構建高可靠hadoop集群之4-保全模式

本文主要翻譯自 http://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/SecureMode.html 譯註：之所以不翻譯為安全模式，是因為namenode啟動的時候有個safemode,如果都翻譯為安全模式，會有 ...

本文主要翻譯自 http://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/SecureMode.html

譯註：之所以不翻譯為安全模式，是因為namenode啟動的時候有個safemode,如果都翻譯為安全模式，會有混淆的顧慮。

從重要程度看，本文所闡述的內容，無疑相當高。但從配置上看，kerberos的配置，可謂hadoop集群搭建中最為繁瑣，麻煩的部分。

引入一個kerberos認證，需要額外搭建一個kerberos伺服器，容易製造新的單點故障，這有違背ha的初衷。除非可以搭建kerberos集權，但這變得更加複雜了。

如果覺得kerberos太麻煩，可以只選擇服務級別授權、web控制台的認證和數據保密。

作者翻譯本文的時候，尚未有在hadoop上配置kerberos的經驗。所以本文僅僅作為一個學習筆記存在，用作加深記憶，用作日後的參考。日後如果有實際的操作，會把有關的配置附錄在後。

1.介紹

本文描述如何在保全模式下配置授權。當hadoop在保全模式下運行的時候，每個hadoop服務和每個用戶必須通過kerberos授權。

正確配置服務主機尋找，以便允許伺服器相互認證。主機尋找可以通過dns或者/etc/hosts來實現。我們推薦通過kerberos和dns來配置hadoop保全模式。

安全特性包含認證，服務級別授權，web控制台認證和數據保密

2.認證

2.1終端用戶賬戶

當服務級別的認證開啟後，終端用戶必須在和hadoop服務交互前線進行認證。對簡單的用戶認證途徑就是使用kerberos kinit命令。

如果無法使用kinit交互登錄，那麼可以使用kerberos keytab文件。

2.2hadoop守護程式用戶賬戶

確保hdfs和yarn的守護程式使用不同的unix用戶（或者是不同的操作系統用戶),例如分別使用hdfs,yarn。

此外，確保mr jobhistory 伺服器使用不用的用戶，例如mapred.

同時，我們推薦它們使用相同的unix組，例如hadoop.

下表就是推薦的用戶和分組：

User:Group	Daemons
hdfs:hadoop	NameNode, Secondary NameNode, JournalNode, DataNode
yarn:hadoop	ResourceManager, NodeManager
mapred:hadoop	MapReduce JobHistory Server

譯註：當原文“建議”的時候，通常就是“最好那麼做”的意思。如果不按照“建議”來做，可能也可以，但可能有許多曲折。

2.3hadoop守護程式的kerberos主體

每個hadoop服務實例必須配置對應kerberos主體和keytab文件位置。

服務主體的通用格式是:ServiceName/[email protected]. 例如dn/[email protected]

hadoop簡化了這種配置文件的部署，它允許各種主機的部分使用_HOST通配符。每個服務實例會再運行時，使用自己的主機全稱替代_HOST.這樣管理員就可以在所有節點上部署同套配置文件。

但，keytab文件還是必須定製-每台都不同。

2.3.1 HDFS的ketab文件

名稱節點的

$ klist -e -k -t /etc/security/keytab/nn.service.keytab
Keytab name: FILE:/etc/security/keytab/nn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 nn/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nn/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nn/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

譯註：其中紅色字體是真實有用的。

第二名稱節點的

$ klist -e -k -t /etc/security/keytab/sn.service.keytab
Keytab name: FILE:/etc/security/keytab/sn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 sn/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 sn/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 sn/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

數據節點的

$ klist -e -k -t /etc/security/keytab/dn.service.keytab
Keytab name: FILE:/etc/security/keytab/dn.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 dn/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 dn/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 dn/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

譯註：以上三種節點，都只對兩種service名稱進行定義，沒有關於http的。

2.3.2 yarn的

資源管理器

$ klist -e -k -t /etc/security/keytab/rm.service.keytab
Keytab name: FILE:/etc/security/keytab/rm.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 rm/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 rm/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 rm/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

