hive配置Kerbros安全认证

末蓝、 2023-10-07 14:07 8阅读 0赞

需求：
    对新建hadoop集群和hive集群的安全认证安装部署。
    
    版本：
    centos 7.7
    hadoop 2.7.6
    hive 1.2.2
    
    部署规划：
    192.168.216.111 hadoop01 namenode、resourcemanager、datanode、nodemanager、hive、KDC服务
    192.168.216.112 hadoop02 datanode、nodemanager、secondarynamenode、kerbros客户端 
    192.168.216.113 hadoop03 datanode、nodemanager、kerbros客户端

### **第一章 kerbros认证** ###

### **1.1 Kerbros概述** ###

Kerberos 是一种网络认证协议，其设计目标是通过密钥系统为客户机 / 服务器应用程序提供强大的认证服务。该认证过程的实现不依赖于主机操作系统的认证，无需基于主机地址的信任，不要求网络上所有主机的物理安全，并假定网络上传送的数据包可以被任意地读取、修改和插入数据。在以上情况下， Kerberos 作为一种可信任的第三方认证服务，是通过传统的密码技术（如：共享密钥）执行认证服务的。

### **1.2 Kerbros身份认证原理和机制** ###

Kerberos的工作围绕着票据展开，票据类似于人的驾驶证，驾驶证标识了人的信息，以及其可以驾驶的车辆等级。

Kerberos是一种基于对称密钥技术的身份认证协议，它作为一个独立且可靠的的第三方的身份认证服务，可以为其它服务提供身份认证功能，且支持SSO（即客户端身份认证后，可以访问多个服务如HBase/HDFS等）。

Kerberos协议过程主要有两个阶段，第一个阶段是KDC对Client身份认证，第二个阶段是Service对Client身份认证。如下图：

![format_png][]

**俗语：**

KDC：Kerberos的服务端程序;密钥分发中心，负责管理发放票据，记录授权。
    Client：需要访问服务的用户（principal），KDC和Service会对用户的身份进行认证。
    Service：集成了Kerberos的服务，如HDFS/YARN/HBase等。
    principal：当每添加一个用户或服务的时候都需要向kdc添加一条principal，principl的形式为 主名称／实例名@领域名。
    TGT : 票证授予票证。
    SGT : 服务授予票证。

**认证步骤：**

*  KDC对Client身份认证  
    当客户端用户（principal）访问一个集成了Kerberos的服务之前，需要先通过KDC的身份认证。  
    若身份认证通过，则客户端会获取到一个TGT（Ticket Granting Ticket,票据），后续就可以使用该TGT去访问集成了Kerberos的服务。
 *  Service对Client身份认证  
    当用户获取TGT后，就可以继续访问Service服务。它会使用TGT以及需要访问的服务名称（如 HDFS）去KDC获取SGT（Service Granting Ticket），然后使用SGT去访问 Service，Service会利用相关信息对Client进行身份认证，认证通过后就可以正常访问Service服务。

### **1.3 Kerbros的安装部署** ###

#### **1.3.1 Kerbros服务端安装(KDC)** ####

[root@hadoop01 ~]# yum install -y krb5-server krb5-lib krb5-workstation
    或者使用下面这个：
    yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation

#### **1.3.2 Kerbros客户端安装** ####

客户机在hadoop的从节点上安装即可。
    [root@hadoop02 ~]# yum install -y krb5-libs krb5-workstation
    [root@hadoop03 ~]# yum install -y krb5-libs krb5-workstation

#### **1.3.3 KDC的配置** ####

在安装的kerbros服务端上修改即可。
    
    [root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kdc.conf
    修改内容如下：
    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88
    
    [realms]
    # EXAMPLE.COM = {
    #  #master_key_type = aes256-cts
    #  acl_file = /var/kerberos/krb5kdc/kadm5.acl
    #  dict_file = /usr/share/dict/words
    #  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    #  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    # }
    
     HIVE.COM = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      max_renewable_life = 7d
      supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
     }

配置说明：

HIVE.COM:是设定的realms。名字随意。Kerberos可以支持多个realms，一般全用大写
    master_key_type，supported_enctypes默认使用aes256-cts。由于，JAVA使用aes256-cts验证方式需要安装额外的jar包，这里暂不使用
    acl_file:标注了admin的用户权限。文件格式是
    Kerberos_principal permissions [target_principal] [restrictions]支持通配符等
    admin_keytab:KDC进行校验的keytab
    supported_enctypes:支持的校验方式。注意把aes256-cts去掉

#### **1.3.4 krb5.conf配置** ####

krb5.conf需要再kerbros的服务和客户端都配置。
    kerbros服务端配置：
    [root@hadoop01 ~]# vi /etc/krb5.conf
    
    替换内容如下：
    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
    # dns_lookup_realm = false
    # ticket_lifetime = 24h
    # renew_lifetime = 7d
    # forwardable = true
    # rdns = false
    # pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
    ## default_realm = EXAMPLE.COM
    # default_ccache_name = KEYRING:persistent:%{uid}
     default_realm = HIVE.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     clockskew = 120
     udp_preference_limit = 1
    
    [realms]
    # EXAMPLE.COM = {
    #  kdc = kerberos.example.com
    #  admin_server = kerberos.example.com
    # }
     HIVE.COM = {
      kdc = hadoop01
      admin_server = hadoop01
     }
    
