Configuring Kerberos authentication for YARN
2016-09-05 16:39
1. Environment

OS: CentOS 6.6
Hadoop: CDH 5.5
JDK: 1.7.0_67

YARN roles planned for the cluster nodes:

| IP | Host | Roles |
| --- | --- | --- |
| 172.16.57.74 | bd-ops-test-74 | ResourceManager, NodeManager |
| 172.16.57.75 | bd-ops-test-75 | ResourceManager, NodeManager |
| 172.16.57.76 | bd-ops-test-76 | NodeManager, JobHistoryServer, yarn-proxyserver |
| 172.16.57.77 | bd-ops-test-77 | NodeManager |
2. Generate the keytabs

On node 74, which is the KDC server, run:

```bash
cd /var/kerberos/krb5kdc/
kadmin.local -q "addprinc -randkey yarn/bd-ops-test-74@BIGDATA.COM"
kadmin.local -q "addprinc -randkey yarn/bd-ops-test-75@BIGDATA.COM"
kadmin.local -q "addprinc -randkey yarn/bd-ops-test-76@BIGDATA.COM"
kadmin.local -q "addprinc -randkey yarn/bd-ops-test-77@BIGDATA.COM"
kadmin.local -q "addprinc -randkey mapred/bd-ops-test-74@BIGDATA.COM"
kadmin.local -q "addprinc -randkey mapred/bd-ops-test-75@BIGDATA.COM"
kadmin.local -q "addprinc -randkey mapred/bd-ops-test-76@BIGDATA.COM"
kadmin.local -q "addprinc -randkey mapred/bd-ops-test-77@BIGDATA.COM"
kadmin.local -q "xst -k yarn.keytab yarn/bd-ops-test-74@BIGDATA.COM"
kadmin.local -q "xst -k yarn.keytab yarn/bd-ops-test-75@BIGDATA.COM"
kadmin.local -q "xst -k yarn.keytab yarn/bd-ops-test-76@BIGDATA.COM"
kadmin.local -q "xst -k yarn.keytab yarn/bd-ops-test-77@BIGDATA.COM"
kadmin.local -q "xst -k mapred.keytab mapred/bd-ops-test-74@BIGDATA.COM"
kadmin.local -q "xst -k mapred.keytab mapred/bd-ops-test-75@BIGDATA.COM"
kadmin.local -q "xst -k mapred.keytab mapred/bd-ops-test-76@BIGDATA.COM"
kadmin.local -q "xst -k mapred.keytab mapred/bd-ops-test-77@BIGDATA.COM"
```

Copy yarn.keytab and mapred.keytab to the /etc/hadoop/conf directory of the other nodes:

```bash
scp yarn.keytab mapred.keytab bd-ops-test-xx:/etc/hadoop/conf
```

and set their permissions on every node:

```bash
# cd /etc/hadoop/conf/; chown yarn:hadoop yarn.keytab; chown mapred:hadoop mapred.keytab; chmod 400 *.keytab
```

A keytab is effectively a permanent credential: whoever holds it authenticates without a password (it only stops working when the principal's key is changed in the KDC). Any other user with read access to the file can therefore impersonate the principals it contains against Hadoop, so a keytab must be readable by its owner only (mode 0400).
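The per-host commands above scale badly once there are more than a handful of nodes, and nothing in them proves the export actually worked. The script below is an added example, not part of the original page: it builds the same addprinc/xst queries for a host list, feeds them to kadmin.local, and then checks with klist that every expected principal is present in each keytab. The realm BIGDATA.COM, the four host names and the output directory /var/kerberos/krb5kdc are assumptions taken from this page; it must run as root on the KDC host.

```bash
#!/bin/bash
# Added example, not part of the original page: generate the yarn/ and mapred/
# principals and keytabs for every node in one loop, then prove each keytab holds
# the principals it should. Assumptions: realm BIGDATA.COM, the four hosts below,
# and that this runs as root on the KDC host (kadmin.local needs the KDC database).
set -eu

REALM="${REALM:-BIGDATA.COM}"
HOSTS="bd-ops-test-74 bd-ops-test-75 bd-ops-test-76 bd-ops-test-77"
OUTDIR="${OUTDIR:-/var/kerberos/krb5kdc}"

# kadmin_queries SERVICE HOST... -> one kadmin query per line: an addprinc per
# host, then an xst per host into OUTDIR/SERVICE.keytab. -norandkey (accepted by
# kadmin.local) keeps the key just created by -randkey, so re-running the export
# does not silently invalidate a keytab that was already copied to other nodes.
kadmin_queries() {
    svc="$1"; shift
    for h in "$@"; do
        echo "addprinc -randkey ${svc}/${h}@${REALM}"
    done
    for h in "$@"; do
        echo "xst -norandkey -k ${OUTDIR}/${svc}.keytab ${svc}/${h}@${REALM}"
    done
}

# run_kadmin SERVICE HOST... -> feed each query to kadmin.local, one -q per query
run_kadmin() {
    kadmin_queries "$@" | while IFS= read -r q; do
        kadmin.local -q "$q" </dev/null
    done
}

# verify_keytab SERVICE HOST... -> 0 only if klist -kt lists every expected principal
verify_keytab() {
    svc="$1"; shift
    for h in "$@"; do
        if ! klist -kt "${OUTDIR}/${svc}.keytab" | grep -q "${svc}/${h}@${REALM}"; then
            echo "missing ${svc}/${h}@${REALM} in ${svc}.keytab" >&2
            return 1
        fi
    done
}

# Only touch the KDC when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    for svc in yarn mapred; do
        run_kadmin "$svc" $HOSTS
        verify_keytab "$svc" $HOSTS
        # the freshly written keytab is a credential: lock it down before scp
        chmod 400 "${OUTDIR}/${svc}.keytab"
    done
fi
```

Run it as `./make-yarn-keytabs.sh --run`; the klist check fails fast if a host name in HOSTS does not match what addprinc created, which is exactly the case that otherwise surfaces later as a "Login failure" in the NodeManager log.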
3. Modify the YARN configuration files

Add the following to yarn-site.xml:

```xml
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/etc/hadoop/conf/yarn.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>yarn/_HOST@BIGDATA.COM</value>
</property>
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/etc/hadoop/conf/yarn.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>yarn/_HOST@BIGDATA.COM</value>
</property>
<property>
  <name>yarn.nodemanager.container-executor.class</name>
  <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<property>
  <name>yarn.nodemanager.linux-container-executor.group</name>
  <value>yarn</value>
</property>
<property>
  <name>yarn.web-proxy.keytab</name>
  <value>/etc/hadoop/conf/yarn.keytab</value>
</property>
<property>
  <name>yarn.web-proxy.principal</name>
  <value>yarn/_HOST@BIGDATA.COM</value>
</property>
```

`_HOST` is replaced at runtime with the node's fully qualified hostname, so each node's hostname must match the host part of the principal exported for it in step 2.

Add the following to mapred-site.xml:

```xml
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/etc/hadoop/conf/mapred.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>mapred/_HOST@BIGDATA.COM</value>
</property>
```

Create the file container-executor.cfg in /etc/hadoop/conf with the following content:

```
#configured value of yarn.nodemanager.linux-container-executor.group
yarn.nodemanager.linux-container-executor.group=yarn
#comma separated list of users who can not run applications
banned.users=bin
#Prevent other super-users (regular accounts on CentOS 6 start at uid 500; 0 would disable this check)
min.user.id=500
#comma separated list of system users who CAN run applications
allowed.system.users=root,nobody,impala,hive,hdfs,yarn
```

Set the file's permissions:

```bash
# chown root:yarn container-executor.cfg
# chmod 400 container-executor.cfg
# ll container-executor.cfg
-r-------- 1 root yarn 354 11-05 14:14 container-executor.cfg
```
Notes:

- container-executor.cfg must have mode 400 and be owned by root:yarn.
- yarn.nodemanager.linux-container-executor.group must be set, with the same value, in both yarn-site.xml and container-executor.cfg, and the value must be a group that the user running the NodeManager belongs to (yarn here).
- banned.users must not be empty; the default is hdfs,yarn,mapred,bin.
- min.user.id defaults to 1000. On some CentOS systems regular accounts start at uid 500, so the value has to be lowered to 500; do not set it to 0, which lets every uid through and leaves banned.users as the only filter.
- Make sure the directories in yarn.nodemanager.local-dirs and yarn.nodemanager.log-dirs have mode 755.

Set the permissions of /usr/lib/hadoop-yarn/bin/container-executor to 6050 (setuid root, setgid yarn, executable only by the yarn group):

```bash
# chown root:yarn /usr/lib/hadoop-yarn/bin/container-executor
# chmod 6050 /usr/lib/hadoop-yarn/bin/container-executor
# ll /usr/lib/hadoop-yarn/bin/container-executor
---Sr-s--- 1 root yarn 333 11-04 19:11 container-executor
```

Test that the setup is correct:

```bash
# /usr/lib/hadoop-yarn/bin/container-executor --checksetup
```

If it reports an error, check the NodeManager log and look the code up in "YARN ONLY: Container-executor Error Codes" for the corresponding explanation.

For a detailed description of LinuxContainerExecutor, see http://hadoop.apache.org/docs/r2.5.0/hadoop-project-dist/hadoop-common/SecureMode.html#LinuxContainerExecutor.

Remember to sync the modified files to the other nodes and check the permissions again on each of them:

```bash
# cd /etc/hadoop/conf/
# scp yarn-site.xml mapred-site.xml container-executor.cfg bd-ops-test-xx:/etc/hadoop/conf/
# cd /etc/hadoop/conf/; chown root:yarn container-executor.cfg; chmod 400 container-executor.cfg
```
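Checking all of this by eye on every node is where mistakes slip in (a keytab left 644 after scp, a group name that matches in yarn-site.xml but not in container-executor.cfg). The script below is an added example, not part of the original page or of CDH: run on one node it verifies the ownership and mode of the keytabs, of container-executor.cfg and of the container-executor binary, checks that the cfg values are consistent with yarn-site.xml and sane, and checks the local/log directories for mode 755. It assumes Linux (GNU stat), the paths used on this page, and the one-property-per-block layout of yarn-site.xml; HADOOP_CONF_DIR and CE_BIN can be overridden in the environment.

```bash
#!/bin/bash
# Added example (not from the original page): audit one node's secure-YARN files
# after syncing them, so "check the permissions again" becomes a single command.
# Assumes Linux (GNU stat) and the paths from this page.
CONF="${HADOOP_CONF_DIR:-/etc/hadoop/conf}"
CE_BIN="${CE_BIN:-/usr/lib/hadoop-yarn/bin/container-executor}"

# check_perm PATH OWNER GROUP MODE -> 0 if owner, group and octal mode all match
check_perm() {
    actual=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || { echo "FAIL $1: not found"; return 1; }
    if [ "$actual" = "$2:$3 $4" ]; then
        echo "ok   $1 ($actual)"
    else
        echo "FAIL $1: have $actual, want $2:$3 $4"
        return 1
    fi
}

# xml_value FILE NAME -> the <value> that follows <name>NAME</name>
# (enough for the <property><name/><value/></property> layout of *-site.xml)
xml_value() {
    tr -d '\n' < "$1" | sed -n "s:.*<name>$2</name>[^<]*<value>\([^<]*\)</value>.*:\1:p"
}

# cfg_value FILE KEY -> value of "KEY=value"; comment lines start with # and never match
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_cfg YARN_SITE_XML CONTAINER_EXECUTOR_CFG -> 0 if the settings the
# LinuxContainerExecutor insists on are consistent between the two files and sane
check_cfg() {
    rc=0
    g_site=$(xml_value "$1" yarn.nodemanager.linux-container-executor.group)
    g_cfg=$(cfg_value "$2" yarn.nodemanager.linux-container-executor.group)
    if [ -z "$g_cfg" ] || [ "$g_site" != "$g_cfg" ]; then
        echo "FAIL linux-container-executor.group: yarn-site='$g_site' cfg='$g_cfg'"; rc=1
    fi
    [ -n "$(cfg_value "$2" banned.users)" ] || { echo "FAIL banned.users must not be empty"; rc=1; }
    min_uid=$(cfg_value "$2" min.user.id)
    case "$min_uid" in
        ''|*[!0-9]*) echo "FAIL min.user.id='$min_uid' is not a number"; rc=1 ;;
        # 0 lets every uid through, leaving banned.users as the only filter
        *) if [ "$min_uid" -lt 500 ]; then
               echo "FAIL min.user.id=$min_uid (want 500 on CentOS 6, 1000 elsewhere)"; rc=1
           fi ;;
    esac
    return $rc
}

# audit_node -> runs every check from this section against the live paths
audit_node() {
    rc=0
    check_perm "$CONF/yarn.keytab"            yarn   hadoop 400  || rc=1
    check_perm "$CONF/mapred.keytab"          mapred hadoop 400  || rc=1
    check_perm "$CONF/container-executor.cfg" root   yarn   400  || rc=1
    check_perm "$CE_BIN"                      root   yarn   6050 || rc=1
    check_cfg "$CONF/yarn-site.xml" "$CONF/container-executor.cfg" || rc=1
    dirs=$( { xml_value "$CONF/yarn-site.xml" yarn.nodemanager.local-dirs
              xml_value "$CONF/yarn-site.xml" yarn.nodemanager.log-dirs; } | tr ',' ' ' | sed 's#file://##g')
    for d in $dirs; do
        [ "$(stat -c '%a' "$d" 2>/dev/null)" = "755" ] || { echo "FAIL $d: want mode 755"; rc=1; }
    done
    return $rc
}

# Run the audit only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_node
fi
```

Run it as `./audit-secure-yarn.sh --run` on each node after the scp; a non-zero exit means at least one FAIL line was printed. The cfg check is deliberately stricter than the page's own value for min.user.id: it refuses 0 because that setting removes the uid floor that stops system accounts from launching containers.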
4. Start the services

Start the ResourceManager

The ResourceManager runs as the yarn user, so on nodes 74 and 75 obtain a ticket for the yarn principal first and then start the service (the daemon itself logs in from its keytab, as the log line below shows; the kinit gives your shell a ticket for the yarn commands you run afterwards):

```bash
$ kinit -k -t /etc/hadoop/conf/yarn.keytab yarn/bd-ops-test-xx@BIGDATA.COM
# service hadoop-yarn-resourcemanager start
```

Then check the log to confirm it started:

```
2016-09-05 13:40:11,190 INFO org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger: USER=yarn OPERATION=transitionToActive TARGET=RMHAProtocolService RESULT=SUCCESS
```

Start the NodeManagers

The NodeManager also runs as the yarn user, so on every node obtain a ticket for the yarn principal first and then start the service:

```bash
kinit -k -t /etc/hadoop/conf/yarn.keytab yarn/bd-ops-test-xx@BIGDATA.COM; service hadoop-yarn-nodemanager start
```

Look for the success message in the log:

```
2016-09-05 13:50:37,869 INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user yarn/bd-ops-test-76@BIGDATA.COM using keytab file /etc/hadoop/conf/yarn.keytab
```

Start the MapReduce Job History Server

The JobHistoryServer runs as the mapred user, so on node 76 obtain a ticket for the mapred principal of that host first and then start the service:

```bash
$ kinit -k -t /etc/hadoop/conf/mapred.keytab mapred/bd-ops-test-76@BIGDATA.COM
# service hadoop-mapreduce-historyserver start
```

Look for the success message in the log:

```
16/09/05 13:55:49 INFO security.UserGroupInformation: Login successful for user mapred/bd-ops-test-76@BIGDATA.COM using keytab file /etc/hadoop/conf/mapred.keytab
```

Start the yarn-proxyserver

```bash
# service hadoop-yarn-proxyserver start
```

Look for the success message in the log:

```
2016-09-05 16:28:24,569 INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user yarn/bd-ops-test-76@BIGDATA.COM using keytab file /etc/hadoop/conf/yarn.keytab
```
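Each start above is confirmed by reading a "Login successful for user ..." line out of the daemon log. The script below is an added example, not part of the original page or of CDH: it starts a service and then waits for that exact line for the principal the node is expected to use (service/FQDN@REALM, which is what `_HOST` expands to), so a node whose hostname does not match its keytab entry is caught immediately instead of during the first job. The log file path is passed in because it depends on the installation; the realm BIGDATA.COM and the CDH service names are taken from this page.

```bash
#!/bin/bash
# Added example (not from the original page): start a secure YARN daemon and
# confirm from its own log that it logged in with the expected Kerberos principal.
# Assumptions: realm BIGDATA.COM, keytabs in /etc/hadoop/conf, CDH init scripts.
REALM="${REALM:-BIGDATA.COM}"

# login_ok LOGFILE PRINCIPAL KEYTAB -> 0 if the UserGroupInformation line confirms
# a keytab login for exactly that principal and keytab (matches both log layouts
# seen on this page: the full class name and the abbreviated "security." form)
login_ok() {
    grep -q "UserGroupInformation: Login successful for user $2 using keytab file $3" "$1"
}

# logged_in_principals LOGFILE -> every principal that logged in from a keytab, one per line
logged_in_principals() {
    sed -n 's/.*Login successful for user \([^ ]*\) using keytab file .*/\1/p' "$1" | sort -u
}

# expected_principal SERVICE -> SERVICE/<fqdn>@REALM, i.e. what _HOST expands to on this node
expected_principal() {
    echo "$1/$(hostname -f 2>/dev/null || hostname)@$REALM"
}

# start_and_verify SERVICE_USER INIT_SERVICE LOGFILE -> 0 once the login line appears
start_and_verify() {
    princ=$(expected_principal "$1")
    keytab="/etc/hadoop/conf/$1.keytab"
    service "$2" start || return 1
    # the login line can take a few seconds to be written
    for i in 1 2 3 4 5 6 7 8 9 10; do
        if login_ok "$3" "$princ" "$keytab"; then
            echo "$2: logged in as $princ"
            return 0
        fi
        sleep 2
    done
    echo "$2: no keytab login for $princ in $3; principals seen:" >&2
    logged_in_principals "$3" >&2
    echo "(check the host part of the principal against hostname -f, and the keytab permissions)" >&2
    return 1
}

# Example invocations; run only with --run so the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
    start_and_verify yarn   hadoop-yarn-nodemanager          "${NM_LOG:?set NM_LOG to the NodeManager log file}"
    start_and_verify mapred hadoop-mapreduce-historyserver   "${JHS_LOG:?set JHS_LOG to the JobHistoryServer log file}"
fi
```

When the check fails, the list of principals that did log in is the quickest way to spot the usual cause: a keytab entry for bd-ops-test-75 on a node whose `hostname -f` says bd-ops-test-76.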
5. Test

Run one of the MapReduce examples, as a user that holds a valid Kerberos ticket:

```bash
hadoop jar /usr/lib/hadoop-mapreduce/hadoop-mapreduce-examples.jar pi 10 10000
```

If it completes without errors, the configuration works. The final output was:

```
Job Finished in 45.007 seconds
Estimated value of Pi is 3.14120000000000000000
```