節點管理器
$ klist -e -k -t /etc/security/keytab/nm.service.keytab
Keytab name: FILE:/etc/security/keytab/nm.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 nm/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nm/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 nm/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

2.3.3 mapreduce

$ klist -e -k -t /etc/security/keytab/jhs.service.keytab
Keytab name: FILE:/etc/security/keytab/jhs.service.keytab
KVNO Timestamp         Principal
   4 07/18/11 21:08:09 jhs/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 jhs/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 jhs/[email protected] (ArcFour with HMAC/md5)
   4 07/18/11 21:08:09 host/[email protected] (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   4 07/18/11 21:08:09 host/[email protected] (ArcFour with HMAC/md5)

2.4kerberos主體和超級系統用戶賬戶的映射

Hadoop maps Kerberos principals to OS user (system) accounts using rules specified by hadoop.security.auth_to_local. These rules work in the same way as the auth_to_local in Kerberos configuration file (krb5.conf). In addition, Hadoop auth_to_local mapping supports the /L flag that lowercases the returned name.

The default is to pick the first component of the principal name as the system user name if the realm matches the default_realm (usually defined in /etc/krb5.conf). e.g. The default rule maps the principal host/[email protected] to system user host. The default rule will not be appropriate for most clusters.

In a typical cluster HDFS and YARN services will be launched as the system hdfs and yarn users respectively. hadoop.security.auth_to_local can be configured as follows:

hadoop使用hadoop.security.auth_to_local來映射kerberos主體到操作系統用戶。這個規則同kerberos配置文件(krb5.conf)

此外，auth_to_local映射支持/L標記--返回名稱會返回小寫的結果。

預設的操作是，取主體名稱中的第一個部分當作系統用戶名，如果領域匹配default_realm(通常定義在/etc/krb5.conf)中。例如，host/[email protected]映射操作系統用戶host。這個預設的規則並不適合於大部分集群。

在典型的集群中,hdfs和yarn服務通常使用系統用戶hdfs,yarn來啟動。於是hadoop.security.auth_to_local可以如下配置：

<property>
<name>hadoop.security.auth_to_local</name>
<value>
    RULE:[2:$1@$0](nn/.*@.*REALM.TLD)s/.*/hdfs/
    RULE:[2:$1@$0](jn/.*@.*REALM.TLD)s/.*/hdfs/
    RULE:[2:$1@$0](dn/.*@.*REALM.TLD)s/.*/hdfs/
    RULE:[2:$1@$0](nm/.*@.*REALM.TLD)s/.*/yarn/
    RULE:[2:$1@$0](rm/.*@.*REALM.TLD)s/.*/yarn/
    RULE:[2:$1@$0](jhs/.*@.*REALM.TLD)s/.*/mapred/
    DEFAULT
</value>
</property>

定製的規則可以使用hadoop kername命令測試。這個命令允許使用auth_to_local的規則集來測試特定的規則。

譯註：以上的規則挺難理解的。

2.5把用戶映射到組

系統用戶和系統組的映射機制可以通過配置hadoop.security.group.mapping實現，具體參考hadoop組映射。

有的時候，需要在hadoop的保全模式下，使用kerberos和ldap配置單點登錄。

2.6代理用戶

有些產品，例如Apache Oozie需要訪問hadoop服務，這個時候會用到代理用戶。

2.7保全的數據節點

因為數據節點的數據傳輸協議並不使用hadoop rpc框架，數據節點必須使用特定的埠認證它們自己，這個可以通過設定dfs.datanode.address 和dfs.datanode.http.address來實現。這種認證是基於這樣的假設：攻擊者無法獲得數據節點主機的root許可權。

當以root執行hdfs datanode 命令的時候，伺服器進程首先綁定特定埠，然後使用HADOOP_SECURE_DN_USER設定的用戶賬戶運行。這個啟動的進程使用 jsvc程式（安裝在JSVC_HOME）。我們必須設定環境變數 HADOOP_SECURE_DN_USER,JSVC_HOME(在hadoop-env.sh中設定)。