    [domain_realm]
    # .example.com = EXAMPLE.COM
    # example.com = EXAMPLE.COM
     .hive.com = HIVE.COM
     hive.com = HIVE.COM
     
     
     kerbros客户端配置：
    [root@hadoop02 ~]# vi /etc/krb5.conf
    内容如上
    [root@hadoop03 ~]# vi /etc/krb5.conf
    内容如上

配置说明：

[logging]：表示server端的日志的打印位置
    udp_preference_limit = 1 禁止使用udp可以防止一个Hadoop中的错误
    ticket_lifetime： 表明凭证生效的时限，一般为24小时。
    renew_lifetime： 表明凭证最长可以被延期的时限，一般为一个礼拜。当凭证过期之后，对安全认证的服务的后续访问则会失败。
    clockskew：时钟偏差是不完全符合主机系统时钟的票据时戳的容差，超过此容差将不接受此票据，单位是秒
    修改其中的realm，把默认的EXAMPLE.COM修改为自己要定义的值，如：HIVE.COM。其中，以下参数需要修改：
    default_realm：默认的realm。设置为realm。如HIVE.COM
    kdc：代表要kdc的位置。添加格式是 机器名
    admin_server:代表admin的位置。格式是机器名
    default_domain：代表默认的域名。（设置master主机所对应的域名，如hive.com）

#### **1.3.5 database administrator的ACL权限** ####

数据库管理员权限配置。在kerbros的服务端配置。
    
    [root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
    修改如下：
    */admin@HIVE.COM        *

配置说明：

kadm5.acl 文件更多内容可参考：kadm5.acl文档
    想要管理 KDC 的资料库有两种方式， 一种直接在 KDC 本机上面直接执行，可以不需要密码就登入资料库管理；一种则是需要输入账号密码才能管理～这两种方式分别是：
    kadmin.local：需要在 KDC server 上面操作，无需密码即可管理资料库
    kadmin：可以在任何一台 KDC 领域的系统上面操作，但是需要输入管理员密码

#### **1.3.6 配置Kerberos服务操作** ####

#### **1.3.6.1 创建kerbros数据库** ####

创建Kerberos数据库，需要设置管理员密码，创建成功后会在/var/Kerberos/krb5kdc/下生成一系列文件，如果重新创建的话，需要先删除/var/kerberos/krb5kdc下面principal相关文件。

kerbros服务器上操作命令：

[root@hadoop01 ~]# kdb5_util create -s -r HIVE.COM

输入kdc的密码。一定要记住。我这儿设置为root,两次相同即可。

![format_png 1][]

#### **1.3.6.2 kerberos开机启动配置** ####

kerbros的服务端执行即可。
    
    [root@hadoop01 ~]# chkconfig krb5kdc on
    [root@hadoop01 ~]# chkconfig kadmin on
    [root@hadoop01 ~]# service krb5kdc start
    [root@hadoop01 ~]# service kadmin start
    [root@hadoop01 ~]# service krb5kdc status

#### **1.3.6.3 kerberos的管理员创建** ####

在kerbros服务端执行如下命令。
    
    kadmin.local输入后，，添加规则：addprinc admin/admin@HIVE.COM。
    [root@hadoop01 ~]# kadmin.local
    Authenticating as principal root/admin@HIVE.COM with password.
    继续如下图的填写：

![format_png 2][]

输入规则和密码，，两次密码相同即可，我是用的是root。

最后使用q、quit或者exist退出即可。

### **第二章 hadoop集群配置Kerbros** ###

一些概念：
    Kerberos principal用于在kerberos加密系统中标记一个唯一的身份。
    kerberos为kerberos principal分配tickets使其可以访问由kerberos加密的hadoop服务。
    对于hadoop，principals的格式为username/fully.qualified.domain.name@YOUR-REALM.COM.

keytab是包含principals和加密principal key的文件。 keytab文件对于每个host是唯一的，因为key中包含hostname。keytab文件用于不需要人工交互和保存纯文本密码，实现到kerberos上验证一个主机上的principal。 因为服务器上可以访问keytab文件即可以以principal的身份通过kerberos的认证，所以，keytab文件应该被妥善保存，应该只有少数的用户可以访问。

hive配置kerberos的前提是Hadoop集群已经配置好Kerberos，因此我们先来配置Hadoop集群的认证。

### **2.1 添加用户** ###

如下的创建用户，密码都是用户名。可以随意设置。
    #创建hadoop用户
    [root@hadoop01 hadoop]# useradd hadoop
    [root@hadoop01 hadoop]# passwd hadoop
    
    [root@hadoop02 hadoop]# useradd hadoop
    [root@hadoop02 hadoop]# passwd hadoop
    
    [root@hadoop03 hadoop]# useradd hadoop
    [root@hadoop03 hadoop]# passwd hadoop
    
    #新建用户yarn，其中需设定userID<1000，命令如下：
    [root@hadoop01 ~]# useradd -u 502 yarn -g hadoop
    #并使用passwd命令为新建用户设置密码
    [root@hadoop01 ~]# passwd yarn
    passwd yarn 输入新密码
    
    #创建hdfs用户
    [root@hadoop01 hadoop]# useradd hdfs -g hadoop
    [root@hadoop01 hadoop]# passwd hdfs
    
