(Optional) Configuring the Keytab and Whitelist Files
You can configure the keytab and whitelist files to improve system security and reliability. The keytab file lets services authenticate to Kerberos without an interactive password, and the whitelist file restricts which principals may access the system. The steps in this section require a KDC server, so prepare it in advance; a dedicated third-party server (not an OmniShuffle cluster node) is recommended.
- For security purposes, you are advised to change the umask value of the O&M account on each node to 077 or stricter, so that files created by that account are not readable by the group or by other users.
- If you have performed kmc_tool operations using an O&M account in the current environment, delete the KMC semaphore of that O&M account from the cluster environment before proceeding.
- Query the semaphore.
ipcs -s -t
- Delete the semaphore.
ipcrm -S 0x20161316
- Query the semaphore again to confirm that it has been deleted.
Procedure
- Log in to every server in the OmniShuffle cluster and modify the /etc/hosts file on each one.
Add the mapping between the IP address and host name of the KDC server to the hosts file, one entry per line in the form IP address followed by host name:
IPaddress1 server
- Log in to the KDC server.
- Add the OCK_HOME, OCK_VERSION, and OCK_BINARY_TYPE environment variables to ${HOME}/.bashrc of the ZooKeeper run user and the user who submits Spark tasks.
- Open the file.
vi ~/.bashrc
- Press i to enter the insert mode and add the following content to the file:
export OCK_HOME=/home/ockadmin/opt/ock
export OCK_VERSION=24.0.0
export OCK_BINARY_TYPE=linux-aarch64
- Press Esc, type :wq!, and press Enter to save the file and exit.
- Create the digital certificate files, whitelist file, and KMC key files required by the KDC server, and copy them to the location specified below for the corresponding user on each node.
- The generated files are stored in the ${OCK_HOME}/security/ directory.
- Change the owner of the directory or file to ockadmin:ockadmin, the directory permission to 700, and the file permission to 600.
├── authorization
│ └── whitelist_en
├── kdc
│ └── krb5-server_en.keytab
├── pmt
│ ├── master
│ │ └── ksfa
│ └── standby
│ └── ksfb
└── tls
├── client.crt.pem
├── client.pem
├── server
│ ├── ca.cert.pem
│ ├── server.cert.pem
│ ├── server.keypass.key
│ └── server.private.key.pem
└── server.crt.pem
The following table lists the configuration items.
Table 1 Configuration information

User | File | Configuration Item | Example Path
ockadmin | whitelist_en | ock.ucache.rpc.author.file.path | /home/ockadmin/opt/ock/security/authorization/whitelist_en
ockadmin | krb5-server_en.keytab | ock.ucache.rpc.auth.kerb.server.keytab | /home/ockadmin/opt/ock/security/kdc/krb5-server_en.keytab
ockadmin | krb5-server_en.keytab | ock.zookeeper.security.client.keytab | /home/ockadmin/opt/ock/security/kdc/krb5-server_en.keytab
ockadmin | ksfa | ock.ucache.kmc.ksf.primary.path | /home/ockadmin/opt/ock/security/pmt/master/ksfa
ockadmin | ksfb | ock.ucache.kmc.ksf.standby.path | /home/ockadmin/opt/ock/security/pmt/standby/ksfb
ockadmin | client.crt.pem | ock.zookeeper.security.certs | /home/ockadmin/opt/ock/security/tls/client.crt.pem
ockadmin | client.pem | ock.zookeeper.security.certs | /home/ockadmin/opt/ock/security/tls/client.pem
ockadmin | ca.cert.pem | ock.ucache.rpc.tls.ca.cert.path | /home/ockadmin/opt/ock/security/tls/server/ca.cert.pem
ockadmin | server.cert.pem | ock.ucache.rpc.tls.cert.path | /home/ockadmin/opt/ock/security/tls/server/server.cert.pem
ockadmin | server.keypass.key | ock.ucache.rpc.tls.key.pass.path | /home/ockadmin/opt/ock/security/tls/server/server.keypass.key
ockadmin | server.private.key.pem | ock.ucache.rpc.tls.key.path | /home/ockadmin/opt/ock/security/tls/server/server.private.key.pem
ockadmin | server.crt.pem | ock.zookeeper.security.certs | /home/ockadmin/opt/ock/security/tls/server.crt.pem
- Files generated by the user who submits the Spark tasks are stored in the ${SPARK_HOME}/huawei/ock/security directory of the user.
- Change the owner of the directory or file to Sparkadmin:ockadmin, the directory permission to 700, and the file permission to 600.
├── authorization
│ └── whitelist_en
├── kdc
│ ├── krb5-client_en.keytab
│ └── krb5-server_en.keytab
├── pmt
│ ├── master
│ │ └── ksfa
│ └── standby
│ └── ksfb
└── tls
├── ca.cert.pem
├── client.crt.pem
├── client.pem
├── server.cert.pem
├── server.crt.pem
├── server.keypass.key
└── server.private.key.pem
Generate ca.cert.pem, client.crt.pem, and client.pem on the Spark driver node only; they do not need to be generated on the Spark executor nodes. Then deploy (copy) the three files to both the Spark driver node and every Spark executor node.
The following table lists the configuration items.
Table 2 Configuration information

User | File | Configuration Item | Example Path
Sparkadmin | whitelist_en | ock.ucache.rpc.author.driver.file.path | /home/Sparkadmin/huawei/ock/security/authorization/whitelist_en
Sparkadmin | krb5-client_en.keytab | ock.ucache.rpc.auth.kerb.client.keytab | /home/Sparkadmin/huawei/ock/security/kdc/krb5-client_en.keytab
Sparkadmin | krb5-client_en.keytab | ock.zookeeper.sdk.security.client.keytab | /home/Sparkadmin/huawei/ock/security/kdc/krb5-client_en.keytab
Sparkadmin | krb5-server_en.keytab | ock.ucache.rpc.auth.driver.kerb.server.keytab | /home/Sparkadmin/huawei/ock/security/kdc/krb5-server_en.keytab
Sparkadmin | ksfa | ock.ucache.sdk.kmc.ksf.primary.path | /home/Sparkadmin/huawei/ock/security/pmt/master/ksfa
Sparkadmin | ksfb | ock.ucache.sdk.kmc.ksf.standby.path | /home/Sparkadmin/huawei/ock/security/pmt/standby/ksfb
Sparkadmin | client.crt.pem | ock.zookeeper.sdk.security.certs | /home/Sparkadmin/huawei/ock/security/tls/client.crt.pem
Sparkadmin | client.pem | ock.zookeeper.sdk.security.certs | /home/Sparkadmin/huawei/ock/security/tls/client.pem
Sparkadmin | ca.cert.pem | ock.ucache.rpc.tls.sdk.ca.cert.path | /home/Sparkadmin/huawei/ock/security/tls/ca.cert.pem
Sparkadmin | server.cert.pem | ock.ucache.rpc.tls.driver.cert.path | /home/Sparkadmin/huawei/ock/security/tls/server.cert.pem
Sparkadmin | server.keypass.key | ock.ucache.rpc.tls.driver.key.pass.path | /home/Sparkadmin/huawei/ock/security/tls/server.keypass.key
Sparkadmin | server.private.key.pem | ock.ucache.rpc.tls.driver.key.path | /home/Sparkadmin/huawei/ock/security/tls/server.private.key.pem
Sparkadmin | server.crt.pem | ock.zookeeper.sdk.security.certs | /home/Sparkadmin/huawei/ock/security/tls/server.crt.pem
The files in the authorization directory are used for authorization, the files in the kdc directory for Kerberos authentication, the files in the tls directory for TLS-protected transmission, and the files in the pmt directory (ksfa and ksfb, the primary and standby KMC key files) hold the encryption key used to protect the certificate files. The files in the authorization, kdc, and tls directories are encrypted with the key in the pmt directory, so the pmt files must be protected at least as strictly as the material they encrypt. For details about how to encrypt files, see 4.2.
- Files generated by the ZooKeeper user are stored in the ${ZOOKEEPER_HOME}/huawei/ock/security directory of the user.
- Change the owner of the directory or file to Zookeeperadmin:ockadmin, the directory permission to 700, and the file permission to 600.
├── kdc
│ └── zookeeper_en.keytab
├── pmt
│ ├── master
│ │ └── ksfa
│ └── standby
│ └── ksfb
The configurations are as follows:

User | File | Configuration Item | Example Path
Zookeeperadmin | zookeeper_en.keytab | keytab | /home/Zookeeperadmin/huawei/ock/security/kdc/zookeeper_en.keytab
Zookeeperadmin | ksfa | kmc.ksf.primary.path | /home/Zookeeperadmin/huawei/ock/security/pmt/master/ksfa
Zookeeperadmin | ksfb | kmc.ksf.standby.path | /home/Zookeeperadmin/huawei/ock/security/pmt/standby/ksfb
For details about the ZooKeeper configuration, see 2.2.3.
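The ownership and permission rules above (owner user:group, directories 700, files 600, umask 077 or stricter) apply to all three security trees, and a keytab or private key that is readable by other local users lets them impersonate the service, so it is worth checking them mechanically. The following script is an added example and is not part of the OmniShuffle documentation or product: it hardens a security tree, audits it, checks the umask requirement from the prerequisites, and cross-checks every file path referenced from a properties file against the same policy. The properties-file format (one key=value line per item, comma-separated lists of paths allowed, no spaces in paths) and all paths and user names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the OmniShuffle documentation or product.
# Applies and verifies the file-permission policy the procedure requires on a
# security tree, and cross-checks paths referenced from a properties file.
# The properties-file format and all paths/user names are assumptions.

# harden_security_dir DIR OWNER:GROUP
# Recursively sets ownership, directories to 700 and files to 600.
harden_security_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    chown -R "$owner" "$dir" || return 1
    find "$dir" -type d -exec chmod 700 {} + || return 1
    find "$dir" -type f -exec chmod 600 {} + || return 1
}

# audit_security_dir DIR OWNER:GROUP
# Prints every entry that violates the policy on stderr; returns 1 if any.
audit_security_dir() {
    dir=$1; owner=$2
    user=${owner%%:*}; group=${owner#*:}
    violations=$(
        find "$dir" -type d ! -perm 700 -print | sed 's/^/dir not 700: /'
        find "$dir" -type f ! -perm 600 -print | sed 's/^/file not 600: /'
        find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print \
            | sed "s/^/not owned by $owner: /"
    )
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations" >&2
    return 1
}

# check_umask [VALUE]
# Verifies that a umask (default: the shell's current one) clears every
# group and other bit, i.e. is 077 or stricter.
check_umask() {
    u=${1:-$(umask)}
    # 0$u forces octal; 077 == 63 decimal
    if [ $(( 0$u & 077 )) -eq 63 ]; then return 0; fi
    echo "umask is $u; expected 077 or stricter" >&2
    return 1
}

# check_config_paths PROPERTIES_FILE OWNER:GROUP
# Assumed format: one key=value per line, '#' comments, values may be a
# comma-separated list of paths. For every key that names a keytab, key store,
# certificate or key file, verify the file exists, is mode 600 and is owned by
# OWNER:GROUP. Returns 1 and reports each offending entry otherwise.
check_config_paths() {
    props=$1; owner=$2
    user=${owner%%:*}; group=${owner#*:}
    rc=0
    while IFS='=' read -r key value; do
        case $key in ''|\#*) continue ;; esac
        case $key in
            *.path|*.keytab|*.certs|keytab) ;;   # keys from the tables above
            *) continue ;;
        esac
        # paths are assumed to contain neither spaces nor commas
        for p in $(printf '%s' "$value" | tr ',' ' '); do
            if [ ! -f "$p" ]; then
                echo "$key: missing file $p" >&2; rc=1
            elif [ -n "$(find "$p" \( ! -perm 600 -o ! -user "$user" \
                                     -o ! -group "$group" \) -print)" ]; then
                echo "$key: wrong mode or owner on $p" >&2; rc=1
            fi
        done
    done < "$props"
    return $rc
}

# Usage (run as the account that owns the tree):
#   check_umask
#   harden_security_dir "$OCK_HOME/security" ockadmin:ockadmin
#   audit_security_dir  "$OCK_HOME/security" ockadmin:ockadmin
#   check_config_paths  /path/to/ock.properties ockadmin:ockadmin
```

Run it as the account that owns the tree (for example ockadmin for ${OCK_HOME}/security, Sparkadmin for ${SPARK_HOME}/huawei/ock/security) with the owner:group from the corresponding table; check_config_paths takes a file holding the key=value pairs from the tables and reports any referenced file that is missing or readable beyond its owner. Treat any audit failure as a finding rather than a cosmetic issue.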