從2.6.0版本之後，SASL可以用於認證數據傳輸協議。這樣，數據節點使用root啟動的時候，不再要求使用jsvc，並綁定特定埠。為了啟用SASL數據傳輸，在hdfs-site.xml中設定dfs.data.transfer.protection,為dfs.datanode.address設定普通埠即可（譯註：大於1024的埠），把dfs.http.policy設置為HTTPS_ONLY，並確保在hadoop-env.sh中不要設定HADOOP_SECURE_DN_USER。如果把dfs.datanode.address綁定在特定埠，那麼就無法在數據傳輸協議上啟用SASL。這麼做僅僅是為了向後相容.

為了從一個使用root認證的現有集群遷移到使用SASL,首先確保版本是2.6.0或者更高，其次外部應用也需要更新配置，以便啟用SASL。

啟用了SASL的客戶端可以連接到使用root認證或者SASL認證的數據節點。

最後，每個數據節點都需要修改配置，並重新啟動。在遷移期間，允許一些節點用root認證，一些使用sasl認證。

3.數據保密

3.1RPC傳輸加密

通過把修改core-site.xml中hadoop.rpc.protection的值為 privacy ，就可以開啟hadoop服務和客戶端之間的數據傳輸。

3.2數據塊傳輸加密

把hdfs-site.xml中dfs.encrypt.data.transfer設置為true，這樣就可以激活數據節點的數據傳輸協議。

此外，可以配置dfs.encrypt.data.transfer.algorithm為3des或者rc4,這是設置加密演算法。如果不設置，預設使用3des.

如果設置 dfs.encrypt.data.transfer.cipher.suites 為 AES/CTR/NoPadding，就可以激活AES加密。預設情況下，不設置這個，所以也不用AES.如果啟用這個，那麼在初始key交換的時候，依然會使用前一個參數的加密演算法。

dfs.encrypt.data.transfer.cipher.key.bitlength 的值可以是128, 192 or 256. 預設是128.這個用於設定AES鑰匙的長度.

AES可以提供最好的密碼長度和最佳的性能。現在，hadoop集群中更多使用3DES和RC4

譯註：數據加密加重了系統的負擔，部署的時候需要仔細權衡下。

3.3HTTP加密

客戶端和WEB控制台之間傳輸數據，可以通過SSL（https）保護。SSL配置是一個推薦，但並不是必須的。

為了啟用SSL，必須設置dfs.http.policy=HTTPS_ONLY或者是HTTP_AND_HTTPS（在hdfs-site.xml)。註意，這個不影響KMS和httpfs，因為它們是在tomcat之上實現，並不考慮這個參數。

如果想為KMS和httpFS啟用https,請參閱kms和httpfs.

如果要啟用yarn的，那麼設置yarn-site.xml中的yarn.http.policy=HTTPS_ONLY。

如果要啟用mapreduce 作業歷史伺服器的，設置mapred-site.xml中mapreduce.jobhistory.http.policy=HTTPS_ONLY

