Configuring the Keytab File and Trustlist
- If you need to enable the security policy, perform the operations in this section.
- For security purposes, you are advised to change the umask value of the O&M account of each node to 077 or larger.
- If you have performed kmc_tool operations using an O&M account in the current environment, you need to delete the KMC semaphore of the O&M account from the cluster environment.
- Query the semaphore.
ipcs -s -t
- Delete the semaphore.
ipcrm -S 0x20161316
- Query the semaphore again to confirm that it has been deleted.
Prerequisites
A configured KDC server is ready. It is recommended that the KDC server be a third-party server (not a server in the OmniShuffle cluster).
Configuring the Keytab File and Trustlist
- Log in to all servers in the OmniShuffle cluster and modify the /etc/hosts file on each server.
Add the mapping between the IP address and host name of the KDC server to the hosts file, for example:
IPaddress1 master
- Log in to the KDC server.
- Create a kdc folder.
- Copy the kdc_distribute.sh, kdc_kmc_encrypt_wt.sh, kdc_kmc_encrypt_zookeeper_kt.sh, kdc_kmc_encrypt_kt_client.sh, and kdc_kmc_encrypt_kt_server.sh files to the kdc folder.
- Create a node_list file in the kdc folder.
- Open the file.
vim node_list
- Press i to enter the insert mode and add the following content to the file:
#xx.xx.xx.xx server1 1
#xx.xx.xx.xx agent1 0
#xx.xx.xx.xx agent2 0
#xx.xx.xx.xx agent3 0
- Empty lines are not allowed anywhere in the file, including at the end of the file.
- In the file, xx.xx.xx.xx indicates the IP address of the node in the actual environment, and the last field is the node role: 0 indicates a compute node and 1 indicates the management node. Each line uses the following format:
#xx.xx.xx.xx 0 or 1
- Press Esc, type :wq!, and press Enter to save the file and exit.
- Add the OCK_HOME, OCK_VERSION, and OCK_BINARY_TYPE environment variables to ${HOME}/.bashrc of the ZooKeeper running user and the user who submits Spark tasks.
- Open the file.
vim ~/.bashrc
- Press i to enter the insert mode and add the following content to the file:
export OCK_HOME=/home/ockadmin/opt/ock
export OCK_VERSION=23.0.0
export OCK_BINARY_TYPE=linux-aarch64
- Press Esc, type :wq!, and press Enter to save the file and exit.
- Run the kdc_distribute.sh script. Before running the script, run the set +o history command to disable history recording. After running the script, run set -o history to enable history recording.
sh kdc_distribute.sh
The following information is displayed. Enter the related information as prompted.
Enter OPS_USER: # Enter the O&M user name.
Enter OPS_PWD: # Enter the O&M user password.
Enter RUN_USER: # Enter the name of the user that runs OmniShuffle.
Enter RUN_GROUP: # Enter the owner group of the user that runs OmniShuffle.
Enter SPARK_USER: # Enter the name of the user that submits the Spark tasks.
Enter ZK_USER: # Enter the name of the user that runs ZooKeeper.
OCK_HOME: # Enter the home path where OmniShuffle is installed, for example, /home/ockadmin/opt/ock.
Enter REALM: # Enter the domain name, which must be the same as that set when the KDC server is deployed (that is, the same as that configured in /etc/krb5.conf).
- When executing the kdc_distribute.sh script, you need to enter the user name and password that are sent to the servers in the OCK cluster, as well as the current Kerberos domain name (realm).
- The KDC scripts are not contained in the OmniShuffle installation package; users obtain them separately.
After the script is executed, the following files are generated on each node.
ksfa and ksfb: the two files are automatically generated in the ${HOME}/tools/pmt directory when the KDC script invokes kmc_tool. If the files already exist in that directory, they are not generated again. The script copies them to the specified location on each node.
- Files generated by the OCK user are stored in ${OCK_HOME}/security/.
├── authorization
│   └── whitelist_en
├── kdc
│   └── krb5-server_en.keytab
└── pmt
    ├── master
    │   └── ksfa
    └── standby
        └── ksfb
- Files generated by the user who submits the Spark tasks are stored in ${HOME}/huawei/ock/security of the user.
├── kdc
│   └── krb5-client_en.keytab
└── pmt
    ├── master
    │   └── ksfa
    └── standby
        └── ksfb
- Files generated by the ZooKeeper user are stored in ${HOME}/huawei/ock/security of the user.
├── kdc
│   └── zookeeper_en.keytab
└── pmt
    ├── master
    │   └── ksfa
    └── standby
        └── ksfb
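As an added example (not from the OmniShuffle documentation or its KDC scripts), the following POSIX shell checks validate a node_list file against the format given above (no empty lines, role 0 or 1 per node) and confirm that generated keytab and ksfa/ksfb files grant no permission to group or others, which is what the recommended 077 umask should have produced. The function names, the sample IP addresses and the temporary files are constructed for this example only.

```shell
#!/bin/sh
# Added example, not part of the OmniShuffle documentation or scripts.
# Two checks a practitioner can run around kdc_distribute.sh:
#   check_node_list FILE  -> 0 only if every line is "#<ip> <host> <0|1>" and
#                            the file has no empty line (including a trailing one)
#   check_private FILE    -> 0 only if FILE grants no permission to group/others,
#                            which is what a 077 umask should have produced for the
#                            generated keytab and ksfa/ksfb files

check_node_list() {
    f=$1
    [ -s "$f" ] || { echo "node_list missing or empty: $f" >&2; return 1; }
    # Any empty line, including a blank line at the end of the file, is rejected.
    if grep -q '^$' "$f"; then
        echo "node_list contains an empty line: $f" >&2; return 1
    fi
    # Each line: '#', dotted-quad IP, host name, then role 0 (compute) or 1 (management).
    bad=$(grep -v -E '^#([0-9]{1,3}\.){3}[0-9]{1,3} [A-Za-z0-9_.-]+ [01]$' "$f" || true)
    if [ -n "$bad" ]; then
        printf 'malformed node_list line(s) in %s:\n%s\n' "$f" "$bad" >&2; return 1
    fi
    return 0
}

check_private() {
    f=$1
    [ -f "$f" ] || { echo "missing file: $f" >&2; return 1; }
    # Octal mode via GNU stat, falling back to BSD stat.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        ?00) return 0 ;;
        *) echo "$f has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# Constructed sample inputs so the script runs stand-alone (not real cluster data).
tmp=$(mktemp -d)
printf '#10.0.0.1 server1 1\n#10.0.0.2 agent1 0\n#10.0.0.3 agent2 0\n' > "$tmp/node_list.good"
printf '#10.0.0.1 server1 1\n#10.0.0.2 agent1 0\n\n' > "$tmp/node_list.blank"  # trailing empty line
printf '#10.0.0.1 server1 2\n' > "$tmp/node_list.role"                         # role must be 0 or 1
: > "$tmp/krb5-client_en.keytab"; chmod 600 "$tmp/krb5-client_en.keytab"
: > "$tmp/leaky.keytab";          chmod 644 "$tmp/leaky.keytab"

for f in "$tmp"/node_list.*; do
    check_node_list "$f" 2>/dev/null && echo "OK   $f" || echo "FAIL $f"
done
for f in "$tmp"/*.keytab; do
    check_private "$f" 2>/dev/null && echo "OK   $f" || echo "FAIL $f"
done
```

Run it once against the real node_list before kdc_distribute.sh, and against the three ${OCK_HOME}/security and ${HOME}/huawei/ock/security trees afterwards.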