    [root@hadoop02 hadoop]# useradd hdfs -g hadoop
    [root@hadoop02 hadoop]# passwd hdfs
    
    [root@hadoop03 hadoop]# useradd hdfs -g hadoop
    [root@hadoop03 hadoop]# passwd hdfs
    
    #创建HTTP用户
    [root@hadoop01 hadoop]# useradd HTTP
    [root@hadoop01 hadoop]# passwd HTTP
    
    [root@hadoop02 hadoop]# useradd HTTP
    [root@hadoop02 hadoop]# passwd HTTP
    
    [root@hadoop03 hadoop]# useradd HTTP
    [root@hadoop03 hadoop]# passwd HTTP

### **2.2 创建 kerberos的普通用户及密钥文件，为配置 YARN kerberos security 时，各节点可以相互访问用** ###

在服务端节点的root用户下分别执行以下命令：
    
    [root@hadoop01 ~]# cd /var/kerberos/krb5kdc/
    #登录管理用户
    [root@hadoop01 krb5kdc]# kadmin.local
    #创建用户
    addprinc -randkey yarn/hadoop01@HIVE.COM
    addprinc -randkey yarn/hadoop02@HIVE.COM
    addprinc -randkey yarn/hadoop03@HIVE.COM
    addprinc -randkey hdfs/hadoop01@HIVE.COM
    addprinc -randkey hdfs/hadoop02@HIVE.COM
    addprinc -randkey hdfs/hadoop03@HIVE.COM
    addprinc -randkey HTTP/hadoop01@HIVE.COM
    addprinc -randkey HTTP/hadoop02@HIVE.COM
    addprinc -randkey HTTP/hadoop03@HIVE.COM
    #生成密钥文件（生成到当前路径下）
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop01@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop02@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop03@HIVE.COM"
    
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop01@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop02@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop03@HIVE.COM"
    
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab hdfs/hadoop01@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab  hdfs/hadoop02@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab hdfs/hadoop03@HIVE.COM"
    
    #合并成一个keytab文件，rkt表示展示,wkt表示写入
    [root@hadoop01 krb5kdc]# ktutil
    ktutil:  rkt hdfs-unmerged.keytab
    ktutil:  rkt HTTP.keytab
    ktutil:  rkt yarn.keytab
    ktutil:  wkt hdfs.keytab
    ktutil:  q
    注意：ktutil：以后面的是输入的。
    
    #查看
    [root@hadoop01 krb5kdc]# klist -ket  hdfs.keytab
    Keytab name: FILE:hdfs.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des3-cbc-sha1)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (arcfour-hmac)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia256-cts-cmac)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia128-cts-cmac)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-hmac-sha1)
       3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-cbc-md5)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des3-cbc-sha1)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (arcfour-hmac)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia256-cts-cmac)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia128-cts-cmac)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-hmac-sha1)
       3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-cbc-md5)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
       8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des3-cbc-sha1)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (arcfour-hmac)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia256-cts-cmac)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia128-cts-cmac)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-hmac-sha1)
       6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-cbc-md5)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des3-cbc-sha1)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (arcfour-hmac)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia256-cts-cmac)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia128-cts-cmac)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-hmac-sha1)
       6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-cbc-md5)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
       7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des3-cbc-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (arcfour-hmac)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia256-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia128-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-hmac-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-cbc-md5)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des3-cbc-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (arcfour-hmac)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia256-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia128-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-hmac-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-cbc-md5)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des3-cbc-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (arcfour-hmac)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia256-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia128-cts-cmac)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-hmac-sha1)
       4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-cbc-md5)

将生成的hdfs.keytab文件复制到hadoop配置路径下，并授权 后面经常会遇到使用keytab login失败的问题，首先需要检查的就是文件的权限。

[root@hadoop01 krb5kdc]# cp ./hdfs.keytab /usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop01 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop01 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab

### **2.3 配置hadoop集群** ###

core-site.xml配置：

<property>
        <name>hadoop.security.authorization</name>
        <value>true</value>
    </property>
    <property>
        <name>hadoop.security.authentication</name>
        <value>kerberos</value>
    </property>

**yarn-site.xml**

<property>
      <name>yarn.resourcemanager.keytab</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    <property>
      <name>yarn.resourcemanager.principal</name>
      <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    
    <property>
      <name>yarn.nodemanager.keytab</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    <property>
      <name>yarn.nodemanager.principal</name>
      <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    <property>
      <name>yarn.nodemanager.container-executor.class</name>
      <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
    </property>
    <property>
      <name>yarn.nodemanager.linux-container-executor.group</name>
      <value>yarn</value>
    </property>
    <property>
      <name>yarn.resourcemanager.proxy-user-privileges.enabled</name>
      <value>true</value>
    </property>
    <property>
      <name>yarn.nodemanager.local-dirs</name>
      <value>/usr/local/hadoop-2.7.6/tmp/nm-local-dir</value>
    </property>