4.配置

譯註：以下設置相當繁雜，對於大集群而言，是不小的工作量.本章節羅列了保全設置的各個有關配置，並給出了一些示範值（有的也是唯一的值）

有些表格的內容和容易理解，所以對一些說明不再翻譯，僅僅是複製於此。

HDFS和本地文件系統的許可權

表格個數的推薦的許可權

Filesystem	Path	User:Group	Permissions
local	`dfs.namenode.name.dir`	hdfs:hadoop	`drwx------`
local	`dfs.datanode.data.dir`	hdfs:hadoop	`drwx------`
local	`$HADOOP_LOG_DIR`	hdfs:hadoop	`drwxrwxr-x`
local	`$YARN_LOG_DIR`	yarn:hadoop	`drwxrwxr-x`
local	`yarn.nodemanager.local-dirs`	yarn:hadoop	`drwxr-xr-x`
local	`yarn.nodemanager.log-dirs`	yarn:hadoop	`drwxr-xr-x`
local	container-executor	root:hadoop	`--Sr-s--*`
local	`conf/container-executor.cfg`	root:hadoop	`r-------*`
hdfs	`/`	hdfs:hadoop	`drwxr-xr-x`
hdfs	`/tmp`	hdfs:hadoop	`drwxrwxrwxt`
hdfs	`/user`	hdfs:hadoop	`drwxr-xr-x`
hdfs	`yarn.nodemanager.remote-app-log-dir`	yarn:hadoop	`drwxrwxrwxt`
hdfs	`mapreduce.jobhistory.intermediate-done-dir`	mapred:hadoop	`drwxrwxrwxt`
hdfs	`mapreduce.jobhistory.done-dir`	mapred:hadoop	`drwxr-x---`

通用配置

所有節點上core-site.xml中配置

Parameter	Value	Notes
`hadoop.security.authentication`	`kerberos`	`simple` : No authentication. (default) `kerberos` : Enable authentication by Kerberos.
`hadoop.security.authorization`	`true`	Enable RPC service-level authorization.
`hadoop.rpc.protection`	`authentication`	`authentication` : authentication only (default); `integrity` : integrity check in addition to authentication; `privacy` : data encryption in addition to integrity
`hadoop.security.auth_to_local`	`RULE:``exp1` `RULE:``exp2` … `DEFAULT`	The value is string containing new line characters. See Kerberos documentation for the format of exp.
`hadoop.proxyuser.`superuser`.hosts`		comma separated hosts from which superuser access are allowed to impersonation. `*` means wildcard.
`hadoop.proxyuser.`superuser`.groups`		comma separated groups to which users impersonated by superuser belong. `*` means wildcard.

名稱節點上配置

Parameter	Value	Notes
`dfs.block.access.token.enable`	`true`	Enable HDFS block access tokens for secure operations.
`dfs.namenode.kerberos.principal`	`nn/[email protected]`	Kerberos principal name for the NameNode.
`dfs.namenode.keytab.file`	`/etc/security/keytab/nn.service.keytab`	Kerberos keytab file for the NameNode.
`dfs.namenode.kerberos.internal.spnego.principal`	`HTTP/[email protected]`	The server principal used by the NameNode for web UI SPNEGO authentication. The SPNEGO server principal begins with the prefix `HTTP/` by convention. If the value is `'*'`, the web server will attempt to login with every principal specified in the keytab file `dfs.web.authentication.kerberos.keytab`. For most deployments this can be set to `${dfs.web.authentication.kerberos.principal}` i.e use the value of `dfs.web.authentication.kerberos.principal`.
`dfs.web.authentication.kerberos.keytab`	`/etc/security/keytab/spnego.service.keytab`	SPNEGO keytab file for the NameNode. In HA clusters this setting is shared with the Journal Nodes.

在名稱節點的web上啟用SSL.

Parameter	Value	Notes
`dfs.http.policy`	`HTTP_ONLY` or `HTTPS_ONLY` or `HTTP_AND_HTTPS`	`HTTPS_ONLY` turns off http access. This option takes precedence over the deprecated configuration dfs.https.enable and hadoop.ssl.enabled. If using SASL to authenticate data transfer protocol instead of running DataNode as root and using privileged ports, then this property must be set to `HTTPS_ONLY` to guarantee authentication of HTTP servers. (See `dfs.data.transfer.protection`.)
`dfs.namenode.https-address`	`0.0.0.0:50470`	This parameter is used in non-HA mode and without federation. See HDFS High Availability and HDFS Federation for details.
`dfs.https.enable`	`true`	This value is deprecated. `Use dfs.http.policy`

