热门标签
热门文章
- 1Python实现多任务
- 2java transactions数组_java里面Transaction transaction = (Transaction)(list.get(i));是什么意思...
- 3OS-鸿蒙系统-以及编译器_鸿蒙系统编译器
- 4纯血鸿蒙(HarmonyOS 3.1/4.0)入门教程 未完待续......
- 5Python+unittest+requests接口自动化测试框架搭建 完整的框架搭建过程_python接口自动化框架
- 6latex学习笔记——tikz画图 激活函数图像_latex画函数图像
- 7oracle中的row_number,oracle中rank() over与row_number()的区别
- 8如何删除github中已经被追踪的文件
- 9Windows10使用命令行打开3389_Winux之路-WSL 2的使用及填坑
- 10【unity知识点】Unity 协程/携程Coroutine_unity携程
当前位置: article > 正文
开源大数据集群部署(十六)Hadoop集群部署(一)
作者:羊村懒王 | 2024-03-19 00:06:48
赞
踩
开源大数据集群部署(十六)Hadoop集群部署(一)
作者:櫰木
按照上文中hadoop集群规划进行安装。
1 HADOOP集群安装
在hd1.dtstack.com主机root权限下安装hadoop集群
- 解压
[root@hd1.dtstack.com software]# tar -zvxf hadoop-3.2.4.tar.gz -C /opt/
[root@hd1.dtstack.com software]# chown -R hdfs:hadoop /opt/hadoop-3.2.4
[root@hd1.dtstack.com software]# ln -s /opt/hadoop-3.2.4 /opt/hadoop
- 1
- 2
- 3
2 HADOOP Kerberos主体
| 服务 | 所在主机 | 主体格式(Principal) | keytab文件 |
|---|---|---|---|
| NameNode | hd1.dtstack.com、hd2.dtstack.com | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs…keytab |
| DataNode | hd3.dtstack.com、hadoop04、hadoop05 | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs…keytab |
| JournalNode | hd1.dtstack.com、hd2.dtstack.com、hd3.dtstack.com | hdfs/_HOST@DTSTACK.COM | /etc/security/keytab/hdfs.keytab |
| Web UI | hd1.dtstack.com、hd2.dtstack.com、hd3.dtstack.com | HTTP/_HOST@DTSTACK.COM | |
| /etc/security/keytab/hdfs.keytab | |||
| JobHistory Server | hd1.dtstack.com、hd2.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn…keytab |
| ResourceManager | hd1.dtstack.com、hd2.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn.service.keytab |
| NodeManager | hd3.dtstack.com | yarn/_HOST@DTSTACK.COM | /etc/security/keytab/yarn…keytab |
说明:
- 创建主体命令见上面kerberos票据创建
- _HOST表示配置文件变量,在实际使用过程会自动替换成主机名,如hd1.dtstack.com
- Keytab文件名每台主机文件名一样,但文件内容不一样,主要区别是主机名
- Keytab文件创建完成后分发到对应主机,且权限修改成600,权限修改命令如下:
chown -R root:hadoop /etc/security/keytab/
chmod 660 /etc/security/keytab/*
- 1
- 2
按照kerberos票据创建进行票据主体创建和keytab文件创建以及分发到对应主机目录上
生成keytab文件
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/hdfs.keytab hdfs
由于页面需要http的principal,给hdfs的keytab添加httpprincipal
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/hdfs.keytab HTTP
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/yarn.keytab yarn
bash /root/bigdata/getkeytabs.sh /etc/security/keytab/yarn.keytab HTTP
- 1
- 2
- 3
- 4
- 5
3、 HDFS使用HTTPS安全传输协议配置
在hd1.dtstack.com主机root权限下执行
- 添加生成脚本
[root@hd1.dtstack.com hadoop]# cd /opt/hadoop/ [root@hd1.dtstack.com hadoop]# cd bin/ && vi on.sh #!/bin/bash path1=/opt/hadoop/bin hosts="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com" echo "===========begine install ca ===========" sh $path1/ca_install.sh echo "===========finish install ca ===========" echo "===========begine install https ===========" for host in $hosts do ssh -t $host "$path1/keystore.sh" done echo "===========finish install https ===========" 添加ca脚本 vi ca_install.sh #! /bin/bash path=/data/kerberos/hdfs_ca #集群中安装https hostnamess="hd1.dtstack.com hd3.dtstack.com hd2.dtstack.com" passwords=abc123 hostname1=`hostname` #ca证书创建,只需要在一个节点上创建 function make_CA(){ hostnames=$hostnamess password=$passwords echo 'make_CA begin ...' cd $path #删除之前可能产生的过期CA证书 rm -rf $path/hdfs_ca* #其中一台上生成CA,密码全部为abc123 /usr/bin/expect <<-EOF set timeout 10 spawn openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj /C=CN/ST=zhejiang/L=hangzhou/O=dtstack/OU=dtstack/CN=$hostname1 expect { "*phrase*" {send "$password\r"; exp_continue} "*phrase*" { send "$password\r"; exp_continue} } EOF #将生成的CA证书hdfs_ca_key、hdfs_ca_cert分发到其他节点上 for host in $hostnames; do echo "copy hadoop CA to $host:$path" ssh root@$host "mkdir -p /data/kerberos/hdfs_ca" scp hdfs_ca_* $host:$path done #rm -rf hdfs_ca* echo 'make_CA end ...' } make_CA 添加keystore脚本 vi keystore.sh #! /bin/bash path=/data/kerberos/hdfs_ca #集群中安装https keystore hostnamess="hadoop01.dtstack.com hadoop03.dtstack.com hadoop02.dtstack.com" passwords=abc123 current_hostnames="`hostname`" export.UTF-8 function make_certificate(){ current_hostname=$current_hostnames password=$passwords cd $path #keytool需要使用java环境 source /etc/profile #生成keystore #name="CN=$current_hostname, OU=dtstack, O=dtstack, L=hangzhou, ST=zhejiang, C=CN" /usr/bin/expect <<-EOF spawn keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=$current_hostname, OU=dtstack, O=dtstack, L=hangzhou, ST=zhejiang, C=CN" expect { "*password*" {send "$password\r"; exp_continue} "*password*" {send "$password\r"; exp_continue} "*password*" {send "$password\r"; exp_continue} "*password*" {send "$password\r"; exp_continue} } EOF #添加CA到truststore /usr/bin/expect <<-EOF spawn keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert expect { "*password*" {send "$password\r"; exp_continue} "*password*" {send "$password\r"; exp_continue} "*certificate*" {send "yes\r"; exp_continue} } EOF #从keystore中导出cert /usr/bin/expect <<-EOF spawn keytool -certreq -alias localhost -keystore keystore -file cert expect { "*password*" {send "$password\r"; exp_continue} } EOF #用CA对cert签名 /usr/bin/expect <<-EOF spawn openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial expect { "*phrase*" {send "$password\r"; exp_continue} } EOF #将CA的cert和用CA签名之后的cert导入keystore /usr/bin/expect <<-EOF spawn keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert expect { "*password*" {send "$password\r"; exp_continue} "*certificate*" {send "yes\r"; exp_continue} } EOF /usr/bin/expect <<-EOF spawn keytool -keystore keystore -alias localhost -import -file cert_signed expect { "*password*" {send "$password\r"; exp_continue} } EOF #将最终keystore,trustores放入合适的目录,并加上后缀jks #rm -rf /etc/security/https && mkdir -p /etc/security/https #chmod 755 /etc/security/https echo "install keystore、truststore to /data/kerberos/hdfs_ca/..." cp $path/keystore $path/keystore.jks cp $path/truststore $path/truststore.jks } echo "[+] execute hlk_each_host_install_https.sh begin ..." echo "hostnames:$hostnames" echo "current_hostname:$current_hostname" #每个节点获取CA证书签照 make_certificate echo "[+] execute hlk_each_host_install_https.sh end ..."
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
将脚本分发到每个节点的/opt/hadoop/bin/目录下,同时修改脚本权限
4、生成对应https证书(只需要在一个节点执行即可)
mkdir -p /data/kerberos/hdfs_ca
cd /opt/hadoop/bin/
bash on.sh
- 1
- 2
- 3
更多技术信息请查看云掣官网https://yunche.pro/?t=yrgw
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/羊村懒王/article/detail/266283
推荐阅读
相关标签
