertificatePath +olcTLSCACertificatePath: /etc/openldap/certs +- +replace: olcTLSCertificateFile +olcTLSCertificateFile: /etc/openldap/certs/ldap.crt +- +replace: olcTLSCertificateKeyFile +olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.key +- +replace: olcTLSVerifyClient +olcTLSVerifyClient: never +``` + +执行命令导入配置到 /etc/openldap/slapd.d/cn=config.ldif 文件中: + +``` shell +ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif +``` + +## 8.2 编辑/etc/openldap/ldap.conf + +打开 /etc/openldap/ldap.conf 文件,在 `TLS_CACERTDIR /etc/openldap/certs` 的下面添加如下内容: + +``` shell +# vim /etc/openldap/ldap.conf +TLS_REQCERT allow +TLS_CERT /etc/openldap/certs/ldap.crt +TLS_KEY /etc/openldap/certs/ldap.key +URI ldaps://192.168.80.40 +BASE dc=tcjf,dc=com +``` + +其中,URI ldaps 为 ldap server 地址。 + +image-20220502174640207 + +## 8.3 配置同时启动ldap和ldaps + +编辑 /etc/sysconfig/ldap (没有就手动创建): + +``` shell +# vim /etc/sysconfig/ldap +SLAPD_LDAP=yes +SLAPD_LDAPI=yes +SLAPD_LDAPS=yes +``` + 
+编辑 /etc/sysconfig/slapd: + +``` shell +# 配置slapd启动监听ldaps +# vim /etc/sysconfig/slapd +SLAPD_URLS="ldapi:/// ldap:/// ldaps:///” +``` + +## 8.4 启动并查看是否已经成功 + +``` shell +service slapd restart + +netstat -tnlp |grep 389 + +netstat -tnlp |grep 636 +``` + + + +# 9. 使用ldap client连接 + +使用 LDAP Client 连接。Windows 可以下载 LDAP Admin,它是一款很棒的 LDAP 管理工具,界面简洁直观,连接到 LDAP 服务器后,即可快速执行管理操作。下载地址:http://www.xitongzhijia.net/soft/208026.html + +下载完成,双击打开软件,依次点击「Start」->「Connection」->「New Connection」,再按如下步骤操作,最后点击 OK。 + +![image-20220502175750237](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502175750237.png) + + + +# 10. 开启ldap日志 + +1.在 lapd.conf 中加一行 + +``` properties +# vim /etc/openldap/ldap.conf +loglevel 4095 +``` + +2.在 /etc/rsyslog.conf 中加入 ldap 日志文档,增加该条配置: + +``` properties +# vim /etc/rsyslog.conf +local4.* /var/log/ldap.log +``` + +3.在终端用命令重启 syslog 服务和 ldap 服务 + +``` shell +service rsyslog restart +service slapd restart +``` + +4.在 /var/log/ 下可以看到 ldap.log 文件 + +5.查看日志 + +``` shell +tailf /var/log/ladp.log +``` diff --git "a/content/zh-cn/blog/jaybo/2022-06-25-02_openLooKeng\351\233\206\346\210\220OpenLDAP.md" "b/content/zh-cn/blog/jaybo/2022-06-25-02_openLooKeng\351\233\206\346\210\220OpenLDAP.md" new file mode 100644 index 0000000..4d025cf --- /dev/null +++ "b/content/zh-cn/blog/jaybo/2022-06-25-02_openLooKeng\351\233\206\346\210\220OpenLDAP.md" 
@@ -0,0 +1,336 @@ ++++ + +title = "openLooKeng安全配置操作指南(二)----集成OpenLDAP" +date = "2022-06-25" +tags = ["openLooKeng", "OpenLDAP"] +archives = "2022-06" +author = "jaybo" +description = "openLooKeng集成OpenLDAP" + ++++ + +[toc] + +# 0. 环境 + +| Role | IP | Hostname | Hostname+domain name | +| :---------------------- | :------------ | :------- | :------------------- | +| openldap、ranger、mysql | 192.168.80.40 | olk0 | olk0.example.com | +| kerberos | 192.168.80.41 | olk1 | olk1.example.com | +| coordinator | 192.168.80.42 | olk2 | olk2.example.com | +| worker | 192.168.80.43 | olk3 | olk3.example.com | + + + +# 1. 导入证书(crt文件)到jdk + +拷贝 openldap 的 /etc/openldap/cert 文件夹下的 ldap.crt 证书到 openLooKeng 集群各个节点。 + +``` shell +scp /etc/openldap/cert/ldap.crt 192.168.80.42:/root/hetu-server-1.4.0 +scp /etc/openldap/cert/ldap.crt 192.168.80.43:/root/hetu-server-1.4.0 +``` + +在 openLooKeng 集群各个节点使用 keytool 导入证书到 jdk。 + +**(密码:changeit)** + +``` shell +# 导入证书 +keytool -import -trustcacerts -file ldap.crt -alias ldapserver -keystore /usr/local/java/jdk1.8.0_261/jre/lib/security/cacerts + +# 移除证书(无需运行此命令) +# -delete 删除密钥库中某条目 +# 格式:keytool -delete -alias 指定需删除的别名 -keystore 指定keystore -storepass 密码 +keytool -delete -alias ldapserver -keystore /usr/local/java/jdk1.8.0_261/jre/lib/security/cacerts +``` + +**如果这步跳过,后面当输入账号和密码登录 openLooKeng,ldap 会报 TLS negotiation failure:** + +``` xml +May 3 03:27:57 olk0 slapd[11426]: conn=1001 fd=19 ACCEPT from IP=192.168.80.42:48838 (IP=0.0.0.0:636) +May 3 03:27:57 olk0 slapd[11426]: conn=1001 fd=19 closed (TLS negotiation failure) +``` + + + +# 2. 
生成openLooKeng的keystore + +> 使用 Kerberos 和 LDAP 身份验证时,必须通过 HTTPS 访问 openLooKeng 协调节点。openLooKeng 协调节点使用`JavaKeystore`文件进行 TLS 配置。这些密钥使用`keytool`生成,并存储在 Java 密钥库文件中,供 openLooKeng 协调节点使用。https://openlookeng.io/zh-cn/docs/docs/security/tls.html + +修改 coordinator、worker 节点 hostname 和 hosts。 + +hostname: + +``` Markdown +hostnamectl set-hostname olk0 +hostnamectl set-hostname olk1 +hostnamectl set-hostname olk2 +hostnamectl set-hostname olk3 +``` + +hosts: + +``` Markdown +192.168.80.40 olk0 olk0.example.com +192.168.80.41 olk1 olk1.example.com +192.168.80.42 olk2 olk2.example.com +192.168.80.43 olk3 olk3.example.com +``` + +创建所有 coordinator 和 worker 节点**公用的 keystore**。 + +``` shell +keytool -genkeypair -alias openLooKeng -keyalg RSA -keystore keystore.jks -keysize 2048 +``` + +**创建 keystore,“first and last name”选项必须填为\*.域名,如\*.example.com**(这样不用每个 openLooKeng 节点生成一遍) + +![img](https://img-1256179949.cos.ap-shanghai.myqcloud.com/2021-09-24-config-01.png) + +拷贝生成的 keystore.jks 到 openLookeng 集群所有节点。 + +``` shell +scp keystore.jks olk2:/root/hetu-server-1.4.0/ +scp keystore.jks olk3:/root/hetu-server-1.4.0/ +``` + +可验证该文件密码并查看其内容: + +``` shell +keytool -list -v -keystore keystore.jks +``` + + + +# 3. 
配置 config.properties + +新增配置: + +``` properties +# 配置config.properties增加 +# vim config.properties +http-server.authentication.type=PASSWORD +http-server.https.enabled=true +http-server.https.port=8443 +http-server.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks +http-server.https.keystore.key=123456 +``` + +此时 config.properties 供参考(如下为 coordinator 节点配置): + +``` properties +coordinator=true +node-scheduler.include-coordinator=false + +query.max-memory=5GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB + +http-server.http.enabled=true +http-server.http.port=9999 +discovery-server.enabled=true +discovery.uri=http://olk2.example.com:9999 +#discovery.uri=https://olk2.example.com:8443 + +# 是否开启HTTP访问Web UI +hetu.queryeditor-ui.allow-insecure-over-http=true + +http-server.authentication.type=PASSWORD +http-server.https.enabled=true +http-server.https.port=8443 +http-server.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks +http-server.https.keystore.key=123456 +``` + + + +# 4. 配置 jvm.config + +打开 etc/jvm.config,增加: + +``` properties +# vim jvm.config +-Djavax.net.ssl.trustStore=/usr/local/java/jdk1.8.0_261/jre/lib/security/cacerts +-Djavax.net.ssl.trustStorePassword=changeit +``` + + + +# 5. 增加 password-authenticator.properties 配置文件 + +增加 etc/password-authenticator.properties 配置文件: + +``` properties +# 增加password-authenticator.properties配置文件 +# vim password-authenticator.properties +password-authenticator.name=ldap +ldap.url=ldaps://192.168.80.40:636 +ldap.user-bind-pattern=uid=${USER},ou=People,dc=tcjf,dc=com +ldap.cache-ttl=1s +``` + +其中,ldap.url 为 ldap server 的地址。 + + + +# 6. 
验证 + +## 6.1 Web UI + +访问地址:https://192.168.80.42:8443/ui/login.html + +> 因未关闭 HTTP 访问 Web UI,所以 HTTP 地址依然可以用: http://192.168.80.42:9999/ui/login.html + +输入 ldap 中的账号和密码,点击 Log In。 + +image-20220502194616006 + +## 6.2 Hetu CLI + +``` shell +./hetu-cli \ +--server https://coordinator-ip:port \ +--keystore-path /root/hetu-server-1.4.0/keystore.jks \ +--keystore-password password \ +--user \ +--password +``` + +(1) 使用 ip 地址访问: + +``` shell +./hetu-cli \ +--server https://192.168.80.42:8443 \ +--keystore-path /root/hetu-server-1.4.0/keystore.jks \ +--keystore-password 123456 \ +--user test \ +--password + +#或 +./hetu-cli --server https://192.168.80.42:8443 --keystore-path /root/hetu-server-1.4.0/keystore.jks --keystore-password 123456 --user test --password +``` + +进入后,执行 sql 会报: + +``` xml +Error running command: javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.80.42 not verified: + certificate: sha256/rUnl0qCdFeyPJQ5dlHFtXn/ZAYPkRgYonVFkWc9d5TI= + DN: CN=*.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown + subjectAltNames: [] +``` + +(2) 使用域名访问: + +> 添加 ip 地址映射: +> +> ``` properties +> 192.168.80.42 olk2.example.com +> ``` + +``` shell +./hetu-cli \ +--server https://olk2.example.com:8443 \ +--keystore-path /root/hetu-server-1.4.0/keystore.jks \ +--keystore-password 123456 \ +--user test \ +--password + +#或 +./hetu-cli --server https://olk2.example.com:8443 --keystore-path /root/hetu-server-1.4.0/keystore.jks --keystore-password 123456 --user test --password +``` + +- 当输入错误密码进入,执行 sql 会报: + + ``` xml + Error running command: Authentication failed: Unauthorized + ``` + +- 当输入正确密码进入,执行 sql 成功 + +## 6.3 JDBC + +使用如下连接信息: + +``` shell +String url = "jdbc:lk://192.168.80.42:8443/hive/"; +Properties properties = new Properties(); +properties.setProperty("user", "test"); +properties.setProperty("password", "123456"); +properties.setProperty("SSL", "true"); +properties.setProperty("SSLKeyStorePath", "D:\\keystore.jks"); 
+properties.setProperty("SSLKeyStorePassword", "123456"); +``` + +运行的时候要是出现如下报错: + +``` xml +java.sql.SQLException: Error setting up SSL: KeyStore certificate is not yet valid: NotBefore: Mon May 02 23:42:08 CST 2022 +``` + +先检查下运行程序的电脑和服务器的时间差,如果较大,修改服务器和电脑时间保持一致再运行。 + +若运行报错: + +``` xml +Caused by: java.io.UncheckedIOException: javax.net.ssl.SSLPeerUnverifiedException: Hostname 192.168.80.42 not verified: + certificate: sha256/uU1H9VEjdwlWBym1uNWTRGr3O7hNKYXslIphe2Hv1D0= + DN: CN=*.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown + subjectAltNames: [] +``` + +需将 url 地址改为 ip 映射: + +``` shell +String url = "jdbc:lk://olk2.example.com:8443/hive/"; +``` + +并在 `C:\Windows\System32\drivers\etc\hosts` 添加该条映射: + +``` properties +192.168.80.42 olk2.example.com +``` + +image-20220502204118363 + +## 6.4 存在的问题: 基于HTTP访问(无需密码)依然可用 + +(1) Web UI + +HTTP 访问地址:http://192.168.80.42:9999/ui/login.html + +(2) Hetu CLI + +``` shell +./hetu-cli --server http://olk2.example.com:9999 --user test +``` + +(3) JDBC + +``` shell +String url = "jdbc:lk://olk2.example.com:9999/hive/"; +Properties properties = new Properties(); +properties.setProperty("user", "test"); +properties.setProperty("password", ""); +``` + +**以上三种基于 http 访问的方式(无需密码)依然可使用。** + + + +# 7. 集成ldap成功,可先备份openLooKeng,再去集成Ranger + +``` shell +cp -r hetu-server-1.4.0 hetu-server-1.4.0-ldap +``` + + + +# 参考资料 + +[1] [openLooKeng集成OpenLDAP(二)](https://mp.weixin.qq.com/s/daC1Rs3fy2iXBnktgB4sow) + +[2] [openLooKeng AA安全配置指导(一)----对接Kerberos](https://openlookeng.io/zh-cn/blog/2021/09/24/2021-09-24-config-01.html) + +[3] [openLooKeng 官网文档_Java密钥库和信任库](https://openlookeng.io/zh-cn/docs/docs/security/tls.html) + diff --git "a/content/zh-cn/blog/jaybo/2022-06-25-03_openLooKeng\351\233\206\346\210\220Ranger.md" "b/content/zh-cn/blog/jaybo/2022-06-25-03_openLooKeng\351\233\206\346\210\220Ranger.md" new file mode 100644 index 0000000..974d9e2 
--- /dev/null +++ "b/content/zh-cn/blog/jaybo/2022-06-25-03_openLooKeng\351\233\206\346\210\220Ranger.md" 
@@ -0,0 +1,389 @@ ++++ + +title = "openLooKeng安全配置操作指南(三)----集成Ranger" +date = "2022-06-25" +tags = ["openLooKeng", "Ranger"] +archives = "2022-06" +author = "jaybo" +description = "openLooKeng集成Ranger" + ++++ + +[toc] + +# 0. 环境 + +| Role | IP | Hostname | Hostname+domain name | +| :---------------------- | :------------ | :------- | :------------------- | +| openldap、ranger、mysql | 192.168.80.40 | olk0 | olk0.example.com | +| kerberos | 192.168.80.41 | olk1 | olk1.example.com | +| coordinator | 192.168.80.42 | olk2 | olk2.example.com | +| worker | 192.168.80.43 | olk3 | olk3.example.com | + + + +# 1. 编译 Ranger + +由于 Ranger 不提供二进制安装包,故需要 maven 编译,如何编译 Ranger 不做本文重点。 + +反正最后编译成功后会得到如下一些 tar.gz 包(图片来源网络): + +在这里插入图片描述 + +当前我们只要 ranger admin 包: + +``` xml +ranger-2.1.0-admin.tar.gz +``` + +若需要同步 ldap 用户,还需安装 usersync,这个可以等以后再安装: + +``` shell +ranger-2.1.0-usersync.tar.gz +``` + + + +# 2. 编译 openLooKeng-ranger-plugin + +[openlookeng-ranger-plugin](https://gitee.com/openlookeng/openlookeng-ranger-plugin) 是为 openLooKeng 开发的 Ranger 插件,用于全面的数据安全监控和权限管理。 + +- 代码仓库:https://gitee.com/openlookeng/openlookeng-ranger-plugin + +编译过程: + +1. 从 Git 仓库检出 openlookeng-ranger-plugin 代码 + + ``` shell + git clone -b 1.4.0 https://gitee.com/openlookeng/openlookeng-ranger-plugin.git + ``` + + **本文以 openLooKeng 1.4.0 版本为例。** + +2. 进入代码根目录,执行 maven 命令: + + ```shell + mvn clean package + ``` + +3. 在上述 maven 命令执行完成后,可以在 target 目录发现以下 tar.gz 文件: + + ``` xml + ranger-2.1.0-admin-openlookeng-1.4.0-plugin.tar.gz + ranger-2.1.0-openlookeng-1.4.0-plugin.tar.gz + ``` + + + +# 3. 所要用到的安装包 + +这是这次所要用到的安装包: + +``` xml +ranger-2.1.0-admin.tar.gz +ranger-2.1.0-admin-openlookeng-1.4.0-plugin.tar.gz +ranger-2.1.0-openlookeng-1.4.0-plugin.tar.gz +``` + +![image-20220502220722786](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502220722786.png) + +接下来按照步骤安装即可。 + + + +# 4. 
安装 Ranger Admin + +## 4.1 解压 Ranger Admin + +``` shell +tar -zxvf ranger-2.1.0-admin.tar.gz +``` + +## 4.2 安装 Ranger Admin + +需要使用 root 用户,**ranger admin 依赖 MySQL、JDK**(如何安装 MySQL 和 JDK,这里略过)。 + +进入 ranger admin 根目录,打开 install.properties: + +``` shell +cd ranger-2.1.0-admin +vim install.properties +``` + +修改配置: + +``` properties +# 指定一个mysql的驱动,需要自己指定一个jar包 +SQL_CONNECTOR_JAR=/usr/local/java/mysql-connector-java-5.1.47.jar + +# 配置mysql数据库的信息, mysql账号、密码、地址 +db_root_user=root +db_root_password=123456 +db_host=localhost + +# 安装时会使用上面的root用户创建如下数据库 +db_name=ranger +db_user=ranger +db_password=123456 #数据库密码 + +#登录ranger-admin的用户名密码:admin/admin123 +rangerAdmin_password=admin123 +rangerTagsync_password=admin123 +rangerUsersync_password=admin123 +keyadmin_password=admin123 + +#Source for Audit Store. Currently solr and elasticsearch are supported. +# * audit_store is solr +# 不使用solr做审计存储,置为空即可 +audit_stoe= + +# * audit_solr_url Elasticsearch Host(s). E.g. 127.0.0.1 +audit_elasticsearch_urls= +audit_elasticsearch_port= +audit_elasticsearch_protocol= +audit_elasticsearch_user= +audit_elasticsearch_password= +audit_elasticsearch_index= +audit_elasticsearch_bootstrap_enabled=true + +#localhost或本机ip +policymgr_external_url=http://localhost:6080 +policymgr_http_enabled=true +policymgr_https_keystore_file= +policymgr_https_keystore_keyalias=rangeradmin policymgr_https_keystore_password=123456 + +unix_user=ranger +unix_user_pwd=ranger +unix_group=ranger +``` + +使用 root 用户执行如下脚本,安装 RangerAdmin: + +``` shell +./setup.sh +``` + +## 4.3 启动 Ranger Admin + +``` shell +# stop关闭 restar重启 +ews/ranger-admin-services.sh start +#或 ews/ranger-admin start +``` + +**注:服务器关机后,需重启 ranger admin 服务。** + +> 可以按如下步骤设置 ranger admin 服务为开机自启: +> +> 1. 将 `/etc/rc.d/rc.local` 文标记为可执行文件(因为在CentOS 7中,`/etc/rc.d/rc.local` 文件的权限被降低了——是没有执行权限的) +> +> ``` shell +> chmod +x /etc/rc.d/rc.local +> ``` +> +> 2. 
打开 `/etc/rc.d/rc.local` 文件,在文件末尾加入启动命令即可 +> +> ``` shell +> /root/ranger-2.1.0-admin/ews/ranger-admin-services.sh start +> ``` +> +> 3. 可以重启服务器看看是不是开机自启了: +> +> ``` shell +> reboot +> lsof -i:6080 +> ``` + +## 4.4 web 登录验证是否安装 + +访问网址:http://192.168.80.40:6080/login.jsp + +- 用户名:admin +- 密码:admin123(install.properties 中设置的) + +如下登录成功,表示安装成功。 + +image-20220502224844206 + + + +# 5. 安装 Ranger Admin 插件 + +**(1) 解压 ranger-2.1.0-admin-openlookeng-1.4.0-plugin.tar.gz** + +``` shell +tar -zxvf ranger-2.1.0-admin-openlookeng-1.4.0-plugin.tar.gz +``` + +可以发现以下目录: + +``` xml +openlookeng +service-defs +``` + +**(2) Ranger 服务类型定义的注册** + +使用 Ranger Admin 提供的 REST API 向 Ranger 注册服务类型定义。注册后,Ranger Admin 将提供 UI 以创建服务实例(在以前的版本中称为存储库)和服务类型策略。Ranger 插件使用服务类型定义和策略来确定请求是否有访问权限以进行授权。如下示例所示,可以使用 curl 命令调用 REST API 接口注册服务: + +``` shell +curl -u admin:password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @service-defs/ranger-servicedef-openlookeng.json http://ranger-admin-host:port/service/plugins/definitions +``` + +eg: + +``` shell +curl -u admin:admin123 -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @service-defs/ranger-servicedef-openlookeng.json http://192.168.80.40:6080/service/plugins/definitions +``` + +**(3) 复制 openlookeng 目录到 Ranger Admin 安装目录下的 ranger-plugins 目录** + +``` shell +scp -r openlookeng/ /root/softwares/ranger-2.1.0-admin/ews/webapp/WEB-INF/classes/ranger-plugins/ +``` + +这时打开 Ranger Admin 可以看到多了“OPENLOOKENG”服务。 + +![image-20220502225652234](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502225652234.png) + + + +# 6. 
安装 openLooKeng 插件 + +**(1) 解压 ranger-2.1.0-openlookeng-1.4.0-plugin.tar.gz** + +``` shell +tar -zxvf ranger-2.1.0-openlookeng-1.4.0-plugin.tar.gz +``` + +**(2) 适当的修改 install.properties 文件** + +如下示例所示,修改了部分参数值: + +``` properties +# Location of Policy Manager URL +# ranger admin 地址 +POLICY_MGR_URL=http://192.168.80.40:6080 + +# This is the repository name created within policy manager +# 这个随便取,回头在ranger admin中新建jdbc连接的时候需要填写这个 +REPOSITORY_NAME=openlookengdev + +# openLooKeng component installed directory +# openLooKeng 安装目录 +COMPONENT_INSTALL_DIR_NAME=/root/hetu-server-1.4.0 + +XAAUDIT.SOLR.ENABLE=false + +# 添加该条配置,不然后面执行会报错 +XAAUDIT.SUMMARY.ENABLE=false +``` + +**(3) 执行 ./enable-openlookeng-plugin.sh** + +``` shell +./enable-openlookeng-plugin.sh +``` + +重启服务: + +``` shell +重启 Ranger Admin 服务:ews/ranger-admin-services.sh restart +重启 openLooKeng 服务:sh launcher restart +``` + +![image-20220502230955452](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502230955452.png) + + + +# 7. 添加 openLookeng Service + +## 7.1 添加 openLooKeng Service + +打开 Admin Ranger:http://192.168.80.40:6080/index.html,找到「OPENLOOKENG」点击「+」添加 Service。 + +输入 Service Name、Username、Password、jdbc.driverClassName、jdbc.url 这些信息: + +- Username填写: + + - 未对接 openLDAP,用户任意 + - 对接了 openLDAP,填写 ldap 用户 + +- Passworld:对接了 openLDAP 需填写;未对接 openLDAP 不用填写。 + +- jdbc 填写(openLooKeng 关闭了 http 选择 ②,否则选择 ①): + + ① 非安全openLooKeng集群:jdbc:lk://openLooKeng-IP:http-port/catalog + + ``` properties + eg: + jdbc:lk://192.168.80.40:9999/hive + ``` + + + + + + ② 安全openLooKeng集群:jdbc:lk://openLooKeng-IP:https-port/hive?SSL=true + + ``` properties + eg: + jdbc:lk://192.168.80.40:8443/hive?SSL=true + ``` + +image-20220502232941292 + +点击「Test Connection」可能会报如下这样错误: + +``` xm +Connection Failed. +Unable to retrieve any files using given parameters, You can still save the repository and start creating policies, but you would not be able to use autocomplete for resource names. Check ranger_admin.log for more info. 
+ +org.apache.ranger.plugin.client.HadoopException: Unable to execute SQL [SHOW CATALOGS]. . +Error executing query. +javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. +PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. +unable to find valid certification path to requested target. +``` + +忽略,点击「Save」保存。 + +## 7.1 验证是否添加成功 + +重启 openLooKeng,再打开 Ranger Admin Web 页面,点击「Adult」->「Plugins」查看,出现如下表明 openLooKeng 插件安装成功。 + +![image-20220502232226897](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502232226897.png) + +点击「OPENLOOKENG」下的 openlookengdev,可以看到生成了 jdbc 连接信息中填写的 lk 用户的 Policy,该默认权限配置,包含了执行如下 sql 权限: + +``` sql +select * from system.information_schema.tables; +``` + +后面就以该条 sql 进行验证。注:没有进行配置的用户,没有任何权限,比如 lk2、test 用户没配置,则没有任何权限。 + +![image-20220502234122755](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502234122755.png) + + + +# 8. 验证权限控制 + +(1) HTTP + +访问地址:http://192.168.80.42:9999/ui/login.html + +- 分别使用 lk,test 用户进入执行 sql,可以发现 test 用户没有权限 + +(2) HTTPS + +访问地址:https://192.168.80.42:8443/ui/ + +- 分别使用 lk,test 用户并输入正确的密码进入执行 sql,可以发现 test 用户没有权限 + + + +# 参考资料 + +[1] [openLooKeng 官网文档_Ranger 访问控制](https://openlookeng.io/zh-cn/docs/docs/security/ranger-access-control.html) + +[2] [大数据权限管理工具Ranger2.0.0的安装部署到使用测试(踩坑详情)](https://juejin.cn/post/6844904159930482696) diff --git "a/content/zh-cn/blog/jaybo/2022-06-25-04_openLooKeng\345\205\263\351\227\255HTTP(\345\220\253Kerberos\345\256\211\350\243\205).md" "b/content/zh-cn/blog/jaybo/2022-06-25-04_openLooKeng\345\205\263\351\227\255HTTP(\345\220\253Kerberos\345\256\211\350\243\205).md" new file mode 100644 index 0000000..8b32944 
--- /dev/null +++ "b/content/zh-cn/blog/jaybo/2022-06-25-04_openLooKeng\345\205\263\351\227\255HTTP(\345\220\253Kerberos\345\256\211\350\243\205).md" 
@@ -0,0 +1,440 @@ ++++ + +title = "openLooKeng安全配置操作指南(三)----关闭HTTP(含Kerberos安装)" +date = "2022-06-25" +tags = ["openLooKeng", "Kerberos"] +archives = "2022-06" +author = "jaybo" +description = "openLooKeng关闭HTTP,含Kerberos安装" + ++++ + +[toc] + +# 0. 环境 + +| Role | IP | Hostname | Hostname+domain name | +| :---------------------- | :------------ | :------- | :------------------- | +| openldap、ranger、mysql | 192.168.80.40 | olk0 | olk0.example.com | +| kerberos | 192.168.80.41 | olk1 | olk1.example.com | +| coordinator | 192.168.80.42 | olk2 | olk2.example.com | +| worker | 192.168.80.43 | olk3 | olk3.example.com | + + + +# 1. 安装 Kerberos Server + +## 1.1 安装 + +``` shell +yum install -y krb5-server krb5-lib krb5-workstation +``` + +## 1.2 修改配置文件 + +**配置/etc/krb5.conf**:vim /etc/krb5.conf + +``` properties +# Configuration snippets may be placed in this directory as well + +includedir /etc/krb5.conf.d/ +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + dns_lookup_realm = false + ticket_lifetime = 24h + renew_lifetime = 7d + forwardable = true + rdns = false + pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt + default_realm = EXAMPLE.COM + default_ccache_name = /tmp/krb5cc_%{uid} + +[realms] + EXAMPLE.COM = { + kdc = host4 //kerberos服务器主机名 + admin_server = host4 + } + +[domain_realm] + .example.com = EXAMPLE.COM + example.com = EXAMPLE.COM +``` + +注: + +1. 修改 default_realm 与 [realms] 中命名相同; +2. kdc、admin_server 配置为本地的 hostname; +3. 
配置 default_ccache_name。 + +**拷贝 /etc/krb5.conf 文件到 openLooKeng 集群所有节点上,config.properties 认证配置会用到。** + +**配置** **/var/kerberos/krb5kdc/kdc.conf**:vim /var/kerberos/krb5kdc/kdc.conf + +``` properties +[kdcdefaults] + kdc_ports = 88 + kdc_tcp_ports = 88 + +[realms] + EXAMPLE.COM = { + \#master_key_type = aes256-cts + acl_file = /var/kerberos/krb5kdc/kadm5.acl + dict_file = /usr/share/dict/words + admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab + supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal + } +``` + +**注:** kdc.conf 中 realm 名与 krb5.conf 相同 + +## 1.3 创建数据库 + +``` shell +/usr/sbin/kdb5_util create -r EXAMPLE.COM -s +``` + +其中需要设置管理员密码,创建完成会在 /var/kerberos/krb5kdc/ 下面生成 principal 文件,若重建数据库则需先删除 /var/kerberos/krb5kdc 下面 principal 相关文件,附删除命令: + +``` shell +rm -rf /var/kerberos/krb5kdc/principal* +``` + +## 1.4 创建管理员账号 + +编辑 /var/kerberos/krb5kdc/kadm5.acl,vim /var/kerberos/krb5kdc/kadm5.acl,增加: + +``` shell +*/admin@EXAMPLE.COM * +``` + +**注:** \* 代表全部权限 + +## 1.5 重启Kerberos服务器 + +``` shell +systemctl restart krb5kdc +systemctl restart kadmin +``` + +服务器关机后,kerberos 服务也会关闭。可以将 kerberos 加入开机自启: + +``` shell +systemctl enable krb5kdc +systemctl enable kadmin +``` + +## 1.6 Kerberos Client安装(若client和server部署在同台服务器,不用安装) + +``` shell +yum install krb5-workstation krb5-libs krb5-auth-dialog +``` + +复制 kerberos server 的 /etc/krb5.conf 到 kerberos client 的 /etc/krb5.conf。 + +## 1.7 在客户端添加用户 + +为 Kerberos database 添加 administrative principals: + +``` shell +kadmin.local -q "addprinc admin/admin@EXAMPLE.COM" +``` + +## 1.8 验证客户端可以访问KDC + +``` shell +kinit admin/admin +kadmin -p 'admin/admin' -w '123456' -s 'ip4' -q 'list_principals' +``` + +其中,ip4 为 kerberos server 地址。 + + + +# 2. 
openLooKeng对接Kerberos + +## 2.1 生成openLooKeng的Keytab + +在装有 Kerberos 客户端的机器上执行下面语句(**生成服务名为HTTP**) + +创建 principal: + +``` shell +kadmin -p admin/admin -q "addprinc -randkey HTTP@EXAMPLE.COM" +kadmin -p admin/admin -q "addprinc -randkey HTTP/olk2@EXAMPLE.COM" +kadmin -p admin/admin -q "addprinc -randkey HTTP/olk3@EXAMPLE.COM" +``` + +生成 keytab: + +``` shell +kadmin -p admin/admin -q "ktadd -k ./lk.keytab HTTP@EXAMPLE.COM" +kadmin -p admin/admin -q "ktadd -k ./lk.keytab HTTP/olk2@EXAMPLE.COM" +kadmin -p admin/admin -q "ktadd -k ./lk.keytab HTTP/olk3@EXAMPLE.COM" +``` + +**注:**openLooKeng 主机名必须为小写,如 olk2、olk3。所有节点主机名的 principal 都要创建。 + +**拷贝 lk.keytab 文件到 openLooKeng 集群所有节点上,config.properties 认证配置会用到。** + +``` shell +scp lk.keytab olk2:/root/hetu-server-1.4.0/ +scp lk.keytab olk3:/root/hetu-server-1.4.0/ +``` + +## 2.2 配置openLooKeng的config.properties + +所有节点进行如下修改: + +1. 禁用 http 端点 + + ``` shell + http-server.http.enabled=false + ``` + +2. 配置集群使用集群节点的 FQDN(全量域名)进行通信: + + ``` shell + node.internal-address= + #eg:node.internal-address=olk2.example.com + ``` + +3. 启用 HTTPS 端点(这个在对接 openLDAP 时已配置) + + ``` properties + http-server.https.enabled=true + http-server.https.port= + http-server.https.keystore.path= + http-server.https.keystore.key= + + #eg: + #http-server.https.enabled=true + #http-server.https.port=8443 + #http-server.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks + #http-server.https.keystore.key=123456 + ``` + +4. 将 discovery URI 修改为 HTTPS 地址 + + ``` properties + discovery.uri=https://discovery_ip:port + #eg:discovery.uri=https://olk2.example.com:8443 + ``` + +5. 配置内部通信需要使用 HTTPS 协议 + + ``` properties + internal-communication.https.required=true + ``` + +6. 配置内部通信使用 Java 密钥库文件 + + ``` properties + internal-communication.https.keystore.path= + internal-communication.https.keystore.key= + + #eg: + #internal-communication.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks + # internal-communication.https.keystore.key=123456 + ``` + +7. 
配置内部通信使用 kerberos 认证 + + ``` properties + internal-communication.kerberos.enabled=true + ``` + +8. 启用 kerberos 认证,并指定 keytab 和 krb5 文件 + + ``` shell + http-server.authentication.type=KERBEROS + http.server.authentication.krb5.service-name= HTTP + http.server.authentication.krb5.keytab=/root/hetu-server-1.4.0/lk.keytab + http.authentication.krb5.config=/root/hetu-server-1.4.0/krb5.conf + ``` + +最终 config.properties(coordinator节点)如下,供参考: + +``` properties +coordinator=true +node-scheduler.include-coordinator=false + +query.max-memory=5GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB + +http-server.http.enabled=false +http-server.http.port=9999 +discovery-server.enabled=true +#discovery.uri=http://olk2.example.com:9999 +discovery.uri=https://olk2.example.com:8443 + +hetu.queryeditor-ui.allow-insecure-over-http=true + +http-server.authentication.type=PASSWORD,KERBEROS +#http-server.authentication.type=PASSWORD +http-server.https.enabled=true +http-server.https.port=8443 +http-server.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks +http-server.https.keystore.key=123456 + +node.internal-address=olk2.example.com + +internal-communication.https.required=true +internal-communication.https.keystore.path=/root/hetu-server-1.4.0/keystore.jks +internal-communication.https.keystore.key=123456 + +internal-communication.kerberos.enabled=true + +#http-server.authentication.type=KERBEROS +http.server.authentication.krb5.service-name=HTTP +http.server.authentication.krb5.keytab=/root/hetu-server-1.4.0/lk.keytab +http.authentication.krb5.config=/root/hetu-server-1.4.0/krb5.conf +``` + + + +## 2.3 配置openLooKeng的jvm.config + +所有节点增加: + +``` shell +-Dsun.security.krb5.debug=true +-Dlog.enable-console=true +-Djava.security.krb5.conf=/root/hetu-server-1.4.0/krb5.conf +``` + +> 其中 -Dsun.security.krb5.debug=true、-Dlog.enable-console=true 用于调试,可以选择关闭。 + + + +## 关于使用hive连接器报“Cannot locate KDC ”错误的问题 + +如果在启用了 kerberos 认证的 hive 连接器执行 sql 时,报如下错误: + +``` xml 
+Exception javax.security.auth.login.LoginException: Cannot locate KDC +``` + +请将 hive 连接器用到的 krb5.conf 文件拷贝一份,打开并将本文 krb5.conf 文件中的以下两处配置添加进去: + +- [realms] 配置 +- [domain_realm] 配置 + +再将 default_realm 修改为本文 krb5 文件中的 default_realm 。如图。 + +image-20220625152608510 + +最后在 jvm.config 中添加或修改如下配置: + +``` properties +-Djava.security.krb5.conf=/root/hetu-server-1.4.0/krb5.conf +``` + + + +# 3. 验证 + +## 3.1 Web UI + +**(1) HTTP** + +基于 HTTP 访问:http://192.168.80.42:9999/ui/login.html,访问不了。[达到目的] + +**(2) HTTPS** + +基于 HTTPS 访问:https://192.168.80.42:8443/ui/ 或 https://olk2.example.com:8443/ui/(可访问) + +- 输入正确账户和密码才能进入。 + +执行 sql: + +``` sql +select * from system.information_schema.tables; +``` + +报错如下: + +``` xml +javax.net.ssl.SSLPeerUnverifiedException: Hostname localhost not verified: certificate: sha256/uU1H9VEjdwlWBym1uNWTRGr3O7hNKYXslIphe2Hv1D0= DN: CN=*.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown subjectAltNames: [] +``` + +![image-20220502234531590](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502234531590-16515063386493.png) + +> 问官方伙伴,貌似意思是一个 bug。 + +## 3.2 Hetu CLI + +**(1) HTTPS** + +- 输入 test 用户密码,执行 sql,可以看到 test 用户没有执行该条 sql 权限 + + ``` shell + ./hetu-cli --server https://olk2.example.com:8443 --keystore-path /root/hetu-server-1.4.0/keystore.jks --keystore-password 123456 --user test --password + ``` + + ![image-20220502235750600](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502235750600.png) + +- 输入 lk 用户密码,执行 sql,因为 lk 具有该条 sql 权限,可以看到执行结果 + + ``` shell + ./hetu-cli --server https://olk2.example.com:8443 --keystore-path /root/hetu-server-1.4.0/keystore.jks --keystore-password 123456 --user lk --password + ``` + + ![image-20220502235948697](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502235948697.png) + +**(2) HTTP** + +http 访问,可以看到无法连接对应端口:[达到目的] + +``` shell +./hetu-cli --server http://olk2.example.com:9999 --user test +``` + 
+![image-20220502212214749](https://img-1256179949.cos.ap-shanghai.myqcloud.com/image-20220502212214749.png) + +## 8.3 JDBC + +**(1) HTTPS** + +如下基于 https 的连接方式,可用: + +``` xshell +String url = "jdbc:lk://olk2.example.com:8443/hive/"; +Properties properties = new Properties(); +properties.setProperty("user", "test"); +properties.setProperty("password", "123456"); +properties.setProperty("SSL", "true"); +properties.setProperty("SSLKeyStorePath", "D:\\keystore.jks"); +properties.setProperty("SSLKeyStorePassword", "123456"); +``` + +image-20220503000537019 + +可以看到 test 用户没有该权限。改为 lk 用户可以。 + +image-20220503000658142 + +**(2) HTTP** + +基于 http 方式,可以看到无法连接对应接口:[达到目的] + +``` shell +String url = "jdbc:lk://olk2.example.com:9999/hive/"; +Properties properties = new Properties(); +properties.setProperty("user", "test"); +properties.setProperty("password", ""); +``` + +image-20220502212659562 + + + +# 参考资料 + +[1] [openLooKeng AA安全配置指导(一)----对接Kerberos](https://openlookeng.io/zh-cn/blog/2021/09/24/2021-09-24-config-01.html) + +[2] [openLooKeng 官网文档_内部通信安全](https://openlookeng.io/zh-cn/docs/docs/security/internal-communication.html)
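Review bot: The kdc.conf example in section 1.2 enables single-DES and RC4 via `supported_enctypes = … arcfour-hmac:normal … des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal`, so every principal created in 2.1 gets keys under broken ciphers; the line should be trimmed to `supported_enctypes = aes256-cts:normal aes128-cts:normal` before any keytab is generated. The krb5.conf example sets `kdc = host4` / `admin_server = host4` and the note says to use the local hostname, but the environment table places the KDC on olk1.example.com and the same file is then copied to every cluster node, so the realm block should name the KDC, `kdc = olk1.example.com`, on all hosts. The final coordinator config in 2.2 still carries `hetu.queryeditor-ui.allow-insecure-over-http=true`, which contradicts a guide titled "关闭HTTP" and should be removed or set to `false` once only the HTTPS endpoint listens. The `kadmin -p 'admin/admin' -w '123456'` example in 1.8 puts the admin password on the command line where shell history and `ps` expose it; the interactive prompt should be used instead. Minor: 1.1 installs `krb5-lib` while 1.6 installs `krb5-libs`, which appears to be the real package name, and the heading `## 8.3 JDBC` inside section 3 presumably should be `## 3.3 JDBC`.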