Zeppelin-0.9.0 开启kerberos登陆认证
目录
序:
一、kerberos及Zeppelin的安装(已安装好的直接跳转第二部分)
二、Zeppelin开启Kerberos步骤
1、Zeppelin官方说明
2、开始配置Zeppelin-Kerberos
(1)在kerberos中添加zeppelin的用户
(2)生成keytab文件
(3)认证keytab文件
(3)修改zeppelin下conf/shiro.ini
(4)将hadoop3.1.3/share/hadoop/common/hadoop-common-3.1.3.jar拷贝到zeppelin/lib下
(5)将hadoop3.1.3/share/hadoop/common/lib/ 下所有包拷贝到zeppelin/lib下
(6)启动zeppelin(zeppelin-0.9.0需要jdk1.8高版本,不然可能启动失败)
(7)验证kerberos是否开启成功
序:
因为工作需求,需要开启Zeppelin的Kerberos认证,在Zeppelin0.9.0之前的版本,需要依赖脚本和LDAP以及修改部分Zeppelin认证部分源码来做到集成Kerberos,在Zeppelin0.9.0版本,官方发布了Zeppelin开启Kerberos的方式,下面记录一下我踩的坑和开启步骤,以便大家少走弯路。
一、kerberos及Zeppelin的安装(已安装好的直接跳转第二部分)
TODO...
二、Zeppelin开启Kerberos步骤
1、Zeppelin官方说明
Zeppelin官方在zeppelin-0.9.0版本公布了开启Kerberos的方式,但是内容比简约,有一些坑需要踩,有一些问题需要解决。
Zeppelin官方的说明如下:
HTTP SPNEGO (Simple and Protected GSS-API NEGOtiation) is the standard way to support Kerberos Ticket based user authentication for Web Services. Based on Apache Hadoop Auth, Zeppelin supports ability to authenticate users by accepting and validating their Kerberos Ticket.
HTTP SPNEGO 是支持基于Kerberos票证的Web服务用户身份验证的标准方法。Zeppelin基于Apache Hadoop Auth,支持通过接受和验证用户的Kerberos票证对用户进行身份验证的功能。
When HTTP SPNEGO Authentication is enabled for Zeppelin, the Apache Hadoop Groups Mapping configuration will used internally to determine group membership of user who is trying to log in. Role-based access permission can be set based on groups as seen by Hadoop.
为Zeppelin启用HTTP SPNEGO身份验证后,将在内部使用Apache Hadoop组映射配置来确定尝试登录的用户的组成员身份。基于角色的访问权限可以基于Hadoop看到的组进行设置。
To enable this, apply the following change in
conf/shiro.iniunder[main]section.
为了实现这一目标,需要修改conf/shiro.ini下[main]部分内容。
krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm krbRealm.principal=HTTP/zeppelin.fqdn.domain.com@EXAMPLE.COM krbRealm.keytab=/etc/security/keytabs/spnego.service.keytab krbRealm.nameRules=DEFAULT krbRealm.signatureSecretFile=/etc/security/http_secret krbRealm.tokenValidity=36000 krbRealm.cookieDomain=domain.com krbRealm.cookiePath=/ authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilterFor above configuration to work, user need to do some more configurations outside Zeppelin.
1). A valid SPNEGO keytab should be available on the Zeppelin node and should be readable by 'zeppelin' user. If there is a SPNEGO keytab already available (because of other Hadoop service), it can be reused here and no need to generate a new keytab.
在Zeppelin的节点上,需要有一个可用的已被认证的keytab文件
2). A secret signature file must be present on Zeppelin node (readable to 'zeppelin' user). This file contains the random binary numbers which is used to sign 'hadoop.auth' cookie, generated during SPNEGO exchange. If such a file is already generated and available on the Zeppelin node, it should be used rather than generating a new file.
Zeppelin节点上必须存在一个秘密签名文件(“ zeppelin”用户可以读取)。该文件包含随机二进制数,该随机二进制数用于对在SPNEGO交换期间生成的“ hadoop.auth” cookie进行签名。如果此类文件已经生成并且可以在Zeppelin节点上使用,则应使用该文件,而不是生成新文件。
2、开始配置Zeppelin-Kerberos
(1)在kerberos中添加zeppelin的用户
kadmin.local: addprinc HTTP/henghe-049@HENGHE.COM
WARNING: no policy specified for HTTP/henghe-049@HENGHE.COM; defaulting to no policy
Enter password for principal "HTTP/henghe-049@HENGHE.COM":
Re-enter password for principal "HTTP/henghe-049@HENGHE.COM":
Principal "HTTP/henghe-049@HENGHE.COM" created.(2)生成keytab文件
kadmin.local: xst -k -norandkey /opt/http.service.keytab HTTP/henghe-049@HENGHE.COM
kadmin.local: Principal /opt/http.service.keytab does not exist.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type camellia256-cts-cmac added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type camellia128-cts-cmac added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:-norandkey.
