本操作流程中將KDC服務安裝在Cloudera Manager Server所在服務器上（KDC服務可根據自己需要安裝在其他服務器）。

前提條件

1. CDP集群正常運行

2. 集群未啟用Kerberos

操作流程

1. 安裝及配置KDC服務

2. CDP集群啟用Kerberos

集群環境

1. 操作系統：CentOS7.9

2. CDP版本：Cloudera Runtime 7.1.6 (Parcels)

3. 采用root用戶進行操作

KDC服務安裝及配置

1.修改/etc/krb5.conf配置

vim/etc/krb5.conf 配置模板

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = BDPHTSEC.COM
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 1d
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts
default_tkt_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1
kdc_timeout = 3000

[realms]
BDPHTSEC.COM = {
  kdc = cdp-utility-1.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com
  admin_server = cdp-utility-1.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com
}

[domain_realm]
.c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com = BDPHTSEC.COM
c-a4542b55a0e64699.cn-hangzhou.cdp.aliyuncs.com = BDPHTSEC.COM

2.修改/var/kerberos/krb5kdc/kadm5.acl配置

*/admin@BDPHTSEC.COM      *

3.修改/var/kerberos/krb5kdc/kdc.conf配置

[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
BDPHTSEC.COM = {
  database_name = /var/kerberos/krb5kdc/principal
  max_renewable_life = 7d
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts aes128-cts
}

4.創建Kerberos數據庫，并輸入密碼

 kdb5_util create –r BDPHTSEC.COM -s

5.創建Kerberos的管理賬號需要輸入管理員密碼

[root@cdp-utility-1 ~]# kadmin.local
Authenticating as principal root/admin@BDPHTSEC.COM with password.
kadmin.local:  addprinc admin/admin@BDPHTSEC.COM
WARNING: no policy specified for admin/admin@BDPHTSEC.COM; defaulting to no policy
Enter password for principal "admin/admin@BDPHTSEC.COM":
Re-enter password for principal "admin/admin@BDPHTSEC.COM":
Principal "admin/admin@BDPHTSEC.COM" created.
kadmin.local:  exit

6.將Kerberos服務添加到自啟動服務，并啟動krb5kdc和kadmin服務

[root@ ~]# systemctl enable krb5kdc
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
[root@ ~]# systemctl enable kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.
[root@~]# systemctl start krb5kdc
[root@ ~]# systemctl start kadmin

7.測試Kerberos的管理員賬號

[root@cdp-utility-1 ~]# kinit admin/admin@BDPHTSEC.COM
Password for admin/admin@BDPHTSEC.COM:
[root@cdp-utility-1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@BDPHTSEC.COM

Valid starting       Expires              Service principal
2021-10-15T16:26:47  2021-10-16T16:26:47  krbtgt/BDPHTSEC.COM@BDPHTSEC.COM
        renew until 2021-10-22T16:26:47

8.Cloudera Manager Server服務器上已經默認安裝了openldap-clients，如果沒有可以執行下面命令安裝

[root@cdp-utility-1 ~]# yum -y install openldap-client
已加載插件：fastestmirror
Loading mirror speeds from cached hostfile
沒有可用軟件包 openldap-client。
錯誤：無須任何處理

9.將KDC Server上的krb5.conf文件拷貝到所有Kerberos客戶端（分發到所有的節點）

scp /etc/krb5.conf cdp-master-1:/etc
scp /etc/krb5.conf cdp-core-1:/etc
scp /etc/krb5.conf cdp-core-2:/etc
scp /etc/krb5.conf cdp-core-3:/etc

CDH集群啟用Kerberos

1.在KDC中給Cloudera Manager添加管理員賬號，并輸入密碼確認。

[root@cdp-utility-1 ~]# kadmin.local
Authenticating as principal admin/admin@BDPHTSEC.COM with password.
kadmin.local:  addprinc cloudera/admin@BDPHTSEC.COM

2.進入Cloudera Manager的“管理”->“安全”界面，選擇“啟用Kerberos”。

3.確保如下列出的所有檢查項都已完成，點擊勾選并繼續。

4.Enter KDC Information

配置相關的KDC信息，包括類型、KDC服務器、KDC Realm、加密類型以及待創建的Service Principal（hdfs，yarn，hbase，hive等）的更新生命期等，并繼續。

5.不建議讓Cloudera Manager來管理krb5.conf, 點擊“繼續”。

6.輸入Cloudera Manager的Kerbers管理員賬號，一定得和之前創建的賬號一致，點擊“繼續”。

7.驗證通過，點擊下一步。

8.保持默認點擊繼續。

9.點擊“完成”，至此已成功啟用Kerberos。

等待服務安裝完成，查看各個服務都能正常啟動。