**hdfs-site.xml**

<property>
      <name>dfs.block.access.token.enable</name>
      <value>true</value>
    </property>
    <property>  
      <name>dfs.datanode.data.dir.perm</name>  
      <value>700</value>  
    </property>
    <property>
      <name>dfs.namenode.keytab.file</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    <property>
      <name>dfs.namenode.kerberos.principal</name>
      <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    <property>
      <name>dfs.namenode.kerberos.https.principal</name>
      <value>HTTP/_HOST@HIVE.COM</value>
    </property>
    <property>
      <name>dfs.datanode.address</name>
      <value>0.0.0.0:1004</value>
    </property>
    <property>
      <name>dfs.datanode.http.address</name>
      <value>0.0.0.0:1006</value>
    </property>
    <property>
      <name>dfs.datanode.keytab.file</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    <property>
      <name>dfs.datanode.kerberos.principal</name>
      <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    <property>
      <name>dfs.datanode.kerberos.https.principal</name>
      <value>HTTP/_HOST@HIVE.COM</value>
    </property>
    
    <property>
      <name>dfs.webhdfs.enabled</name>
      <value>true</value>
    </property>
     
    <property>
      <name>dfs.web.authentication.kerberos.principal</name>
      <value>HTTP/_HOST@HIVE.COM</value>
    </property>
     
    <property>
      <name>dfs.web.authentication.kerberos.keytab</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    
    <property>
    <name>dfs.secondary.namenode.keytab.file</name>
    <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    
    <property>
    <name>dfs.secondary.namenode.kerberos.principal</name>
    <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    
    <property>
      <name>hadoop.tmp.dir</name>
      <value>/usr/local/hadoop-2.7.6/tmp</value>
    </property>

mapred-site.xml:

<property>
      <name>mapreduce.jobhistory.keytab</name>
      <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
    </property>
    <property>
      <name>mapreduce.jobhistory.principal</name>
      <value>hdfs/_HOST@HIVE.COM</value>
    </property>
    <property>
      <name>mapreduce.jobhistory.http.policy</name>
      <value>HTTPS_ONLY</value>
    </property>

**container-executor.cfg**

yarn.nodemanager.linux-container-executor.group=hadoop
    
    #configured value of yarn.nodemanager.linux-container-executor.group
    
    banned.users=hdfs
    
    #comma separated list of users who can not run applications
    
    min.user.id=0
    
    #Prevent other super-users
    
    allowed.system.users=root,yarn,hdfs,mapred,nobody
    
    ##comma separated list of system users who CAN run applications

### **2.4 编译安装JSVC** ###

当设置了安全的datanode时,启动datanode需要root权限,需要修改hadoop-env.sh文件.且需要安装jsvc,同时重新下载编译包commons-daemon-1.0.15.jar,并把$HADOOP_HOME/share/hadoop/hdfs/lib下替换掉.
    否则报错Cannot start secure DataNode without configuring either privileged resources

启动datanode具体报错如下：

2020-04-14 15:56:35,164 FATAL org.apache.hadoop.hdfs.server.datanode.DataNode: Exception in secureMain
    java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP.  Using privileged resources in combination with SASL RPC data transfer protection is not supported.
            at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1208)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1108)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:429)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2414)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2301)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2348)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2530)
            at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2554)
    2020-04-14 15:56:35,173 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
    2020-04-14 15:56:35,179 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: SHUTDOWN_MSG:

#### **2.4.1 下载安装包** ####

下载解压commons-daemon-1.2.2-src.tar.gz及commons-daemon-1.2.2-bin.tar.gz

#### **2.4.2 安装操作** ####

[root@hadoop01 hadoop]# cd /usr/local
    [root@hadoop01 local]# cd ./JSVC_packages/
    [root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/source/commons-daemon-1.2.2-src.tar.gz
    [root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/binaries/commons-daemon-1.2.2-bin.tar.gz
    [root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-bin.tar.gz
    [root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-src.tar.gz
    
    [root@hadoop01 JSVC_packages]# ll
    total 472
    drwxr-xr-x. 3 root root    278 Apr 14 16:25 commons-daemon-1.2.2
    -rw-r--r--. 1 root root 179626 Apr 14 16:24 commons-daemon-1.2.2-bin.tar.gz
    drwxr-xr-x. 3 root root    180 Apr 14 16:25 commons-daemon-1.2.2-src
    -rw-r--r--. 1 root root 301538 Apr 14 16:24 commons-daemon-1.2.2-src.tar.gz
    
    #编译生成jsvc，并拷贝至指定目录
    [root@hadoop01 JSVC_packages]# cd commons-daemon-1.2.2-src/src/native/unix/
    [root@hadoop01 unix]# ./configure
    [root@hadoop01 unix]# make
    [root@hadoop01 unix]# cp ./jsvc /usr/local/hadoop-2.7.6/libexec/
    
    #拷贝commons-daemon-1.2.2.jar
    [root@hadoop01 unix]# cd /usr/local/JSVC_packages/commons-daemon-1.2.2/
    [root@hadoop01 commons-daemon-1.2.2]# cp /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar.bak
    
    [root@hadoop01 commons-daemon-1.2.2]# cp ./commons-daemon-1.2.2.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
    
    
    [root@hadoop01 /opt/JSVC_packages/commons-daemon-1.2.2]# cd /opt/hadoop-2.7.2/share/hadoop/hdfs/lib/
    [root@hadoop01 /opt/hadoop-2.7.2/share/hadoop/hdfs/lib]# chown hdfs:hadoop commons-daemon-1.2.2.jar