第二名稱節點

Parameter	Value	Notes
`dfs.namenode.secondary.http-address`	`0.0.0.0:50090`	HTTP web UI address for the Secondary NameNode.
`dfs.namenode.secondary.https-address`	`0.0.0.0:50091`	HTTPS web UI address for the Secondary NameNode.
`dfs.secondary.namenode.keytab.file`	`/etc/security/keytab/sn.service.keytab`	Kerberos keytab file for the Secondary NameNode.
`dfs.secondary.namenode.kerberos.principal`	`sn/[email protected]`	Kerberos principal name for the Secondary NameNode.
`dfs.secondary.namenode.kerberos.internal.spnego.principal`	`HTTP/[email protected]`	The server principal used by the Secondary NameNode for web UI SPNEGO authentication. The SPNEGO server principal begins with the prefix `HTTP/` by convention. If the value is `'*'`, the web server will attempt to login with every principal specified in the keytab file `dfs.web.authentication.kerberos.keytab`. For most deployments this can be set to `${dfs.web.authentication.kerberos.principal}` i.e use the value of `dfs.web.authentication.kerberos.principal`.

日誌節點(jns節點）

Parameter	Value	Notes
`dfs.journalnode.kerberos.principal`	`jn/[email protected]`	Kerberos principal name for the JournalNode.
`dfs.journalnode.keytab.file`	`/etc/security/keytab/jn.service.keytab`	Kerberos keytab file for the JournalNode.
`dfs.journalnode.kerberos.internal.spnego.principal`	`HTTP/[email protected]`	The server principal used by the JournalNode for web UI SPNEGO authentication when Kerberos security is enabled. The SPNEGO server principal begins with the prefix `HTTP/` by convention. If the value is `'*'`, the web server will attempt to login with every principal specified in the keytab file `dfs.web.authentication.kerberos.keytab`. For most deployments this can be set to `${dfs.web.authentication.kerberos.principal}` i.e use the value of `dfs.web.authentication.kerberos.principal`.
`dfs.web.authentication.kerberos.keytab`	`/etc/security/keytab/spnego.service.keytab`	SPNEGO keytab file for the JournalNode. In HA clusters this setting is shared with the Name Nodes.
`dfs.journalnode.https-address`	`0.0.0.0:8481`	HTTPS web UI address for the JournalNode.

數據節點

Parameter	Value	Notes
`dfs.datanode.data.dir.perm`	`700`
`dfs.datanode.address`	`0.0.0.0:1004`	Secure DataNode must use privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc. Alternatively, this must be set to a non-privileged port if using SASL to authenticate data transfer protocol. (See `dfs.data.transfer.protection`.)
`dfs.datanode.http.address`	`0.0.0.0:1006`	Secure DataNode must use privileged port in order to assure that the server was started securely. This means that the server must be started via jsvc.
`dfs.datanode.https.address`	`0.0.0.0:50475`	HTTPS web UI address for the Data Node.
`dfs.datanode.kerberos.principal`	`dn/[email protected]`	Kerberos principal name for the DataNode.
`dfs.datanode.keytab.file`	`/etc/security/keytab/dn.service.keytab`	Kerberos keytab file for the DataNode.
`dfs.encrypt.data.transfer`	`false`	set to `true` when using data encryption
`dfs.encrypt.data.transfer.algorithm`		optionally set to `3des` or `rc4` when using data encryption to control encryption algorithm
`dfs.encrypt.data.transfer.cipher.suites`		optionally set to `AES/CTR/NoPadding` to activate AES encryption when using data encryption
`dfs.encrypt.data.transfer.cipher.key.bitlength`		optionally set to `128`, `192` or `256` to control key bit length when using AES with data encryption
`dfs.data.transfer.protection`		`authentication` : authentication only; `integrity` : integrity check in addition to authentication; `privacy` : data encryption in addition to integrity This property is unspecified by default. Setting this property enables SASL for authentication of data transfer protocol. If this is enabled, then `dfs.datanode.address` must use a non-privileged port, `dfs.http.policy` must be set to `HTTPS_ONLY` and the `HADOOP_SECURE_DN_USER` environment variable must be undefined when starting the DataNode process.

webHDFS

Parameter	Value	Notes
`dfs.web.authentication.kerberos.principal`	`http/[email protected]`	Kerberos principal name for the WebHDFS. In HA clusters this setting is commonly used by the JournalNodes for securing access to the JournalNode HTTP server with SPNEGO.
`dfs.web.authentication.kerberos.keytab`	`/etc/security/keytab/http.service.keytab`	Kerberos keytab file for WebHDFS. In HA clusters this setting is commonly used the JournalNodes for securing access to the JournalNode HTTP server with SPNEGO.

