1. Install ZK; configure and start multiple instances on a single machine
· Create the data directory and the datalog directory
mkdir data
cd data/
mkdir slave1
mkdir slave2
mkdir slave3
cd ..
mkdir datalog
cd datalog/
mkdir slave1
mkdir slave2
mkdir slave3
· Configure zoo.cfg: copy the config file to produce three config files, zoo-slave1.cfg (plus zoo-slave2.cfg and zoo-slave3.cfg). Every instance must carry the same three server.N lines, otherwise the quorum cannot form.
· zoo-slave1.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/opt/zookeeper-3.4.8/data/slave1
clientPort=2181
dataLogDir=/opt/zookeeper-3.4.8/datalog/slave1
server.1=mj1:2889:3889
server.2=mj1:2890:3890
server.3=mj1:2891:3891
zoo-slave2.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/opt/zookeeper-3.4.8/data/slave2
clientPort=2182
dataLogDir=/opt/zookeeper-3.4.8/datalog/slave2
server.1=mj1:2889:3889
server.2=mj1:2890:3890
server.3=mj1:2891:3891
zoo-slave3.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/opt/zookeeper-3.4.8/data/slave3
clientPort=2183
dataLogDir=/opt/zookeeper-3.4.8/datalog/slave3
server.1=mj1:2889:3889
server.2=mj1:2890:3890
server.3=mj1:2891:3891
· How does an instance know which one it is? There has to be an id file, and its name must be myid (the number in it must match that instance's server.N line)
[root@gateway data]# echo "1" > slave1/myid
[root@gateway data]# echo "2" > slave2/myid
[root@gateway data]# echo "3" > slave3/myid
· Start
bin/zkServer.sh start zoo-slave1.cfg
bin/zkServer.sh start zoo-slave2.cfg
bin/zkServer.sh start zoo-slave3.cfg
bin/zkServer.sh status zoo-slave1.cfg
bin/zkCli.sh
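The whole procedure above (data and datalog directories, the three config files, the myid files, identical server.N lists) as one added example that is not part of the original notes: a Python helper that writes the layout under a directory of your choice and then checks the invariants a single-host quorum needs (every file lists the same members, each myid points at an existing server.N line, client, peer and election ports do not collide). It generalizes to any number of instances. The host name mj1, the file layout and the port numbers are taken from the notes; the function names, the scratch directory and the checking rules are assumptions.

```python
import re
import tempfile
from pathlib import Path

HOST = "mj1"  # host name used in the notes; every instance lives on it


def ensemble_members(n, first_peer=2889, first_election=3889):
    """server.N -> (host, peer port, election port); ports as in the notes."""
    return {i: (HOST, first_peer + i - 1, first_election + i - 1)
            for i in range(1, n + 1)}


def write_ensemble(root, n=3, first_client_port=2181):
    """Create data/slaveN, datalog/slaveN, myid and zoo-slaveN.cfg under root."""
    root = Path(root)
    members = ensemble_members(n)
    server_lines = [f"server.{j}={h}:{p}:{e}" for j, (h, p, e) in members.items()]
    written = []
    for i in range(1, n + 1):
        data = root / "data" / f"slave{i}"
        datalog = root / "datalog" / f"slave{i}"
        data.mkdir(parents=True, exist_ok=True)
        datalog.mkdir(parents=True, exist_ok=True)
        # myid is the only thing that tells instance i which server.N it is
        (data / "myid").write_text(f"{i}\n")
        lines = [
            "tickTime=2000",
            "initLimit=10",
            "syncLimit=5",
            f"dataDir={data}",
            f"clientPort={first_client_port + i - 1}",
            f"dataLogDir={datalog}",
        ] + server_lines  # identical, complete member list in every file
        cfg = root / f"zoo-slave{i}.cfg"
        cfg.write_text("\n".join(lines) + "\n")
        written.append(cfg)
    return written


def parse_cfg(path):
    """Minimal key=value parser for zoo.cfg-style files."""
    props = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def check_ensemble(cfg_paths):
    """Return a list of problems; empty means the quorum config is consistent."""
    problems = []
    server_lists, client_ports = [], []
    for path in map(Path, cfg_paths):
        props = parse_cfg(path)
        servers = {k: v for k, v in props.items() if re.fullmatch(r"server\.\d+", k)}
        server_lists.append(servers)
        client_ports.append(props.get("clientPort"))
        myid_file = Path(props["dataDir"]) / "myid"
        if not myid_file.is_file():
            problems.append(f"{path.name}: missing {myid_file}")
            continue
        myid = myid_file.read_text().strip()
        if f"server.{myid}" not in servers:
            problems.append(f"{path.name}: myid {myid} has no server.{myid} entry")
    if any(s != server_lists[0] for s in server_lists[1:]):
        problems.append("server.N lists differ between config files")
    if len(set(client_ports)) != len(client_ports):
        problems.append("duplicate clientPort on the same host")
    # peer and election ports must also be distinct when everything shares one host
    peer_ports = [p for v in server_lists[0].values() for p in v.split(":")[1:]]
    if len(set(peer_ports)) != len(peer_ports):
        problems.append("duplicate peer/election port on the same host")
    return problems


def demo():
    """Build a good ensemble, then drop server.3 from one copied file (the
    classic copy-and-forget mistake) and show the checker catching it."""
    root = Path(tempfile.mkdtemp())  # scratch directory, assumption for the example
    cfgs = write_ensemble(root)
    good = check_ensemble(cfgs)
    text = cfgs[0].read_text().replace(f"server.3={HOST}:2891:3891\n", "")
    cfgs[0].write_text(text)
    broken = check_ensemble(cfgs)
    return good, broken


if __name__ == "__main__":
    print(demo())
```

Run it once after editing the configs by hand; a non-empty list from check_ensemble is the reason a freshly started instance sits in "looking" state or zkServer.sh status reports no quorum.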
2. ZK + Kerberos
· KDC:
kadmin.local: addprinc -randkey zookeeper/mj1@BDSM.CMCC
kadmin.local: addprinc -randkey zkcli@BDSM.CMCC
kadmin.local: xst -k zookeeper.keytab zookeeper/mj1@BDSM.CMCC
kadmin.local: xst -norandkey -k zkcli.keytab zkcli@BDSM.CMCC
· zoo-slave1.cfg, zoo-slave2.cfg, zoo-slave3.cfg:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
· /opt/zookeeper-3.4.8/conf/jaas.conf (the principal in each section must match a principal in the referenced keytab exactly, realm included; the keytabs above were exported in BDSM.CMCC, so YOUR.DOMAIN_NAME stands for that realm)
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/zookeeper-3.4.8/conf/zookeeper.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/mj1@YOUR.DOMAIN_NAME";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/zookeeper-3.4.8/conf/zkcli.keytab"
storeKey=true
useTicketCache=false
principal="zkcli@YOUR.DOMAIN_NAME";
};
· /opt/zookeeper-3.4.8/conf/java.env
export JVMFLAGS="-Djava.security.auth.login.config=/opt/zookeeper-3.4.8/conf/jaas.conf"
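A check for the jaas.conf step, added here as an example and not part of the original notes or of ZooKeeper's own code: a small parser for the JAAS syntax used above (module class and control flag, then option=value pairs) and a validator that flags the mistakes that make the SASL login fail silently at startup, namely a missing keytab file, useKeyTab left off, or a principal whose realm differs from the realm the keytab was exported in. The jaas.conf content and the realm BDSM.CMCC come from the notes; the function names, the placeholder keytab file and the checking rules are assumptions.

```python
import re
import tempfile
from pathlib import Path

# jaas.conf as in the notes (constructed copy for this example)
JAAS_TEXT = """Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/zookeeper-3.4.8/conf/zookeeper.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/mj1@YOUR.DOMAIN_NAME";
};
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/zookeeper-3.4.8/conf/zkcli.keytab"
storeKey=true
useTicketCache=false
principal="zkcli@YOUR.DOMAIN_NAME";
};
"""

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
PRINCIPAL_RE = re.compile(r"([^/@]+)(?:/([^@]+))?@([\w.\-]+)")


def parse_jaas(text):
    """Return {section: {"module": cls, "flag": ctrl, option: value, ...}}.
    Handles the shape used in the notes: module class and control flag first,
    then option=value pairs (quoted values without embedded spaces)."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.replace(";", " ").split()
        if len(tokens) < 2:
            raise ValueError(f"section {name}: missing module class or control flag")
        sec = {"module": tokens[0], "flag": tokens[1]}
        for tok in tokens[2:]:
            key, _, value = tok.partition("=")
            sec[key] = value.strip('"')
        sections[name] = sec
    return sections


def check_section(sec, expected_realm):
    """Problems that would make the Kerberos login in this section fail."""
    problems = []
    if sec["module"] != KRB5_MODULE:
        problems.append(f"module is {sec['module']}, not {KRB5_MODULE}")
    if sec["flag"] != "required":
        problems.append(f"control flag is {sec['flag']}, not required")
    if sec.get("useKeyTab") != "true":
        problems.append("useKeyTab is not true; a daemon cannot kinit interactively")
    principal = sec.get("principal", "")
    m = PRINCIPAL_RE.fullmatch(principal)
    if not m:
        problems.append(f"principal {principal!r} is not primary[/instance]@REALM")
    elif m.group(3) != expected_realm:
        problems.append(f"realm {m.group(3)} does not match keytab realm {expected_realm}")
    keytab = sec.get("keyTab", "")
    if not Path(keytab).is_file():
        problems.append(f"keytab {keytab!r} not found")
    return problems


def demo():
    """Check the notes' Server section against the realm the keytab was
    exported in (BDSM.CMCC), before and after replacing the placeholder realm."""
    tmp = Path(tempfile.mkdtemp())
    keytab = tmp / "zookeeper.keytab"
    keytab.write_bytes(b"")  # constructed placeholder so the file check passes offline
    text = JAAS_TEXT.replace("/opt/zookeeper-3.4.8/conf/zookeeper.keytab", str(keytab))
    before = check_section(parse_jaas(text)["Server"], "BDSM.CMCC")
    fixed = text.replace("zookeeper/mj1@YOUR.DOMAIN_NAME", "zookeeper/mj1@BDSM.CMCC")
    after = check_section(parse_jaas(fixed)["Server"], "BDSM.CMCC")
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host, run check_section on both the Server section of ZooKeeper's jaas.conf and the Client section of HBase's, passing the realm shown by klist -kt for the keytab in question; the same parser works for any file handed to -Djava.security.auth.login.config.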
3. HBASE
· hbase-site.xml:
<configuration>
<property>
<name>hbase.rootdir</name>
<value>hdfs://mj1:9000/hbase</value>
</property>
<property>
<name>hbase.cluster.distributed</name>
<value>true</value>
</property>
<property>
<name>hbase.tmp.dir</name>
<value>/opt/hbase-1.2.1/tmp</value>
</property>
<property>
<name>hbase.zookeeper.quorum</name>
<value>mj1</value>
</property>
<property>
<name>hbase.zookeeper.property.clientPort</name>
<value>2181</value>
</property>
<property>
<name>hbase.zookeeper.property.dataDir</name>
<!--<value>/opt/hbase-1.2.1/zookeeper</value>-->
<value>/opt/zookeeper-3.4.6</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<!--<property>
<name>hbase.coprocessor.master.classes</name>
<value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>
<property>
<name>hbase.coprocessor.region.classes</name>
<value>org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor</value>
</property>-->
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>hbase/mj1@YOUR.DOMAIN_NAME</value>
</property>
<property>
<name>hbase.regionserver.keytab.file</name>
<value>/opt/hbase-1.2.1/conf/hbase.keytab</value>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>hbase/mj1@YOUR.DOMAIN_NAME</value>
</property>
<property>
<name>hbase.master.keytab.file</name>
<value>/opt/hbase-1.2.1/conf/hbase.keytab</value>
</property>
</configuration>
· Create jaas.conf in the hbase conf directory; its content is the same as the ZK configuration
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/opt/zookeeper-3.4.8/conf/zkcli.keytab"
storeKey=true
useTicketCache=false
principal="zkcli@YOUR.DOMAIN_NAME";
};
· Add to hbase-env.sh
export HBASE_OPTS="$HBASE_OPTS -Djava.security.auth.login.config=/opt/hbase-1.2.1/conf/jaas.conf"
export HBASE_MANAGES_ZK=false
· Add the following two lines to zoo.cfg
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
· Restart ZK and HBase
To log in to the remote HBase from a client, the following configuration must also be changed:
/opt/hadoop-2.7.2/etc/hadoop/core-site.xml:
Add the following configuration:
<property>
<name>hadoop.proxyuser.hbase.hosts</name>
<value>*</value>
</property>
<property>
<name>hadoop.proxyuser.hbase.groups</name>
<value>*</value>
</property>
Here, the hbase in the property name is the Kerberos principal the client uses when logging in to the remote HBase.
The configuration file needed on the client side is as follows:
<configuration>
<property>
<name>hbase.zookeeper.quorum</name>
<value>mj1</value>
</property>
<property>
<name>hbase.zookeeper.property.clientPort</name>
<value>2181</value>
</property>
<property>
<name>hbase.security.authorization</name>
<value>true</value>
</property>
<property>
<name>hbase.security.authentication</name>
<value>kerberos</value>
</property>
<!--<property>
<name>hbase.zookeeper.client.kerberos.principal</name>
<value>client/mj1@YOUR.DOMAIN_NAME</value>
</property>
<property>
<name>hbase.zookeeper.client.keytab.file</name>
<value>/opt/hbase-1.2.1/back_conf/client.keytab</value>
</property>-->
<property>
<name>hbase.regionserver.kerberos.principal</name>
<value>hbase/mj1@YOUR.DOMAIN_NAME</value>
</property>
<property>
<name>hbase.master.kerberos.principal</name>
<value>hbase/mj1@YOUR.DOMAIN_NAME</value>
</property>
</configuration>
On the client, run kinit -kt hbase.keytab hbase/mj1@YOUR.DOMAIN_NAME so that the client connects to ZooKeeper as the hbase user and talks to the master and the region servers as the hbase user.
Collected configuration errors:
org.apache.hadoop.ipc.RemoteException: User: root is not allowed to impersonate root;
Fix: add the configuration items to Hadoop's core-site.xml as described above.
Note: after Kerberos is enabled for HBase, if you log in to HBase as zkcli@YOUR.DOMAIN_NAME, the znodes created under the /hbase directory on ZooKeeper get the following ACL:
'world,'anyone
: r
'sasl,'zkcli
: cdrwa
So if you keep creating nodes under /hbase, accessing those nodes afterwards fails with the error: Authentication is not valid
If you create the node from the zkCli command line, use the following command: create /znode1 sasl:zkcli@YOUR.DOMAIN_NAME
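To make the ACL problem above concrete, an added example that is not part of the original notes or of ZooKeeper's own code: it parses the getAcl output shown above into (scheme, id, permissions) entries and computes the permissions a session holds given its authenticated ids, following ZooKeeper's rules for the world and sasl schemes. With kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal set, a SASL id is the bare primary (zkcli, hbase), which is why the ACL above reads 'sasl,'zkcli. The ACL text comes from the notes; the hbase identity used for the check, the function names and the corrected ACL are assumptions.

```python
import re

PERMS = "cdrwa"  # create, delete, read, write, admin

# getAcl output as shown in the notes (constructed copy for this example)
ACL_TEXT = """'world,'anyone
: r
'sasl,'zkcli
: cdrwa
"""


def parse_getacl(text):
    """Turn zkCli getAcl output into [(scheme, id, set_of_perms), ...]."""
    entries = []
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    for who, perm in zip(lines[0::2], lines[1::2]):
        m = re.fullmatch(r"'([^,]+),'(.*)", who)
        if not m or not perm.startswith(":"):
            raise ValueError(f"unexpected getAcl lines: {who!r} / {perm!r}")
        perms = set(perm[1:].strip())
        if not perms <= set(PERMS):
            raise ValueError(f"unknown permission in {perm!r}")
        entries.append((m.group(1), m.group(2), perms))
    return entries


def effective_perms(acl, auth_ids):
    """Union of permissions granted to any of the session's (scheme, id) pairs.
    world:anyone matches every session; sasl ids must match exactly."""
    granted = set()
    for scheme, ident, perms in acl:
        if scheme == "world" and ident == "anyone":
            granted |= perms
        elif (scheme, ident) in auth_ids:
            granted |= perms
    return granted


def can(acl, auth_ids, op):
    """True if the session may perform op ('c', 'd', 'r', 'w' or 'a') on the node."""
    return op in effective_perms(acl, auth_ids)


def strip_principal(principal):
    """The sasl id ZooKeeper derives from a Kerberos principal when both
    removeHostFromPrincipal and removeRealmFromPrincipal are true."""
    return re.split(r"[/@]", principal, maxsplit=1)[0]


def demo():
    """Creating a child needs 'c' on the parent. A session authenticated as the
    hbase principal only gets world's 'r' on a node zkcli created, so the
    create is refused; an ACL that also names sasl:hbase lets it through."""
    acl = parse_getacl(ACL_TEXT)
    hbase = {("sasl", strip_principal("hbase/mj1@YOUR.DOMAIN_NAME"))}
    before = can(acl, hbase, "c")
    fixed = acl + [("sasl", "hbase", set(PERMS))]  # assumed remedy for the example
    after = can(fixed, hbase, "c")
    return before, after


if __name__ == "__main__":
    print(demo())
```

The practical reading: every identity that will later create or delete children under /hbase (the hbase principal the services log in with, plus any administrative principal) must appear in the ACL of the parent node, not just the identity that happened to create it; world:anyone with r alone is what produces the error above.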