#### **2.4.3 hadoop-env.sh** ####

[root@hadoop01 hadoop-2.7.6]# vi ./etc/hadoop/hadoop-env.sh
    
    追加如下内容：
    export HADOOP_SECURE_DN_USER=hdfs
    export JSVC_HOME=/usr/local/hadoop-2.7.6/libexec/

### **2.5 分发到其它服务器** ###

[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop02:/usr/local/
    
    [root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop03:/usr/local/

### **2.6 启动hadoop集群** ###

[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop01@HIVE.COM
    [root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
    [root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop03@HIVE.COM
    
    [root@hadoop02 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop02 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
    
    [root@hadoop03 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop03 krb5kdc]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab
    
    [root@hadoop01 hadoop-2.7.6]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: hdfs/hadoop01@HIVE.COM
    
    Valid starting       Expires              Service principal
    04/14/2020 16:49:17  04/15/2020 16:49:17  krbtgt/HIVE.COM@HIVE.COM
            renew until 04/21/2020 16:49:17
            
     
     
     
     [root@hadoop02 ~]# useradd hdfs
     [root@hadoop02 hadoop-2.7.6]# passwd hdfs
     [root@hadoop03 ~]# useradd hdfs
     [root@hadoop03 hadoop-2.7.6]# passwd hdfs
     
     #启动hdfs，，直接root用户
    [root@hadoop01 hadoop-2.7.6]# start-dfs.sh
    #启动DataNode，直接root用户
    [root@hadoop01 hadoop-2.7.6]# start-secure-dns.sh
    #启动yarn，直接root用户启动即可(亲测没有问题)
    [root@hadoop01 hadoop-2.7.6]# start-yarn.sh
     #启动historyserver，，直接root用户
    [root@hadoop01 hadoop-2.7.6]# mr-jobhistory-daemon.sh start historyserver
    
    
    停止集群：
    #停止DataNode，需要切换到root用户
    [root@hadoop01 hadoop-2.7.6]# stop-secure-dns.sh
     #停止hdfs
    [root@hadoop01 hadoop-2.7.6]# stop-dfs.sh
    
    #停止yarn，直接root用户启动即可(亲测没有问题)
    [root@hadoop01 hadoop-2.7.6]# stop-yarn.sh

### **2.7 测试hadoop集群** ###

访问地址：[http://hadoop01:50070][http_hadoop01_50070]

![format_png 3][]

![format_png 4][]

yarn的访问地址：[http://hadoop01:8088][http_hadoop01_8088]

![format_png 5][]

![format_png 6][]

hdfs的测试：

[root@hadoop01 hadoop-2.7.6]# hdfs dfs -ls /
    [root@hadoop01 hadoop-2.7.6]# hdfs dfs -put /home/words /
    [root@hadoop01 hadoop-2.7.6]# hdfs dfs -cat /words
    hello qianfeng
    hello flink
    wuhan jiayou hello wuhan wuhan hroe
    
    
    # 如下使用hdfs测试，当hdfs未获取授权验证，是不能访问hdfs的文件系统的
    [hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
    20/04/15 15:04:41 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
    cat: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "hadoop02/192.168.216.112"; destination host is: "hadoop01":9000;
    
    #解决方法：
    [hdfs@hadoop02 hadoop]$ kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
    [hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
    hello qianfeng
    hello flink
    wuhan jiayou hello wuhan wuhan hroe

yarn的测试：

[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab yarn/hadoop01@HIVE.COM
    
    [root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/00
    
    错误1：
    20/04/15 23:42:45 INFO mapreduce.Job: Job job_1586934815492_0008 failed with state FAILED due to: Application application_1586934815492_0008 failed 2 times due to AM Container for appattempt_1586934815492_0008_000002 exited with  exitCode: -1000
    For more detailed output, check application tracking page:http://hadoop01:8088/cluster/app/application_1586934815492_0008Then, click on links to logs of each attempt.
    Diagnostics: Application application_1586934815492_0008 initialization failed (exitCode=255) with output: Requested user hdfs is banned
    
    错误2：
    Caused by: java.io.IOException: Exceeded MAX_FAILED_UNIQUE_FETCHES; bailing-out.
    解决方案：
    hdfs-site.xml中配置临时目录
    yarn-site.xml中也要配置零食目录，，并且和hdfs中的前边一样，后边加一点固定的
    
