Cloudera从CM6.3版本开始,引入了Red Hat IdM来做整个集群的认证,Red Hat IdM对应的软件为FreeIPA,在本文中描述如何使用FreeIPA来做CDP-DC集群的认证。关于FreeIPA服务器搭建参考<>。之前的文章包括<>,<>,<>,<>。
本篇文章主要介绍在CDP-DC平台上如何为Impala集成RedHat7的FreeIPA的LDAP认证。
3) CM和Cloudera Runtime版本为7.1.1
4) 集群已使用FreeIPA启用的Kerberos
2) CDP-DC集群已启用FreeIPA提供的Kerberos
|
|
|
|
|
|
ip-10-0-0-170.ap-southeast-1.compute.internal
|
|
这里我们将
10.0.0.170
做为FreeIPA服务器的节点。
|
|
|
|
|
|
ip-10-0-0-214.ap-southeast-1.compute.internal
|
|
修改LDAP相关配置,通过这里可以进行全局配置,配置后所有的Impala服务均使用该配置
|
|
|
|
|
|
|
|
|
|
ldaps://ip-10-0-0-170.ap-southeast-1.compute.internal:636
|
|
|
|
cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
|
|
|
|
uid={0},cn=users,cn=accounts,dc=ap-southeast-1,dc=compute,dc=internal
|
|
注意:
ldap_baseDN和ldap_bind_pattern两个参数不能同时配置,只需要配置一个即可。
2.在Impala Daemon命令行添加如下配置” --ldap_passwords_in_clear_ok”
1. 使用impala-shell命令登录Impala Daemon测试
[root@ip-10-0-0-214 cloudera-scm-server]Starting Impala Shell using LDAP-based authenticationLDAP password for superuser:Error connecting: TTransportException, TSocket read 0 bytesKerberos ticket found in the credentials cache, retrying the connection with a secure transport.Opened TCP connection to ip-10-0-0-214.ap-southeast-1.compute.internal:21000Connected to ip-10-0-0-214.ap-southeast-1.compute.internal:21000Server version: impalad version 3.4.0-SNAPSHOT RELEASE (build 9d706887f48ea336865d9cb7ddb266999668eb6e)***********************************************************************************Welcome to the Impala shell.(Impala Shell v3.4.0-SNAPSHOT (9d70688) built on Wed May 20 19:05:43 UTC 2020)
Run the PROFILE command after a query has finished to see a comprehensive summaryof all the performance and diagnostic information that Impala gathered for thatquery. Be warned, it can be very long!***********************************************************************************
LDAP authentication is enabled, but the connection to Impala is not secured by TLS.ALL PASSWORDS WILL BE SENT IN THE CLEAR TO IMPALA.[ip-10-0-0-214.ap-southeast-1.compute.internal:21000] default>
从日志中可以看到使用的LDAP认证方式,登录成功,可以正常执行SQL操作。
注意:在使用impala-shell命令登录Impala Daemon时需要增加参数“--auth_creds_ok_in_clear”,因为我们的OpenLDAP服务未启用TLS加密的原因。
在不带--auth_creds_ok_in_clear参数时执行上面的登陆命令:
[root@ip-10-0-0-214 cloudera-scm-server]# impala-shell -i ip-10-0-0-214.ap-southeast-1.compute.internal -l -u superuserLDAP credentials may not be sent over insecure connections. Enable SSL or set --auth_creds_ok_in_clear
impala-shell -i ip-10-0-0-214.ap-southeast-1.compute.internal -d default -k
[root@ip-10-0-0-214 cloudera-scm-server]# klistTicket cache: FILE:/tmp/krb5cc_0Default principal: [email protected]
Valid starting Expires Service principal06/17/2020 05:11:31 06/18/2020 05:11:29 krbtgt/[email protected] renew until 06/24/2020 05:11:2906/17/2020 05:24:25 06/18/2020 05:11:29 impala/ip-10-0-0-214.ap-southeast-1.compute.internal@AP-SOUTHEAST-1.COMPUTE.INTERNAL renew until 06/24/2020 05:11:29[root@ip-10-0-0-214 cloudera-scm-server]# impala-shell -i ip-10-0-0-214.ap-southeast-1.compute.internal -d default -kStarting Impala Shell using Kerberos authenticationUsing service name 'impala'Opened TCP connection to ip-10-0-0-214.ap-southeast-1.compute.internal:21000Connected to ip-10-0-0-214.ap-southeast-1.compute.internal:21000Server version: impalad version 3.4.0-SNAPSHOT RELEASE (build 9d706887f48ea336865d9cb7ddb266999668eb6e)Query: use `default`***********************************************************************************Welcome to the Impala shell.(Impala Shell v3.4.0-SNAPSHOT (9d70688) built on Wed May 20 19:05:43 UTC 2020)
Every command must be terminated by a ';'.***********************************************************************************Query: use `default`[ip-10-0-0-214.ap-southeast-1.compute.internal:21000] default>
Cloudera Manager-> 群集 -> Hue -> 配置,在范围中选择Hue Server,在类别中选择高级。
然后找到
Hue Server Advanced Configuration Snippet (Safety Valve) for hue_safety_valve_server.ini
,添加下面的属性。
[impala]auth_username=<LDAP username of Hue user to be authenticated>auth_password=<LDAP password of Hue user to be authenticated>
• 同一个Impala Daemon服务可以同时支持Kerberos和LDAP认证。
• 和Hive一样,一旦集群启用了Kerberos,Impala默认使用Kerberos认证,不需要单独配置。注意这里和LDAP认证配置的区别。
• 在OpenLDAP服务未启用TLS加密时,impala-shell访问Impala Daemon需要在增加参数--auth_creds_ok_in_clear,否则会报错“LDAP credentials may not besent over insecure connections. Enable SSL or set --auth_creds_ok_in_clear”
