Hadoop에 Kerberos를 붙이기 위해 keytab 파일을 만드는데,
kadmin shell에서 아래와 같은 명령어로 hdfs, HTTP 2개의 principal을 merge하여 keytab 파일을 만듬.
kadmin: xst -norandkey -k hdfs.keytab hdfs/myhost.com@MYREALM.COM HTTP/myhost.com@MYREALM.COM
근데 Kerberos의 버전에 따라 아래처럼 -norandkey 옵션이 없는 경우가 있음.
kadmin: xst
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]
이럴 땐 keytab을 각 principal 별로 따로 만들어 놓고 ktutil 을 이용해 merge 하면 됨.
// kadmin
[root@myhost]# kadmin
// hdfs keytab 생성
kadmin: xst -k hdfs-unmerged.keytab hdfs/myhost.com@MYREALM.COM
// HTTP keytab 생성
kadmin: xst -k HTTP.keytab HTTP/myhost.com@MYREALM.COM
kadmin: quit
[root@myhost]# ktutil
// ktutil
ktutil: rkt hdfs-unmerged.keytab
ktutil: rkt HTTP.keytab
ktutil: wkt hdfs.keytab
ktutil: quit
// 확인
[root@myhost]# klist -e -k -t hdfs.keytab
Keytab name: FILE:hdfs.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 04/20/15 09:38:00 hfds/myhost.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 04/20/15 09:38:00 hfds/myhost.com@MYREALM.COM (Triple DES cbc mode with HMAC/sha1)
3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (ArcFour with HMAC/md5)
3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (DES with HMAC/sha1)
3 04/20/15 09:38:00 hdfs/myhost.com@MYREALM.COM (DES cbc mode with RSA-MD5)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (Triple DES cbc mode with HMAC/sha1)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (ArcFour with HMAC/md5)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (DES with HMAC/sha1)
3 04/20/15 09:38:00 HTTP/myhost.com@MYREALM.COM (DES cbc mode with RSA-MD5)
[root@myhost]# kinit -k -t hdfs.keytab hdfs/myhost.com@MYREALM.COM
[root@myhost]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/myhost.com@MYREALM.COM
Valid starting Expires Service principal
04/20/15 09:42:22 04/21/15 09:42:15 krbtgt/MYREALM.COM@MYREALM.COM
이제 merge가 완료된 hdfs.keytab 파일을 dfs.namenode.keytab.file 이나 dfs.datanode.keytab.file 에 지정해서 사용하면 됨.
'Hadoop' 카테고리의 다른 글
| [Hadoop] jsvc를 이용한 secure datanode 적용시 short circuit local read 사용불가 (0) | 2015.04.27 |
|---|---|
| [Hadoop] Zookeeper - Kerberos 보안설정 (0) | 2015.04.20 |
| [Hadoop] Kerberos 인증시 Receive Timed out으로 Login Failure 에러가 날 경우 (0) | 2015.04.20 |
| [Hadoop] HDFS Federation + NameNodeHA (2) | 2015.04.14 |
| [Hadoop] 1.0.0 -> 2.6.0 업그레이드 (0) | 2015.04.08 |