    #再次测试：
    [root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/02
    20/04/16 02:55:38 INFO client.RMProxy: Connecting to ResourceManager at hadoop01/192.168.216.111:8032
    20/04/16 02:55:38 INFO hdfs.DFSClient: Created HDFS_DELEGATION_TOKEN token 61 for yarn on 192.168.216.111:9000
    20/04/16 02:55:38 INFO security.TokenCache: Got dt for hdfs://hadoop01:9000; Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
    20/04/16 02:55:39 INFO input.FileInputFormat: Total input paths to process : 1
    20/04/16 02:55:39 INFO mapreduce.JobSubmitter: number of splits:1
    20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1586976916277_0001
    20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
    20/04/16 02:55:41 INFO impl.YarnClientImpl: Submitted application application_1586976916277_0001
    20/04/16 02:55:41 INFO mapreduce.Job: The url to track the job: http://hadoop01:8088/proxy/application_1586976916277_0001/
    20/04/16 02:55:41 INFO mapreduce.Job: Running job: job_1586976916277_0001
    20/04/16 02:56:11 INFO mapreduce.Job: Job job_1586976916277_0001 running in uber mode : false
    20/04/16 02:56:11 INFO mapreduce.Job:  map 0% reduce 0%
    20/04/16 02:56:13 INFO mapreduce.Job: Task Id : attempt_1586976916277_0001_m_000000_0, Status : FAILED
    Application application_1586976916277_0001 initialization failed (exitCode=20) with output: main : command provided 0
    main : user is yarn
    main : requested yarn user is yarn
    Permission mismatch for /usr/local/hadoop-2.7.6/tmp/nm-local-dir for caller uid: 0, owner uid: 502.
    Couldn't get userdir directory for yarn.
    20/04/16 02:56:20 INFO mapreduce.Job:  map 100% reduce 0%
    20/04/16 02:56:28 INFO mapreduce.Job:  map 100% reduce 100%
    20/04/16 02:56:28 INFO mapreduce.Job: Job job_1586976916277_0001 completed successfully
    20/04/16 02:56:28 INFO mapreduce.Job: Counters: 51
            File System Counters
                    FILE: Number of bytes read=81
                    FILE: Number of bytes written=251479
                    FILE: Number of read operations=0
                    FILE: Number of large read operations=0
                    FILE: Number of write operations=0
                    HDFS: Number of bytes read=154
                    HDFS: Number of bytes written=51
                    HDFS: Number of read operations=6
                    HDFS: Number of large read operations=0
                    HDFS: Number of write operations=2
            Job Counters
                    Failed map tasks=1
                    Launched map tasks=2
                    Launched reduce tasks=1
                    Other local map tasks=1
                    Data-local map tasks=1
                    Total time spent by all maps in occupied slots (ms)=4531
                    Total time spent by all reduces in occupied slots (ms)=3913
                    Total time spent by all map tasks (ms)=4531
                    Total time spent by all reduce tasks (ms)=3913
                    Total vcore-milliseconds taken by all map tasks=4531
                    Total vcore-milliseconds taken by all reduce tasks=3913
                    Total megabyte-milliseconds taken by all map tasks=4639744
                    Total megabyte-milliseconds taken by all reduce tasks=4006912
            Map-Reduce Framework
                    Map input records=3
                    Map output records=10
                    Map output bytes=103
                    Map output materialized bytes=81
                    Input split bytes=91
                    Combine input records=10
                    Combine output records=6
                    Reduce input groups=6
                    Reduce shuffle bytes=81
                    Reduce input records=6
                    Reduce output records=6
                    Spilled Records=12
                    Shuffled Maps =1
                    Failed Shuffles=0
                    Merged Map outputs=1
                    GC time elapsed (ms)=192
                    CPU time spent (ms)=2120
                    Physical memory (bytes) snapshot=441053184
                    Virtual memory (bytes) snapshot=4211007488
                    Total committed heap usage (bytes)=277348352
            Shuffle Errors
                    BAD_ID=0
                    CONNECTION=0
                    IO_ERROR=0
                    WRONG_LENGTH=0
                    WRONG_MAP=0
                    WRONG_REDUCE=0
            File Input Format Counters
                    Bytes Read=63
            File Output Format Counters
                    Bytes Written=51

错误1：

2020-04-15 14:38:36,457 INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user hdfs/hadoop02@HIVE.COM using keytab file /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab
    2020-04-15 14:38:36,961 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Invalid dfs.datanode.data.dir /home/hdfs/hadoopdata/dfs/data :
    
    解决方案(如果满足下面的要求，不用做)
    第1步：
    [root@hadoop02 ~]#  useradd hdfs -g hadoop
    [root@hadoop02 ~]#  passwd hdfs
    
    [root@hadoop03 ~]#  useradd hdfs -g hadoop
    [root@hadoop03 ~]#  passwd hdfs
    
    第2步(那一台报错在那一台执行)：
    [root@hadoop02 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
    [root@hadoop02 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
    [root@hadoop03 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/

错误2：

启动datanode报错：
    java.io.IOException: All directories in dfs.datanode.data.dir are invalid: "/home/hdfs/hadoopdata/dfs/data"
    
    解决方案(确定没有手动创建都可以)：
    [root@hadoop02 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data
    [root@hadoop03 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data

错误3：

启动yarn时报错：
    Caused by: java.io.IOException: Login failure for hdfs/hadoop03@HIVE.COM from keytab /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user
    
    解决(那一台报错就在那一台是对应执行)：
    [root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
    [root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop03@HIVE.COM

错误4：

启动yarn时报错如下：
    Caused by: ExitCodeException exitCode=24: File /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg must be owned by root, but is owned by 20415
    
    将container-executor.cfg的所有父目录及本身文件都修改成root:root即可：
    [root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/
    [root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg

错误5：

启动yarn时报错如下：
    Caused by: ExitCodeException exitCode=22: Invalid permissions on container-executor binary.
    
