
Data transfer between two Kerberos-secured clusters

I am trying to transfer data between two secured Kerberos clusters. I am facing the issue that I have no config change access to the source cluster, so I need to change everything on the destination cluster. Is there any way that I can set up a trust realm between both clusters without editing any config on the source cluster?

If you are using distcp, then you will have to make sure both clusters' KDCs know each other, by editing krb5.conf to add [realms] and [domain_realm] entries on each cluster so that it knows about the other cluster, as follows:

[realms]
        <CLUSTER2_REALM> = {
                kdc = <cluster2_server_kdc_host>:88
                admin_server = <cluster2_server_kdc_host>:749
                default_domain = <cluster2_host>
        }
[domain_realm]
        Cluster2_NN1 = CLUSTER2_REALM
        Cluster2_NN2 = CLUSTER2_REALM

Similarly on cluster2 as well, with CLUSTER1 details.

Then you need to create principals on both clusters:

addprinc -e "aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal" krbtgt/<CLUSTER1_REALM>@<CLUSTER2_REALM>

modprinc -maxrenewlife <n>day krbtgt/<CLUSTER1_REALM>@<CLUSTER2_REALM>

The properties below need to be set for hadoop.security.auth_to_local:

In Cluster1:
RULE:[1:$1@$0](.*@\Q<CLUSTER2_REALM>\E$)s/@\Q<CLUSTER2_REALM>\E$//
RULE:[2:$1@$0](.*@\Q<CLUSTER2_REALM>\E$)s/@\Q<CLUSTER2_REALM>\E$//
In Cluster2:
RULE:[1:$1@$0](.*@\Q<CLUSTER1_REALM>\E$)s/@\Q<CLUSTER1_REALM>\E$//
RULE:[2:$1@$0](.*@\Q<CLUSTER1_REALM>\E$)s/@\Q<CLUSTER1_REALM>\E$//

Restart the KDC:

/etc/init.d/krb5kdc stop
/etc/init.d/kadmin stop
/etc/init.d/krb5kdc start
/etc/init.d/kadmin start

Fail over or restart the NameNodes.
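
An added example, not part of the original answer: a minimal Python model of how the two auth_to_local rules above are evaluated, to check which principals they map to which local user before deploying them. The realm CLUSTER2.EXAMPLE.COM and the principals are constructed, the function names are hypothetical, and only the RULE form used in the answer is modelled.

```python
import re

# One Hadoop auth_to_local rule: RULE:[n:format](match)s/from/to/ plus optional g
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)$")

def to_python_regex(pattern):
    """Rewrite Java's \\Q...\\E literal quoting, which Python's re module lacks."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)

def page_rules(remote_realm):
    """The answer's two rules with the <..._REALM> placeholder filled in."""
    tmpl = r"RULE:[{n}:$1@$0](.*@\Q{r}\E$)s/@\Q{r}\E$//"
    return [tmpl.format(n=n, r=remote_realm) for n in (1, 2)]

def short_name(principal, rules):
    """Return the local user a principal maps to, or None if no rule applies."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    fields = [realm] + parts                      # $0 = realm, $1.. = components
    for rule in rules:
        m = RULE_RE.match(rule.strip())
        if not m:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, match, old, new, every = m.groups()
        if int(count) != len(parts):              # rule is for another principal shape
            continue
        base = re.sub(r"\$(\d)", lambda g: fields[int(g.group(1))], fmt)
        if not re.fullmatch(to_python_regex(match), base):
            continue
        return re.sub(to_python_regex(old), new, base, count=0 if every else 1)
    return None

if __name__ == "__main__":
    REMOTE = "CLUSTER2.EXAMPLE.COM"               # constructed realm name
    for p in ["alice@" + REMOTE,
              "hdfs/nn1.cluster2.example.com@" + REMOTE,
              "alice@CLUSTER2xEXAMPLE.COM",       # look-alike realm, must not match
              "alice@OTHER.EXAMPLE.COM"]:
        print(f"{p:50} -> {short_name(p, page_rules(REMOTE))}")
```

Both rules strip the realm, so alice@<CLUSTER2_REALM> becomes the same local user alice as a Cluster1 principal of that name, with the same HDFS permissions. The \Q...\E quoting is what keeps a look-alike realm (dots replaced by other characters) from matching.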