資源管理器

Parameter	Value	Notes
`yarn.resourcemanager.principal`	`rm/[email protected]`	Kerberos principal name for the ResourceManager.
`yarn.resourcemanager.keytab`	`/etc/security/keytab/rm.service.keytab`	Kerberos keytab file for the ResourceManager.
`yarn.resourcemanager.webapp.https.address`	`${yarn.resourcemanager.hostname}:8090`	The https adddress of the RM web application for non-HA. In HA clusters, use `yarn.resourcemanager.webapp.https.address.`rm-id for each ResourceManager. See ResourceManager High Availability for details.

節點管理器

Parameter	Value	Notes
`yarn.nodemanager.principal`	`nm/[email protected]`	Kerberos principal name for the NodeManager.
`yarn.nodemanager.keytab`	`/etc/security/keytab/nm.service.keytab`	Kerberos keytab file for the NodeManager.
`yarn.nodemanager.container-executor.class`	`org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor`	Use LinuxContainerExecutor.
`yarn.nodemanager.linux-container-executor.group`	`hadoop`	Unix group of the NodeManager.
`yarn.nodemanager.linux-container-executor.path`	`/path/to/bin/container-executor`	The path to the executable of Linux container executor.
`yarn.nodemanager.webapp.https.address`	`0.0.0.0:8044`	The https adddress of the NM web application.

web應用代理配置

Parameter	Value	Notes
`yarn.web-proxy.address`	`WebAppProxy` host:port for proxy to AM web apps.	`host:port` if this is the same as `yarn.resourcemanager.webapp.address` or it is not defined then the `ResourceManager` will run the proxy otherwise a standalone proxy server will need to be launched.
`yarn.web-proxy.keytab`	`/etc/security/keytab/web-app.service.keytab`	Kerberos keytab file for the WebAppProxy.
`yarn.web-proxy.principal`	`wap/[email protected]`	Kerberos principal name for the WebAppProxy.

LinuxContainerExecutor

這種東西為YARN所用，作用是定義容器如何啟動和控制

ContainerExecutor Description

DefaultContainerExecutor The default executor which YARN uses to manage container execution. The container process has the same Unix user as the NodeManager.

LinuxContainerExecutor Supported only on GNU/Linux, this executor runs the containers as either the YARN user who submitted the application (when full security is enabled) or as a dedicated user (defaults to nobody) when full security is not enabled. When full security is enabled, this executor requires all user accounts to be created on the cluster nodes where the containers are launched. It uses a setuid executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and kill containers. The setuid executable switches to the user who has submitted the application and launches or kills the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

ContainerExecutor	Description
`DefaultContainerExecutor`	The default executor which YARN uses to manage container execution. The container process has the same Unix user as the NodeManager.
`LinuxContainerExecutor`	Supported only on GNU/Linux, this executor runs the containers as either the YARN user who submitted the application (when full security is enabled) or as a dedicated user (defaults to nobody) when full security is not enabled. When full security is enabled, this executor requires all user accounts to be created on the cluster nodes where the containers are launched. It uses a `setuid` executable that is included in the Hadoop distribution. The NodeManager uses this executable to launch and kill containers. The setuid executable switches to the user who has submitted the application and launches or kills the containers. For maximum security, this executor sets up restricted permissions and user/group ownership of local files and directories used by the containers such as the shared objects, jars, intermediate files, log files etc. Particularly note that, because of this, except the application owner and NodeManager, no other user can access any of the local files/directories including those localized as part of the distributed cache.