    解决方法：
    [root@hadoop01 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
    [root@hadoop01 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor
    
    [root@hadoop02 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
    [root@hadoop02 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor
    
    [root@hadoop03 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
    [root@hadoop03 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor

错误6：

#运行案例报错
    java.io.IOException: org.apache.hadoop.yarn.exceptions.InvalidResourceRequestException: Invalid resource request, requested memory < 0, or requested memory > max configured, requestedMemory=1536, maxMemory=1024
    
    
    #解决方案，修改yarn-site.xml:
    <property>
          <name>yarn.nodemanager.resource.memory-mb</name>
          <value>2048</value>
    </property>
    
    #分发到别的服务器：
    [root@hadoop02 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop03 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/
    
    #重启yarn服务
    [root@hadoop01 hadoop-2.7.6]# start-yarn.sh

### **第三章 Hive配置Kerberos** ###

### **3.1 创建hive用户** ###

#新建用户hive，命令如下：
    [root@hadoop01 hive-1.2.2]# useradd -u 503 hive -g hadoop
    [root@hadoop01 hive-1.2.2]# passwd hive 输入新密码，我的密码为hive

### **3.2 生成 keytab** ###

在主节点，即KDC server 节点上执行下面命令（root用户）：

[root@hadoop01 hive-1.2.2]# cd /var/kerberos/krb5kdc/
    [root@hadoop01 krb5kdc]# kadmin.local -q "addprinc -randkey hive/hadoop01@HIVE.COM"
    [root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hive.keytab hive/hadoop01@HIVE.COM"
    #查看
    [root@hadoop01 krb5kdc]# klist -ket hive.keytab
    Keytab name: FILE:hive.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des3-cbc-sha1)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (arcfour-hmac)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (camellia256-cts-cmac)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (camellia128-cts-cmac)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des-hmac-sha1)
       2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des-cbc-md5)
    
    
    #将hive.keytab发送到hive目录的配置文件下：
    [root@hadoop01 krb5kdc]# cp hive.keytab /usr/local/hive-1.2.2/conf/
    #授权
    [root@hadoop01 krb5kdc]# cd /usr/local/hive-1.2.2/conf/
    [root@hadoop01 conf]# chown hive:hadoop hive.keytab && chmod 400 hive.keytab
    
    由于 keytab 相当于有了永久凭证，不需要提供密码(如果修改 kdc 中的 principal 的密码，则该 keytab 就会失效)，所以其他用户如果对该文件有读权限，就可以冒充 keytab 中指定的用户身份访问 hadoop，所以 keytab 文件需要确保只对 owner 有读权限(0400)

### **3.3 修改配置文件** ###

hive-site.xml：

[root@hadoop01 hive-1.2.1]# vi ./conf/hive-site.xml
    
    <property>
        <name>hive.server2.authentication</name>
        <value>KERBEROS</value>
      </property>
      <property>
        <name>hive.server2.authentication.kerberos.principal</name>
        <value>hive/_HOST@HIVE.COM</value>
      </property>
    <property>
      <name>hive.server2.authentication.kerberos.keytab</name>
      <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
    </property>
    
    <property>
      <name>hive.metastore.sasl.enabled</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.metastore.kerberos.keytab.file</name>
      <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
    </property>
    <property>
      <name>hive.metastore.kerberos.principal</name>
      <value>hive/_HOST@HIVE.COM</value>
    </property>

core-site.xml：

[root@hadoop01 hive-1.2.2]# vi ../hadoop-2.7.6/etc/hadoop/core-site.xml
    
    <property>
        <name>hadoop.proxyuser.hive.hosts</name>
        <value>*</value>
    </property>
    <property>
        <name>hadoop.proxyuser.hive.groups</name>
        <value>*</value>
    </property>
    <property>
        <name>hadoop.proxyuser.hdfs.hosts</name>
        <value>*</value>
    </property>
    <property>
        <name>hadoop.proxyuser.hdfs.groups</name>
        <value>*</value>
    </property>
    <property>
        <name>hadoop.proxyuser.HTTP.hosts</name>
        <value>*</value>
    </property>
    <property>
        <name>hadoop.proxyuser.HTTP.groups</name>
        <value>*</value>
    </property>
    
    
    # 添加后同步到其它服务器
    [root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
    [root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/

### **3.4 启动hive** ###

[root@hadoop01 hive-1.2.2]# nohup hive --service metastore >> metastore.log 2>&1 &
    [root@hadoop01 hive-1.2.2]# nohup hive --service hiveserver2 >> hiveserver2.log 2>&1 &
    
    ##也可以切换到hive执行。

### **3.5 连接测试** ###

hive连接

[root@hadoop01 hive-1.2.2]# hive
    
    Logging initialized using configuration in file:/opt/apache-hive-1.2.1-bin/conf/hive-log4j.properties
    hive> 
    
    Caused by: MetaException(message:Could not connect to meta store using any of the URIs provided. Most recent failure: org.apache.thrift.transport.TTransportException: GSS initiate failed
    
    2020-04-16 00:47:11,335 ERROR [main]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
    javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]

beeline连接

配置kerberos后，每次窗口连接都要登录：kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/hadoop01@HIVE.COM
    
    [root@hadoop01 hive-1.2.2]# kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/hadoop01@HIVE.COM
    