Entry for principal HTTP/henghe-049@HENGHE.COM with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:-norandkey.
kadmin.local: (3)认证keytab文件
[root@henghe-049 lib] kinit -kt /opt/http.service.keytab HTTP/henghe-049@HENGHE.COM(3)修改zeppelin下conf/shiro.ini
注意,若开启kerberos,在需要注释掉【user】下的用户配置信息,不然会发生冲突报错。
在【main】下添加一下内容
krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm
krbRealm.principal=HTTP/henghe-049@HENGHE.COM
krbRealm.keytab=/opt/zeppelin.httpservice.keytab
krbRealm.nameRules=DEFAULT
# 用于签署HTTP cookie的密钥的位置
krbRealm.signatureSecretFile=/etc/security/http_secret
krbRealm.tokenValidity=36000
# 用于存储身份验证令牌的HTTP cookie的域
krbRealm.cookieDomain=henghe-049
# 用于存储身份验证令牌的HTTP cookie的路径。
krbRealm.cookiePath=/
authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter(4)将hadoop3.1.3/share/hadoop/common/hadoop-common-3.1.3.jar拷贝到zeppelin/lib下
(5)将hadoop3.1.3/share/hadoop/common/lib/ 下所有包拷贝到zeppelin/lib下
(6)启动zeppelin(zeppelin-0.9.0需要jdk1.8高版本,不然可能启动失败)
zeppelin-daemon.sh start(7)验证kerberos是否开启成功
打开zeppelinWebUI,发现页面401 需要认证
使用ZeppelinRESTApi进行验证
[root@henghe-049 bin] curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt "http://henghe-049:60066/api/notebook/"
{"status":"OK","message":"","body":[{"id":"2F2YS7PCE","path":"/Flink Tutorial/1. Flink Basics"},{"id":"2F7SKEHPA","path":"/Flink Tutorial/2. Three Essential Steps for Building Flink Job"},{"id":"2F5RKHCDV","path":"/Flink Tutorial/3. Flink Job Control Tutorial"},{"id":"2EYD56B9B","path":"/Flink Tutorial/4. Streaming ETL"},{"id":"2EYT7Q6R8","path":"/Flink Tutorial/5. Streaming Data Analytics"},{"id":"2EW19CSPA","path":"/Flink Tutorial/6. Batch ETL"},{"id":"2EZ9G3JJU","path":"/Flink Tutorial/7. Batch Data Analytics"},{"id":"2F4HJNWVN","path":"/Flink Tutorial/8. Logistic Regression (Alink)"},{"id":"2BYEZ5EVK","path":"/Miscellaneous Tutorial/Using Mahout"},{"id":"2C57UKYWR","path":"/Miscellaneous Tutorial/Using Pig for querying data"},{"id":"2EYDJKFFY","path":"/Python Tutorial/1. IPython Basic"},{"id":"2F1S9ZY8Z","path":"/Python Tutorial/2. IPython Visualization Tutorial"},{"id":"2F2AVWJ77","path":"/Python Tutorial/3. Keras Binary Classification (IMDB)"},{"id":"2C2AUG798","path":"/Python Tutorial/4. Matplotlib (Python, PySpark)"},{"id":"2BWJFTXKJ","path":"/R Tutorial/1. R Basics"},{"id":"2EZ66TM57","path":"/R Tutorial/2. Shiny App"},{"id":"2F8KN6TKK","path":"/Spark Tutorial/1. Spark Interpreter Introduction"},{"id":"2A94M5J1Z","path":"/Spark Tutorial/2. Spark Basic Features"},{"id":"2EWM84JXA","path":"/Spark Tutorial/3. Spark SQL (PySpark)"},{"id":"2EYUV26VR","path":"/Spark Tutorial/3. Spark SQL (Scala)"},{"id":"2EZFM3GJA","path":"/Spark Tutorial/4. Spark MlLib"},{"id":"2BWJFTXKM","path":"/Spark Tutorial/5. SparkR Basics"},{"id":"2F1CHQ4TT","path":"/Spark Tutorial/6. SparkR Shiny App"},{"id":"2F8VDBMMT","path":"/Spark Tutorial/7. Spark Delta Lake Tutorial"},{"id":"2G157XH1Q","path":"/Untitled Note 1"}]}
[root@henghe-049 bin]开启成功!!