使用以下語句構建可運行的容器：

$ mvn package -Dcontainer-executor.conf.dir=/etc/hadoop/

完成之後，可執行的內容必須放在$HADOOP_YARN_HOME/bin，其次這個可執行的程式必須授權6050,且其屬主通常是hadoop(應用的用戶不能屬於這個組）。這個主的屬性必須通過cong/yarn-site.xml,conf/container-executor.cfg的yarn.nodemanager.linux-container-executor.group中配置。

例如：如果使用yarn這個用戶運行nodemanager(yarn屬於組user和hadoop),那麼users和hadoop都是主要的組。user組還有其它用戶alice,但alice不屬於hadoop.

conf/container-executor.cfg中配置

Parameter	Value	Notes
`yarn.nodemanager.linux-container-executor.group`	`hadoop`	Unix group of the NodeManager. The group owner of the `container-executor` binary should be this group. Should be same as the value with which the NodeManager is configured. This configuration is required for validating the secure access of the `container-executor` binary.
`banned.users`	`hdfs,yarn,mapred,bin`	Banned users.
`allowed.system.users`	`foo,bar`	Allowed system users.
`min.user.id`	`1000`	Prevent other super-users.

和Linuxcontaierexecutor有關的路徑許可權

Filesystem	Path	User:Group	Permissions
local	`container-executor`	root:hadoop	`--Sr-s--*`
local	`conf/container-executor.cfg`	root:hadoop	`r-------*`
local	`yarn.nodemanager.local-dirs`	yarn:hadoop	`drwxr-xr-x`
local	`yarn.nodemanager.log-dirs`	yarn:hadoop	`drwxr-xr-x`

MR作業歷史伺服器

Parameter	Value	Notes
`mapreduce.jobhistory.address`	MapReduce JobHistory Server `host:port`	Default port is 10020.
`mapreduce.jobhistory.keytab`	`/etc/security/keytab/jhs.service.keytab`	Kerberos keytab file for the MapReduce JobHistory Server.
`mapreduce.jobhistory.principal`	`jhs/[email protected]`	Kerberos principal name for the MapReduce JobHistory Server.

5.多主連接

即一個地址對應多個主機名稱，這個通常通過dns來實現（譯註：這個就是開頭的時候原文推薦的緣故）。

這種多主連接導致kerberos配置會變複雜一些。具體參考多主網路

譯註：基本上很少人使用這個。

6.疑難解答

kerberos很難配置-很難調試。常見問題是：

1.網路和DNS配置

2.kerberos配置(/etc/krb5.conf)

3.keytab的創建和維護

4.環境設置：JVM，用戶登錄和系統鎖等等

事實是，jvm發送的錯誤信息毫無用處。（譯註：原文也開始吐槽了）

可以設置環境變數（客戶端和服務端）HADOOP_JAAS_DEBUG=true

修改hadoop的log4j.properties，設定 log4j.logger.org.apache.hadoop.security=DEBUG

設定系統屬性 export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug" ，這樣可以啟用JVM級別的調試。

譯註：是否啟用 kerberos，是比較頭疼的一件事情。但安全不是只有一種方法。可以構建hadoop的孤立網路，然後通過一些介面機器來隔離特別網路。

目前的kerberos配置過於複雜，讓人望而生畏，尤其在一個大的hadoop集群上。如果是幾台機器，這樣的集群作用又相對有限。

或許將來的版本中，hadoop應該考慮學習windows的認證方式，大大減輕系統管理員的壓力。

7.使用kDiag進行疑難解答

hadoop提供了一個工具Kdiag,用於幫助配置。

這個工具包含了一系列的探測器，用於解決JVM配置和環境，並可以導出一些(dump)系統文件（例如/etc/krb5.conf ,/etc/ntp.conf),列印一些系統狀態，並試圖以當前用戶的身份在kerberos中記錄日誌，也可以是以特定keytab中主體身份。