    [root@hadoop01 hive-1.2.2]# beeline
    Beeline version 1.2.2 by Apache Hive
    beeline> !connect jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM
    SLF4J: Class path contains multiple SLF4J bindings.
    SLF4J: Found binding in [jar:file:/usr/local/hbase-1.2.1/lib/phoenix-4.14.1-HBase-1.2-client.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: Found binding in [jar:file:/usr/local/hadoop-2.7.6/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
    SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
    SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
    Connecting to jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM
    Enter username for jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM: hive
    Enter password for jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM: ****
    Connected to: Apache Hive (version 1.2.2)
    Driver: Hive JDBC (version 1.2.2)
    Transaction isolation: TRANSACTION_REPEATABLE_READ
    0: jdbc:hive2://hadoop01:10000/default> show databases;
    这里登录的用户名和密码是最开始创建hive的时候的所用的 hive的用户名和密码，本次测试的用户名和密码为：hive/hive

### **3.6 hive操作测试** ###

[root@hadoop01 hive-1.2.2]# hive
    
    create table if not exists u1(
    uid int,
    age int
    )
    row format delimited fields terminated by ','
    ;
    
    数据：
    [root@hadoop01 hive-1.2.2]# vi /home/u1
    1,18
    2,20
    3,20
    4,32
    5,18
    6.20
    
    #数据装载
    load data local inpath '/home/u1' into table u1;
    
    #查询
    hive> select * from u1;
    chmod: changing permissions of 'hdfs://hadoop01:9000/tmp/hive/hive/e9a76813-5c64-47f7-9a2b-5d7876111786/hive_2020-04-16_01-18-41_393_8778198899588815011-1/-mr-10000': Permission denied: user=hive, access=EXECUTE, inode="/tmp":hdfs:supergroup:drwx------
    OK
    1       18
    2       20
    3       20
    4       32
    5       18
    6       NULL
    
    
    hive> select count(*) from u1;
    Query ID = root_20200416025824_e9adc8a8-7052-4ee9-8924-bf735461484b
    Total jobs = 1
    Launching Job 1 out of 1
    Number of reduce tasks determined at compile time: 1
    In order to change the average load for a reducer (in bytes):
      set hive.exec.reducers.bytes.per.reducer=<number>
    In order to limit the maximum number of reducers:
      set hive.exec.reducers.max=<number>
    In order to set a constant number of reducers:
      set mapreduce.job.reduces=<number>
    Starting Job = job_1586976916277_0002, Tracking URL = http://hadoop01:8088/proxy/application_1586976916277_0002/
    Kill Command = /usr/local/hadoop-2.7.6//bin/hadoop job  -kill job_1586976916277_0002
    Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1
    2020-04-16 02:58:39,528 Stage-1 map = 0%,  reduce = 0%
    2020-04-16 02:58:45,992 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 2.03 sec
    2020-04-16 02:58:52,547 Stage-1 map = 100%,  reduce = 100%, Cumulative CPU 4.51 sec
    MapReduce Total cumulative CPU time: 4 seconds 510 msec
    Ended Job = job_1586976916277_0002
    MapReduce Jobs Launched:
    Stage-Stage-1: Map: 1  Reduce: 1   Cumulative CPU: 4.51 sec   HDFS Read: 6381 HDFS Write: 2 SUCCESS
    Total MapReduce CPU Time Spent: 4 seconds 510 msec
    OK
    6
    Time taken: 30.518 seconds, Fetched: 1 row(s)
    hive>

至此，hive的kerberos认证配置完成！

[format_png]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWM0LnpoaW1nLmNvbS84MC92Mi1mMTIwZTRmZWRlZTgzNDEyNWZiMjEyYzVhYjhkNzMzM183MjB3LmpwZw?x-oss-process=image/format,png
[format_png 1]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWMxLnpoaW1nLmNvbS84MC92Mi0xOGIzODQyN2UyYWY5Mzk1ZTU0NDRlYTE5YzNhNTBiNF83MjB3LmpwZw?x-oss-process=image/format,png
[format_png 2]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWMzLnpoaW1nLmNvbS84MC92Mi03NzIyMWQ4MTZkOGUxNDRkMmI5YjZlNTkyYWZmNzQ0ZV83MjB3LmpwZw?x-oss-process=image/format,png
[http_hadoop01_50070]: https://link.zhihu.com/?target=http%3A//hadoop01%3A50070/
[format_png 3]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWM0LnpoaW1nLmNvbS84MC92Mi1mN2M2NmQ2NDE1NzJjNWM4ZjZhMTI2OTcwOTlkMDE5N183MjB3LmpwZw?x-oss-process=image/format,png
[format_png 4]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWM0LnpoaW1nLmNvbS84MC92Mi02MGE4MzFiOThlYTM2MjhiZmY1MWNkY2JiMTVjNzYyYl83MjB3LmpwZw?x-oss-process=image/format,png
[http_hadoop01_8088]: https://link.zhihu.com/?target=http%3A//hadoop01%3A8088/
[format_png 5]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWMxLnpoaW1nLmNvbS84MC92Mi0wMDlhOWVhODk3ZTNmYTk2YzU4NTZlZWQ3ZTM4NGIyOF83MjB3LmpwZw?x-oss-process=image/format,png
[format_png 6]: https://imgconvert.csdnimg.cn/aHR0cHM6Ly9waWMzLnpoaW1nLmNvbS84MC92Mi1iZGI1NmFiYjg2OWFkODUzMTg4MTliNTZhNWE3NWRjMl83MjB3LmpwZw?x-oss-process=image/format,png