有任何问题可在评论区留言,看到会回复~
Zeppelin-0.9.0 开启kerberos登陆认证相关推荐
- Kylin开启Kerberos安全认证
Kylin开启Kerberos安全认证, 由于Kylin是依赖Hbase启动的, Kylin启动脚本kylin.sh中就是调用的Hbase的启动脚本, 所以当Hbase开启了Keberos之后就等于K ...
- 【安全】CDH集群开启Kerberos安全认证
文章目录 1.安装kerberos 2.CDH集群开启Kerberos安全认证 1.安装kerberos 参考:https://blog.csdn.net/qq_21383435/article/de ...
- Storm集群安装Version1.0.1开启Kerberos
Storm集群安装,基于版本1.0.1, 同时开启Kerberos安全认证, 使用apache-storm-1.0.1.tar.gz安装包. 1.安装规划 角色规划 IP/机器名 安装软件 运行进程 ...
- 使用jdbc方式(token登陆)连接星环科技云平台TDC中的inceptor数据库(Kerberos安全认证)
使用jdbc方式连接星环科技云平台TDC中的inceptor数据库 大数据数据库inceptor开启Kerberos安全认证方式: 登陆时使用token令牌方式登录 token串写在这里 import ...
- [1067]CDH6.3.2之Kerberos安全认证
文章目录 Kerberos简介 Kerberos认证原理 Kerberos部署 Cloudera Manager平台上Kerberos的配置(在做此操作之前,请检查服务器时期是否正常) 常用命令 登录 ...
- SANGFOR V批N_v7.0如何开启硬件特征码认证
环境: SANGFOR SL VN.7.0 问题描述: SANGFOR V批N_v7.0如何开启硬件特征码认证 功能简介 硬件特征码是根据计算机的硬件特性按一定的算法生成的一个序号,由于硬件特性的唯一 ...
- mysql8.0.23解压版安装、开启远程登陆(用户创建和授权)以及卸载
官网下载MYSQL https://dev.mysql.com/downloads/mysql/ 解压 将下载下来的压缩包解压到硬盘 配置my.ini文件 进入安装目录(如 E:\RDC\DataBa ...
- hadoop2.7.2开启kerberos认证
环境介绍: 一共三台机器: hadoop11: 192.168.230.11 namenode .kerberos client hadoop12: 192.168.230.12 datanode . ...
- PHP —— 用 ThinkPHP5.0 实现微信小程序登陆
PHP -- 用 ThinkPHP5.0 实现微信小程序登陆 <工欲善其事,必先利其器> 大家好,之前学习了 原生 PHP 和框架,今天我们运用框架 TP5.0 来实现一下微信小程序的用户 ...
最新文章
- 前沿 | 历时十二年!曼彻斯特百万级神经元的类脑超算终开启
- 绘制半圆_超细致:Ai绘制萌蠢可爱卡通形象
- TIOBE 6月排行:C# 以微弱的优势超过了 Visual Basic .NET 的排名,再次进入 TOP 5
- 2013年3月编程语言排行榜:有毒的Java
- pytorch线性回归(笔记一)
- 计算机的数据库应用领域,【信息管理论文】信息管理中计算机数据库技术的应用(共4410字)...
- opencv3 与opencv2不同之处
- JMeter工具:场景设计,场景设置,场景运行,性能参数配置,测试监控
- java内存模型 infoq_深入理解 java 内存模型_程晓明_infoq.pdf
- Android下拉刷新完全解析,教你如何一分钟实现下拉刷新功能
- 安卓app之按键美化
- 携号转网手机号归属地查询
- 什么模式下不可使用曝光补偿_曝光的正确顺序是什么 曝光正确顺序介绍
- IE6下iframe里打开页面出现无法打开internet站点错误
- 抖音下拉框电脑版,同步移动端能上传视频!
- viper4android 音效,ViPer4android. FX顶级音效!
- 老版本Typora安装
- 关于“大局观”的一些思考
- Place Route相关
- 部分html转成pdf,4个把HTML转成PDF的实现方案
热门文章
- CSDN 2018博客之星活动报名开始了!
- 日本亚马逊海淘转运公司好?日亚转运公司攻略
- 【eCPRI】(1)基本概念
- Flutter之SharedPreferencesUtil初识
- win7防火墙例外设置方法_win7防火墙添加端口方法
- Illegal mix of collations (utf8mb4_general_ci,IMPLICIT) and (utf8mb4_0900_ai_ci,IMPLICIT) for operat
- “我转行做测试开发的这一年多,月薪5K变成了24K”,中文系萌妹的自白
- dpdk对虚拟化支持研究
- Java线程(五):Executors、ThreadFactory
- Questa CDC(安全性测试)