命令的輸出可以用於本地診斷，或者提交給有關的人，例如集群管理員或者其它人。

KDiag命令有它自己的入口；當前並非通過hook的方式連接到終端用戶CLI上。

通過簡單的在hadoop,hdfs,yarn命令後帶上全類名即可。

hadoop org.apache.hadoop.security.KDiag
hdfs org.apache.hadoop.security.KDiag
yarn org.apache.hadoop.security.KDiag

如果返回0，表示成功運行-但僅僅表示這個類運行成功，不表示kerberos可用，僅僅表示KDiag的多個探測是成功的。它不連接到任何遠程的服務，也不確認客戶端是否被任意服務信任。

如果失敗：

-1: 失敗，原因未知。
41: 未授權 (== HTTP’s 401).

7.1KDiag的用法

KDiag: Diagnose Kerberos Problems
[-D key=value] : Define a configuration option.
[--jaas] : Require a JAAS file to be defined in java.security.auth.login.config.
[--keylen <keylen>] : Require a minimum size for encryption keys supported by the JVM. Default value : 256.
[--keytab <keytab> --principal <principal>] : Login from a keytab as a specific principal.
[--nofail] : Do not fail on the first problem.
[--nologin] : Do not attempt to log in.
[--out <file>] : Write output to a file.
[--resource <resource>] : Load an XML configuration resource.
[--secure] : Require the hadoop configuration to be secure.
[--verifyshortname <principal>]: Verify the short name of the specific principal does not contain '@' or '/'

--jaas

java.security.auth.login.config必須指向一個JAAS文件。文件必須存在，只要非0位元組即可，當前用戶可讀。hadoop自身不用這個文件，但zookeeper需要用這個做安全操作。

--keylen

如果JVM不支持這個長度，那麼會失敗。

預設的密匙長度是256。JVM必須安裝JAVA Cryptography Extensions,否則無法支持這樣的長度。或者配置一個比較短的長度，也可以的。

--keytab

以keytab中定義的特定主體登錄。

keytab文件必須包含特定的主體，包括任意的命名主機。換言之，不需要用_HOST來映射當前的主機名稱。
Ddiag會登出，並試圖再次登入。這樣可以捕獲一些過去的相容性問題。

--nofail

KDiag如果遇到第一個錯誤，那麼不會停止。但局限性，可能第一個問題就是關鍵問題。但這樣可以提供更多更詳細的報告。

--nologin

不登錄。意味著跳過keytab選項，也不以kinit用戶登入。

這僅僅是為了檢查一些基本的kerberos問題，例如一些kereros基本配置信息。

--out

示例： hadoop org.apache.hadoop.security.KDiag --out out.txt

原文建議我們按照以下方式來重定向Jre(stderr)和log4j(stdout)的輸出到同一個文件：

hadoop org.apache.hadoop.security.KDiag --keytab zk.service.keytab --principal zookeeper/devix.example.org@REALM > out.txt 2>&1

--resource

當使用hdfs和yarn命令的時候，這可以用於強制載入hdfs-site.xml和yarn-site.xml資源文件，以便獲取kerberos有關的配置。core-site.xml的配置總是會載入。

hdfs org.apache.hadoop.security.KDiag --resource hbase-default.xml --resource hbase-site.xml

yarn org.apache.hadoop.security.KDiag --resource yarn-default.xml --resource yarn-site.xml

--secure

檢查下麵這個配置：

<property>
<name>hadoop.security.authentication</name>
<value>simple</value>
</property>

Needless to say, an application so configured cannot talk to a secure Hadoop cluster. --譯註：原文說得很有意思，就不翻譯了。總有一些粗心的人忘了這個配置，而這種情況也不少見。

--verifyshortname

驗證主體中的短稱，這個主體不包含@和/字元。

示例

hdfs org.apache.hadoop.security.KDiag \
--nofail \
--resource hbase-default.xml --resource hbase-site.xml \
--keylen 1024 \
--keytab zk.service.keytab --principal zookeeper/devix.example.org@REALM

8.參考