
Configuring Kerberos security authentication for Hive (Hive revoke permissions)

liebian365 2024-11-09 13:48

Goal:
Install and configure Kerberos authentication for a newly built Hadoop cluster and a Hive installation on top of it.

Versions:
CentOS 7.7
Hadoop 2.7.6
Hive 1.2.2

Deployment plan:
192.168.216.111 hadoop01 namenode, resourcemanager, datanode, nodemanager, hive, KDC
192.168.216.112 hadoop02 datanode, nodemanager, secondarynamenode, Kerberos client
192.168.216.113 hadoop03 datanode, nodemanager, Kerberos client

Chapter 1  Kerberos authentication

1.1 Kerberos overview

    Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of secret-key cryptography. The authentication does not rely on the host operating system's own authentication, does not trust hosts on the basis of their network addresses, does not require every host on the network to be physically secure, and assumes that packets on the network can be read, modified and injected at will. Under these assumptions Kerberos acts as a trusted third-party authentication service and performs authentication with conventional (shared-secret) cryptography.


1.2 How Kerberos authentication works

Kerberos revolves around tickets. A ticket is like a driver's licence: it identifies the holder and states what the holder is allowed to do (which classes of vehicle, in the licence analogy).

Kerberos is an authentication protocol built on symmetric-key cryptography. It is an independent, trusted third-party authentication service that other services rely on, and it supports SSO: once a client has authenticated, it can access several services (HBase, HDFS, ...) without authenticating again.

The protocol has two main phases: first the KDC authenticates the client, then the service authenticates the client.

Terminology:

KDC: the Kerberos server, the Key Distribution Center; it manages and issues tickets and records what it has granted.
Client: the user (principal) that wants to use a service; both the KDC and the service authenticate it.
Service: a service integrated with Kerberos, such as HDFS, YARN or HBase.
principal: every user or service added to the KDC gets a principal, written as primary/instance@REALM (the instance part is optional for ordinary users).
TGT: Ticket Granting Ticket.
SGT: Service Granting Ticket, i.e. the service ticket.

Authentication steps:

  • The KDC authenticates the client
    Before a client (principal) can use a Kerberized service it must authenticate to the KDC. With pre-authentication enabled the client proves that it knows its long-term key (derived from its password, or stored in a keytab) by sending a timestamp encrypted under that key.
    If that succeeds the client receives a TGT (Ticket Granting Ticket), which it uses from then on to get access to Kerberized services without entering its password again.
  • The service authenticates the client
    Holding a TGT, the client presents it to the KDC together with the name of the service it wants (for example hdfs/hadoop01@HIVE.COM) and receives an SGT (Service Granting Ticket) for that service. It then presents the SGT to the service, which decrypts it with its own long-term key (from its keytab), checks the client's authenticator against the session key carried inside the ticket and, if everything matches, grants access. The service does not need to contact the KDC for this.
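The two phases above, worked through in code. This is an added example and not code from the original post: the KDC, the client and the service are objects in one Python process exchanging sealed messages, seal/unseal are a constructed stand-in for a Kerberos enctype, and the principal names together with the CLOCKSKEW and TICKET_LIFETIME constants simply mirror the HIVE.COM realm and the krb5.conf values set in 1.3.4 below. It shows the pre-authentication timestamp, why the client never learns the service's key, how the service verifies the client without contacting the KDC, and how a wrong password, a client clock off by more than clockskew, or an expired TGT are rejected.

```python
"""Toy model of the two Kerberos phases: AS exchange (KDC authenticates the
client, issues a TGT), TGS exchange (TGT -> service ticket) and AP exchange
(service authenticates the client).  Added example; seal/unseal are a
constructed stand-in for a real enctype and must not protect real data."""
import hashlib, hmac, json, os

CLOCKSKEW = 120              # seconds, the meaning of clockskew in krb5.conf
TICKET_LIFETIME = 24 * 3600  # ticket_lifetime = 24h

def string_to_key(password, principal):
    # Simplified string-to-key: the principal name salts the password, as krb5 does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)

def _keystream(key, nonce, length):
    blocks = length // 32 + 1
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def seal(key, obj):
    """Encrypt-then-MAC of a JSON object under a symmetric key (toy cipher)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal; raises PermissionError when the key is wrong (bad MAC)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise PermissionError("integrity check failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _fresh(auth, expected_client, now):
    # An authenticator must name the ticket's client and lie within clockskew of 'now'.
    return auth["client"] == expected_client and abs(auth["timestamp"] - now) <= CLOCKSKEW

class KDC:
    """Holds the principal database: one long-term key per principal."""
    def __init__(self, realm):
        self.realm = realm
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM@REALM, never leaves the KDC
        self.keys = {}

    def addprinc(self, principal, password=None):
        # password=None models 'addprinc -randkey' (service principals used from a keytab)
        key = string_to_key(password, principal) if password else os.urandom(32)
        self.keys[principal] = key
        return key

    def _ticket(self, client, service, now):
        session_key = os.urandom(32)
        return session_key, {"client": client, "service": service, "session_key": session_key.hex(),
                             "authtime": now, "endtime": now + TICKET_LIFETIME}

    def as_exchange(self, client, pa_enc_timestamp, now):
        """Phase 1: client proves its key via PA-ENC-TIMESTAMP, KDC returns a TGT."""
        ckey = self.keys[client]
        ts = unseal(ckey, pa_enc_timestamp)["timestamp"]   # wrong password -> PermissionError
        if abs(ts - now) > CLOCKSKEW:
            raise PermissionError("pre-authentication timestamp outside clockskew")
        skey, tgt = self._ticket(client, "krbtgt/%s@%s" % (self.realm, self.realm), now)
        return {"tgt": seal(self.tgs_key, tgt),
                "enc_part": seal(ckey, {"session_key": skey.hex(), "endtime": tgt["endtime"]})}

    def tgs_exchange(self, tgt_blob, authenticator, service, now):
        """Phase 2a: TGT + authenticator -> service ticket (SGT) for 'service'."""
        tgt = unseal(self.tgs_key, tgt_blob)
        skey = bytes.fromhex(tgt["session_key"])
        if not _fresh(unseal(skey, authenticator), tgt["client"], now):
            raise PermissionError("bad authenticator")
        if now > tgt["endtime"]:
            raise PermissionError("TGT expired")
        sskey, sgt = self._ticket(tgt["client"], service, now)
        return {"ticket": seal(self.keys[service], sgt),      # only the service can open this
                "enc_part": seal(skey, {"session_key": sskey.hex()})}

def service_accept(service_key, ticket_blob, authenticator, now):
    """Phase 2b: the service opens the SGT with its own keytab key and checks the
    authenticator; the KDC is not involved.  Returns the authenticated client."""
    sgt = unseal(service_key, ticket_blob)
    if not _fresh(unseal(bytes.fromhex(sgt["session_key"]), authenticator), sgt["client"], now):
        raise PermissionError("bad authenticator")
    if now > sgt["endtime"]:
        raise PermissionError("service ticket expired")
    return sgt["client"]

def login_and_access(kdc, client, password, service, service_key, now, skew=0.0):
    """Whole client side (kinit, then a service call); 'skew' is the client clock error."""
    ckey = string_to_key(password, client)
    rep = kdc.as_exchange(client, seal(ckey, {"timestamp": now + skew}), now)
    session = bytes.fromhex(unseal(ckey, rep["enc_part"])["session_key"])
    auth = {"client": client, "timestamp": now + skew}
    tgs = kdc.tgs_exchange(rep["tgt"], seal(session, auth), service, now)
    ssession = bytes.fromhex(unseal(session, tgs["enc_part"])["session_key"])
    return service_accept(service_key, tgs["ticket"], seal(ssession, auth), now)
```

login_and_access() plays the part of kinit followed by one service request; the service key returned by addprinc() without a password is what would otherwise sit in a keytab file, and the client only ever sees session keys.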


1.3 Installing Kerberos

1.3.1 Kerberos server (KDC) installation

[root@hadoop01 ~]# yum install -y krb5-server krb5-libs krb5-workstation
or, equivalently, including the auth dialog helper:
yum install -y krb5-server krb5-libs krb5-auth-dialog krb5-workstation
(The package is krb5-libs; there is no package called krb5-lib.)

1.3.2 Kerberos client installation

The client packages only need to be installed on the Hadoop worker nodes; hadoop01 already has them from the server install.
[root@hadoop02 ~]# yum install -y krb5-libs krb5-workstation
[root@hadoop03 ~]# yum install -y krb5-libs krb5-workstation


1.3.3 KDC configuration

Edit this file on the Kerberos server only.

[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kdc.conf
Change the content as follows:
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
# EXAMPLE.COM = {
#  #master_key_type = aes256-cts
#  acl_file = /var/kerberos/krb5kdc/kadm5.acl
#  dict_file = /usr/share/dict/words
#  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
#  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
# }

 HIVE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  max_renewable_life = 7d
  supported_enctypes = aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Notes on the settings:

HIVE.COM: the realm. The name is arbitrary; Kerberos can serve several realms, and realm names are conventionally upper case.
master_key_type and supported_enctypes default to aes256-cts. Java can only use AES-256 Kerberos keys when the JCE Unlimited Strength Jurisdiction Policy files are installed (JDK 8u161 and later enable unlimited strength by default), so this setup leaves AES-256 out.
acl_file: the file that states which admin principals have which privileges. Each line has the form
Kerberos_principal permissions [target_principal] [restrictions]; wildcards are supported (see 1.3.5).
admin_keytab: the keytab kadmind uses to authenticate incoming kadmin connections.
dict_file: word list used to reject dictionary passwords.
supported_enctypes: the key types generated for every new principal. Remove aes256-cts here if your JVM lacks the policy files.
max_renewable_life: the longest a renewable ticket can keep being renewed; it matches renew_lifetime in krb5.conf.
Caveat: the list above still contains single DES (des-hmac-sha1, des-cbc-md5, des-cbc-crc), RC4 (arcfour-hmac) and 3DES (des3-hmac-sha1). All of these are deprecated (RFC 6649 for DES, RFC 8429 for 3DES and RC4) and the DES keys are brute-forceable on commodity hardware. Every principal created with this list gets a key of each type, and a client can negotiate down to them. Keep aes128-cts:normal (and aes256-cts:normal once the JVM supports it) and drop the rest unless a legacy client genuinely needs them.


1.3.4 krb5.conf

krb5.conf must be configured on the Kerberos server and on every client.
Kerberos server configuration:
[root@hadoop01 ~]# vi /etc/krb5.conf

Replace the content with the following:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# dns_lookup_realm = false
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true
# rdns = false
# pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
## default_realm = EXAMPLE.COM
# default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = HIVE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 clockskew = 120
 udp_preference_limit = 1

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
 HIVE.COM = {
  kdc = hadoop01
  admin_server = hadoop01
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 .hive.com = HIVE.COM
 hive.com = HIVE.COM


Kerberos client configuration:
[root@hadoop02 ~]# vi /etc/krb5.conf
same content as above
[root@hadoop03 ~]# vi /etc/krb5.conf
same content as above

Notes on the settings:

[logging]: where the server-side logs are written.
udp_preference_limit = 1: send every Kerberos message over TCP instead of UDP. This avoids a known problem with Hadoop clients and large tickets over UDP.
ticket_lifetime: how long an issued ticket is valid, usually 24 hours.
renew_lifetime: how long a ticket can keep being renewed, usually one week. Once a ticket has expired, further requests to Kerberized services fail until the client obtains a new one.
clockskew: the tolerance, in seconds, between the timestamps inside a ticket and the host's own clock; tickets outside this window are rejected. Keep all hosts in NTP sync: a drift larger than 120 s makes every authentication fail.
default_ccache_name stays commented out so that credential caches live in /tmp/krb5cc_<uid>; the Java Kerberos login used by Hadoop cannot read the kernel keyring cache that the commented line would select.
Replace the default EXAMPLE.COM realm with your own, here HIVE.COM. In particular:
default_realm: the realm assumed when a principal is given without one, e.g. HIVE.COM.
kdc: the host running the KDC, given as a host name.
admin_server: the host running kadmind, given as a host name.
[domain_realm]: maps DNS domains to realms (hive.com and all of its subdomains to HIVE.COM here). The older default_domain setting is not needed.


1.3.5 ACL for the database administrator

Admin privileges on the Kerberos database; configured on the Kerberos server.

[root@hadoop01 ~]# vi /var/kerberos/krb5kdc/kadm5.acl
Change it to:
*/admin@HIVE.COM        *

Notes:

This line gives every principal whose instance is admin (admin/admin, alice/admin, ...) every permission on every principal in the database. That is convenient for a lab; in production, name the admin principals explicitly and restrict what they may touch through the target_principal column. See the kadm5.acl documentation for the full syntax.
There are two ways to administer the KDC database:
kadmin.local: runs on the KDC host itself and opens the database files directly, so it asks for no Kerberos password (it needs local root access to the database and stash file, and kadm5.acl is not consulted).
kadmin: can run on any host in the realm; it talks to kadmind over the network, authenticates with an admin principal's password, and is subject to kadm5.acl.
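To see what the single line above actually grants, here is a small evaluator for kadm5.acl rules, as an added example that is not part of the page and not MIT krb5's code. It models the documented format (principal, permission letters, optional target principal) with the simplifications stated in its docstring: `*` matches any string within one component of a principal, the first line that matches both the admin and the target decides, lowercase letters grant and uppercase letters deny, and the restrictions column and `*1`-style back-references are not modelled. PAGE_ACL is the page's own rule; TIGHT_ACL is a constructed least-privilege alternative in which a named Hive operator can manage only hive/* principals.

```python
"""Evaluator for kadm5.acl lines (simplified model of MIT krb5's matching):
'principal permissions [target_principal]'; '*' in a principal component
matches any string; first matching line wins; lowercase grants, uppercase
denies.  Added example; the two ACL texts below are constructed."""
from fnmatch import fnmatchcase

ALL = set("adilmcsp")   # add, delete, inquire, list, modify, changepw, setkey, purgekeys

PAGE_ACL = """\
*/admin@HIVE.COM        *
"""

# Least-privilege variant: the named admin keeps everything, a Hive operator may
# only add/delete/changepw/inquire/setkey hive/* principals and may not list the DB.
TIGHT_ACL = """\
# narrow rules first: the first matching line wins
hiveops/admin@HIVE.COM   adcis   hive/*@HIVE.COM
admin/admin@HIVE.COM     *
"""


def split_principal(p):
    """'primary/instance@REALM' -> (primary, instance, realm); instance may be empty."""
    name, _, realm = p.rpartition("@")
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def matches(pattern, principal):
    return all(fnmatchcase(comp, pat)
               for pat, comp in zip(split_principal(pattern), split_principal(principal)))


def parse_acl(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        target = parts[2] if len(parts) > 2 else "*"
        rules.append((parts[0], parts[1], "*/*@*" if target == "*" else target))
    return rules


def allowed(rules, admin, op, target="krbtgt/HIVE.COM@HIVE.COM"):
    """May 'admin' perform operation 'op' (one letter of ALL) on 'target'?"""
    for who, perms, tgt in rules:
        if matches(who, admin) and matches(tgt, target):
            granted = ALL if perms in ("*", "x") else {c for c in perms if c.islower()}
            denied = {c.lower() for c in perms if c.isupper()}
            return op in granted and op not in denied
    return False   # no matching line: kadmind denies
```

With PAGE_ACL any principal ending in /admin@HIVE.COM can delete krbtgt/HIVE.COM; with TIGHT_ACL the hiveops/admin principal can add hive/hadoop02@HIVE.COM but not hdfs/hadoop02@HIVE.COM, and cannot list the database at all. Note that ordering matters: had the `*/admin` line come first in TIGHT_ACL it would have matched hiveops/admin as well and handed it everything.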


1.3.6 Kerberos service setup

1.3.6.1 Create the Kerberos database

Creating the database prompts for the master key password and, on success, writes the principal database files under /var/kerberos/krb5kdc/. To recreate it later, first delete the principal* files in /var/kerberos/krb5kdc.

On the Kerberos server:

[root@hadoop01 ~]# kdb5_util create -s -r HIVE.COM

Enter the KDC master key password twice; make sure you remember it. I set it to root here.

-s stores the master key in a stash file (/var/kerberos/krb5kdc/.k5.HIVE.COM) so that the KDC can start without prompting. Anyone who can read the stash file together with the database can decrypt every principal's key, so keep both readable by root only.


1.3.6.2 Start Kerberos at boot

On the Kerberos server only:

[root@hadoop01 ~]# chkconfig krb5kdc on
[root@hadoop01 ~]# chkconfig kadmin on
[root@hadoop01 ~]# service krb5kdc start
[root@hadoop01 ~]# service kadmin start
[root@hadoop01 ~]# service krb5kdc status
(CentOS 7 forwards these to systemd; the native form is systemctl enable krb5kdc kadmin and systemctl start krb5kdc kadmin.)


1.3.6.3 Create the Kerberos administrator

On the Kerberos server. Start kadmin.local and add the principal admin/admin@HIVE.COM:
[root@hadoop01 ~]# kadmin.local
Authenticating as principal root/admin@HIVE.COM with password.
kadmin.local:  addprinc admin/admin@HIVE.COM
WARNING: no policy specified for admin/admin@HIVE.COM; defaulting to no policy
Enter password for principal "admin/admin@HIVE.COM":
Re-enter password for principal "admin/admin@HIVE.COM":
Principal "admin/admin@HIVE.COM" created.

Type the password twice (I used root). This principal matches the */admin@HIVE.COM line in kadm5.acl, so it can administer the whole database through kadmin from any host.

Leave with q, quit or exit.


Chapter 2  Configuring Kerberos on the Hadoop cluster

Some concepts:
A Kerberos principal identifies one unique identity within the Kerberos system.
Kerberos issues tickets to principals so that they can access the Hadoop services it protects.
For Hadoop, service principals take the form username/fully.qualified.domain.name@YOUR-REALM.COM.

A keytab is a file holding principals and their encrypted long-term keys. A host's service principals carry that host's name as their instance, so keytabs are normally built per host. A keytab lets a process authenticate as a principal without a human typing a password and without a plaintext password on disk. Anyone who can read a keytab can authenticate as every principal in it, so keytabs must be stored carefully and be readable by as few users as possible (here: mode 400, owned by the service user).

Hive can only be Kerberized once the Hadoop cluster is, so the Hadoop cluster is configured first.

2.1 Create the OS users

In the commands below every password is set equal to the user name; choose whatever you like. Use the same uid and gid for each user on all three nodes: YARN's container-executor and the HDFS data directories check ownership by numeric id, and mismatches surface later as permission errors.
# create the hadoop user (and, implicitly, the hadoop group)
[root@hadoop01 hadoop]# useradd hadoop
[root@hadoop01 hadoop]# passwd hadoop

[root@hadoop02 hadoop]# useradd hadoop
[root@hadoop02 hadoop]# passwd hadoop

[root@hadoop03 hadoop]# useradd hadoop
[root@hadoop03 hadoop]# passwd hadoop

# create the yarn user with a uid below 1000:
[root@hadoop01 ~]# useradd -u 502 yarn -g hadoop
# and set its password
[root@hadoop01 ~]# passwd yarn
# (repeat with the same uid on hadoop02 and hadoop03; the NodeManager runs on every node)

# create the hdfs user
[root@hadoop01 hadoop]# useradd hdfs -g hadoop
[root@hadoop01 hadoop]# passwd hdfs

[root@hadoop02 hadoop]# useradd hdfs -g hadoop
[root@hadoop02 hadoop]# passwd hdfs

[root@hadoop03 hadoop]# useradd hdfs -g hadoop
[root@hadoop03 hadoop]# passwd hdfs

# create the HTTP user (Hadoop only needs the HTTP/_HOST Kerberos principal, not an OS account, but the account does no harm)
[root@hadoop01 hadoop]# useradd HTTP
[root@hadoop01 hadoop]# passwd HTTP

[root@hadoop02 hadoop]# useradd HTTP
[root@hadoop02 hadoop]# passwd HTTP

[root@hadoop03 hadoop]# useradd HTTP
[root@hadoop03 hadoop]# passwd HTTP
2.2 Create the Kerberos service principals and their keytab, so that the daemons on every node can authenticate to each other once HDFS/YARN security is switched on


On the KDC node, as root:

[root@hadoop01 ~]# cd /var/kerberos/krb5kdc/
# open the admin shell
[root@hadoop01 krb5kdc]# kadmin.local
# create the service principals (-randkey: random key, no password; only ever used from a keytab)
addprinc -randkey yarn/hadoop01@HIVE.COM
addprinc -randkey yarn/hadoop02@HIVE.COM
addprinc -randkey yarn/hadoop03@HIVE.COM
addprinc -randkey hdfs/hadoop01@HIVE.COM
addprinc -randkey hdfs/hadoop02@HIVE.COM
addprinc -randkey hdfs/hadoop03@HIVE.COM
addprinc -randkey HTTP/hadoop01@HIVE.COM
addprinc -randkey HTTP/hadoop02@HIVE.COM
addprinc -randkey HTTP/hadoop03@HIVE.COM
# extract the keys into keytab files in the current directory (xst appends to an existing file)
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k yarn.keytab  yarn/hadoop03@HIVE.COM"

[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k HTTP.keytab  HTTP/hadoop03@HIVE.COM"

[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab hdfs/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab  hdfs/hadoop02@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst  -k hdfs-unmerged.keytab hdfs/hadoop03@HIVE.COM"
Note: each xst (ktadd) call generates a fresh key and bumps the principal's KVNO, which invalidates every keytab copy of that principal extracted earlier. Extract each principal once, or use "xst -norandkey" (kadmin.local only) when you need another copy. HTTP/hadoop03 appears in the listing below with both KVNO 7 and 8 because it was extracted twice.

# merge into one keytab: rkt reads a keytab into ktutil's list, wkt writes the list out to a file
[root@hadoop01 krb5kdc]# ktutil
ktutil:  rkt hdfs-unmerged.keytab
ktutil:  rkt HTTP.keytab
ktutil:  rkt yarn.keytab
ktutil:  wkt hdfs.keytab
ktutil:  q
Note: the text after "ktutil:" is what you type.

# inspect (-k keytab, -e show enctypes, -t show timestamps)
[root@hadoop01 krb5kdc]# klist -ket  hdfs.keytab
Keytab name: FILE:hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des3-cbc-sha1)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (arcfour-hmac)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia256-cts-cmac)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (camellia128-cts-cmac)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-hmac-sha1)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-cbc-md5)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des3-cbc-sha1)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (arcfour-hmac)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia256-cts-cmac)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (camellia128-cts-cmac)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-hmac-sha1)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des-cbc-md5)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des3-cbc-sha1)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (arcfour-hmac)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia256-cts-cmac)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (camellia128-cts-cmac)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-hmac-sha1)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (des-cbc-md5)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des3-cbc-sha1)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (arcfour-hmac)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia256-cts-cmac)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (camellia128-cts-cmac)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-hmac-sha1)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (des-cbc-md5)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des3-cbc-sha1)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (arcfour-hmac)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia256-cts-cmac)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (camellia128-cts-cmac)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-hmac-sha1)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (des-cbc-md5)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des3-cbc-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (arcfour-hmac)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia256-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (camellia128-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-hmac-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (des-cbc-md5)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des3-cbc-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (arcfour-hmac)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia256-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (camellia128-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-hmac-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (des-cbc-md5)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des3-cbc-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (arcfour-hmac)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia256-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (camellia128-cts-cmac)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-hmac-sha1)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (des-cbc-md5)

The listing above should contain an entry for every principal each node needs. It has no hdfs/hadoop03@HIVE.COM entry at all, even though xst was run for that principal; that is exactly the principal whose keytab login fails in error 3 of section 2.7. Re-run the xst for hdfs/hadoop03@HIVE.COM and merge again before copying the keytab out.

Copy hdfs.keytab into the Hadoop configuration directory and set its ownership and mode. "Login failure from keytab" errors later on are very often a file-permission problem, so check this first. Keep in mind that one keytab shared by every daemon on every node means that compromising any one daemon's host yields all service identities, including hdfs, the HDFS superuser; per-service keytabs holding only that service's principals are the recommended layout.

[root@hadoop01 krb5kdc]# cp ./hdfs.keytab /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 krb5kdc]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hadoop]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab


2.3 Configure the Hadoop cluster

core-site.xml:

<!-- add the following -->
<property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
</property>
<property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
</property>
<!-- hadoop.security.authentication=kerberos turns on Kerberos for all Hadoop RPC;
     hadoop.security.authorization=true additionally enforces the service-level ACLs
     in hadoop-policy.xml. The NameNode and ResourceManager web UIs stay
     unauthenticated unless hadoop.http.authentication.type=kerberos is set as well,
     which this page does not do. -->


yarn-site.xml

<!-- add the following; leave the memory property commented out if the nodes are short of RAM
<property>
      <name>yarn.nodemanager.resource.memory-mb</name>
      <value>1024</value>
</property>
-->
<!-- ResourceManager security configs -->
<property>
  <name>yarn.resourcemanager.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>yarn.resourcemanager.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>
<!-- NodeManager security configs -->
<property>
  <name>yarn.nodemanager.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>yarn.nodemanager.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>
<!-- _HOST is replaced with the local host name at start-up, so one file serves every node.
     This page reuses the hdfs principal and keytab for YARN and the job history server;
     the Hadoop documentation uses yarn/_HOST and mapred/_HOST with their own keytabs,
     which keeps the HDFS superuser identity out of the YARN daemons. -->
<property>
  <name>yarn.nodemanager.container-executor.class</name>
  <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>
</property>
<!-- must be the same group as in container-executor.cfg and the group owner of
     bin/container-executor (root:hadoop, see error 5 below). The original page had
     "yarn" here and "hadoop" in container-executor.cfg; the two have to agree. -->
<property>
  <name>yarn.nodemanager.linux-container-executor.group</name>
  <value>hadoop</value>
</property>
<property>
  <name>yarn.resourcemanager.proxy-user-privileges.enabled</name>
  <value>true</value>
</property>
<property>
  <name>yarn.nodemanager.local-dirs</name>
  <value>/usr/local/hadoop-2.7.6/tmp/nm-local-dir</value>
</property>


hdfs-site.xml

<!-- add the following -->
<!-- required with Kerberos: clients present NameNode-issued block tokens to the DataNodes -->
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.datanode.data.dir.perm</name>
  <value>700</value>
</property>
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
  <name>dfs.namenode.kerberos.https.principal</name>
  <value>HTTP/_HOST@HIVE.COM</value>
</property>
<!-- ports below 1024: the DataNode has to be started as root through jsvc (section 2.4) -->
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:1004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:1006</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>
<property>
  <name>dfs.datanode.kerberos.https.principal</name>
  <value>HTTP/_HOST@HIVE.COM</value>
</property>
<!-- the *.kerberos.https.principal keys above are older names and harmless; in 2.x the
     web-UI SPNEGO principal is dfs.namenode.kerberos.internal.spnego.principal, which
     defaults to dfs.web.authentication.kerberos.principal below -->

<property>
  <name>dfs.webhdfs.enabled</name>
  <value>true</value>
</property>

<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@HIVE.COM</value>
</property>

<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>

<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>

<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>

<!-- hadoop.tmp.dir normally lives in core-site.xml; placed here it is only seen by
     processes that load hdfs-site.xml -->
<property>
  <name>hadoop.tmp.dir</name>
  <value>/usr/local/hadoop-2.7.6/tmp</value>
</property>


mapred-site.xml:

<!-- add the following -->
<property>
  <name>mapreduce.jobhistory.keytab</name>
  <value>/usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab</value>
</property>
<property>
  <name>mapreduce.jobhistory.principal</name>
  <value>hdfs/_HOST@HIVE.COM</value>
</property>
<!-- HTTPS_ONLY makes the history server listen over TLS only, which needs a keystore
     configured in ssl-server.xml; without one, use HTTP_ONLY -->
<property>
  <name>mapreduce.jobhistory.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>


container-executor.cfg (in $HADOOP_HOME/etc/hadoop; a plain key=value file whose comments start with #; overwrite it with the following)

yarn.nodemanager.linux-container-executor.group=hadoop
#configured value of yarn.nodemanager.linux-container-executor.group

banned.users=hdfs
#comma separated list of users who can not run applications

min.user.id=0
#Prevent other super-users

allowed.system.users=root,yarn,hdfs,mapred,nobody
##comma separated list of system users who CAN run applications

Caveat: the defaults are min.user.id=1000 and an empty allowed.system.users, and they exist precisely to keep system accounts from launching containers through the setuid container-executor. min.user.id=0 together with root in allowed.system.users lets a YARN job run as root on every NodeManager; accept that only on a throw-away lab cluster. banned.users=hdfs is why the wordcount job in 2.7 is rejected with "Requested user hdfs is banned" when it is submitted with the hdfs ticket: hdfs is the HDFS superuser and should never run containers.
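A pre-flight check that ties sections 1.3.3, 2.2 and 2.3 together, as an added example that is not code from the page or from Hadoop. It expands `_HOST` in every `*.principal` setting for each node the way Hadoop does at start-up, checks that the merged keytab holds a key for each resulting principal, and flags enctypes deprecated by RFC 6649 (single DES, RC4-EXP) and RFC 8429 (3DES, RC4). The two sample inputs are abridged copies of the page's own `klist -ket hdfs.keytab` listing (which, as noted above, lacks hdfs/hadoop03) and of the principal properties from the XML above; the host list is the deployment plan from the top of the page. On a real cluster, feed it the output of `klist -ket` and the contents of the *-site.xml files.

```python
"""Pre-flight keytab audit: expand _HOST per node, report principals the
keytab lacks, and flag deprecated enctypes (RFC 6649: single DES, RC4-EXP;
RFC 8429: 3DES, RC4).  Added example; sample inputs are abridged copies of
the page's listings."""
import re
import xml.etree.ElementTree as ET

DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
              "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}
HOSTS = ["hadoop01", "hadoop02", "hadoop03"]

# abridged 'klist -ket hdfs.keytab' from section 2.2 (note: no hdfs/hadoop03 entry)
SAMPLE_KLIST = """\
Keytab name: FILE:hdfs.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (arcfour-hmac)
   3 04/14/2020 15:48:21 hdfs/hadoop01@HIVE.COM (des-cbc-md5)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   3 04/14/2020 15:48:21 hdfs/hadoop02@HIVE.COM (des3-cbc-sha1)
   6 04/14/2020 15:48:21 HTTP/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   6 04/14/2020 15:48:21 HTTP/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   7 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   8 04/14/2020 15:48:21 HTTP/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop02@HIVE.COM (aes128-cts-hmac-sha1-96)
   4 04/14/2020 15:48:21 yarn/hadoop03@HIVE.COM (aes128-cts-hmac-sha1-96)
"""

# abridged principal settings from hdfs-site.xml, yarn-site.xml and mapred-site.xml in 2.3
SAMPLE_XML = """\
<property><name>dfs.namenode.kerberos.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>dfs.datanode.kerberos.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>dfs.web.authentication.kerberos.principal</name><value>HTTP/_HOST@HIVE.COM</value></property>
<property><name>yarn.resourcemanager.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>yarn.nodemanager.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
<property><name>mapreduce.jobhistory.principal</name><value>hdfs/_HOST@HIVE.COM</value></property>
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """'klist -ket' output -> {principal: {enctype: highest KVNO seen}}."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvno, principal, etype = int(m.group(1)), m.group(2), m.group(3)
            per = keys.setdefault(principal, {})
            per[etype] = max(kvno, per.get(etype, 0))
    return keys


def required_principals(xml_fragment, hosts):
    """Every *.principal value with _HOST expanded for each node (a keytab copied to
    all nodes must satisfy all of them) -> {principal: set of config keys needing it}."""
    root = ET.fromstring("<configuration>" + xml_fragment + "</configuration>")
    needed = {}
    for prop in root.findall("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name and value and name.endswith("principal"):
            for host in hosts:
                needed.setdefault(value.replace("_HOST", host), set()).add(name)
    return needed


def audit(klist_text, xml_fragment, hosts):
    keys = parse_klist(klist_text)
    needed = required_principals(xml_fragment, hosts)
    missing = {p: sorted(cfg) for p, cfg in needed.items() if p not in keys}
    deprecated = sorted({e for per in keys.values() for e in per if e in DEPRECATED})
    return {"missing": missing, "deprecated_enctypes": deprecated}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_KLIST, SAMPLE_XML, HOSTS).items():
        print(key, value)
```

Run against the page's data it reports hdfs/hadoop03@HIVE.COM as missing for every hdfs/_HOST setting, which is the error 3 of section 2.7 before it happens, and lists arcfour-hmac, des-cbc-md5 and des3-cbc-sha1 as deprecated key types that the supported_enctypes list in kdc.conf put into every principal.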


2.4 Build and install JSVC

A secure DataNode that uses privileged ports (dfs.datanode.address 0.0.0.0:1004 and dfs.datanode.http.address 0.0.0.0:1006 above, both below 1024) has to be started as root and then drop to HADOOP_SECURE_DN_USER. Hadoop does that through jsvc, so hadoop-env.sh must point at a jsvc binary and the commons-daemon jar under $HADOOP_HOME/share/hadoop/hdfs/lib must be replaced with the version that matches the jsvc you build. Without this the DataNode refuses to start with "Cannot start secure DataNode without configuring either privileged resources ...".
The alternative that error message names, SASL data-transfer protection (dfs.data.transfer.protection) plus HTTPS for the DataNode web port, avoids jsvc and root entirely but needs TLS keystores; it is not what this page does.

The exact DataNode start-up error:
2020-04-14 15:56:35,164 FATAL org.apache.hadoop.hdfs.server.datanode.DataNode: Exception in secureMain
java.lang.RuntimeException: Cannot start secure DataNode without configuring either privileged resources or SASL RPC data transfer protection and SSL for HTTP.  Using privileged resources in combination with SASL RPC data transfer protection is not supported.
        at org.apache.hadoop.hdfs.server.datanode.DataNode.checkSecureConfig(DataNode.java:1208)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:1108)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.<init>(DataNode.java:429)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.makeInstance(DataNode.java:2414)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2301)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2348)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2530)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2554)
2020-04-14 15:56:35,173 INFO org.apache.hadoop.util.ExitUtil: Exiting with status 1
2020-04-14 15:56:35,179 INFO org.apache.hadoop.hdfs.server.datanode.DataNode: SHUTDOWN_MSG:

2.4.1 Download the packages

Download and unpack commons-daemon-1.2.2-src.tar.gz and commons-daemon-1.2.2-bin.tar.gz. Verify the archives against the checksums and signatures Apache publishes for commons-daemon before building anything from them.

2.4.2 Installation steps

[root@hadoop01 hadoop]# cd /usr/local
[root@hadoop01 local]# mkdir -p JSVC_packages && cd ./JSVC_packages/
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/source/commons-daemon-1.2.2-src.tar.gz
[root@hadoop01 JSVC_packages]# wget http://apache.fayea.com//commons/daemon/binaries/commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-bin.tar.gz
[root@hadoop01 JSVC_packages]# tar xf commons-daemon-1.2.2-src.tar.gz

[root@hadoop01 JSVC_packages]# ll
total 472
drwxr-xr-x. 3 root root    278 Apr 14 16:25 commons-daemon-1.2.2
-rw-r--r--. 1 root root 179626 Apr 14 16:24 commons-daemon-1.2.2-bin.tar.gz
drwxr-xr-x. 3 root root    180 Apr 14 16:25 commons-daemon-1.2.2-src
-rw-r--r--. 1 root root 301538 Apr 14 16:24 commons-daemon-1.2.2-src.tar.gz

# build jsvc and copy it into Hadoop's libexec directory (configure needs a JDK and gcc/make;
# pass --with-java=$JAVA_HOME if the JDK is not found automatically)
[root@hadoop01 JSVC_packages]# cd commons-daemon-1.2.2-src/src/native/unix/
[root@hadoop01 unix]# ./configure
[root@hadoop01 unix]# make
[root@hadoop01 unix]# cp ./jsvc /usr/local/hadoop-2.7.6/libexec/

# replace the bundled commons-daemon jar (1.0.13 in Hadoop 2.7.6) with the 1.2.2 jar that matches the jsvc just built;
# move the old jar out of the way rather than copying it, so that only one version is on the classpath
[root@hadoop01 unix]# cd /usr/local/JSVC_packages/commons-daemon-1.2.2/
[root@hadoop01 commons-daemon-1.2.2]# mv /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/commons-daemon-1.0.13.jar.bak

[root@hadoop01 commons-daemon-1.2.2]# cp ./commons-daemon-1.2.2.jar /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/

[root@hadoop01 commons-daemon-1.2.2]# cd /usr/local/hadoop-2.7.6/share/hadoop/hdfs/lib/
[root@hadoop01 lib]# chown hdfs:hadoop commons-daemon-1.2.2.jar


2.4.3 hadoop-env.sh

[root@hadoop01 hadoop-2.7.6]# vi ./etc/hadoop/hadoop-env.sh

Append the following:
export HADOOP_SECURE_DN_USER=hdfs
export JSVC_HOME=/usr/local/hadoop-2.7.6/libexec/
HADOOP_SECURE_DN_USER is the unprivileged user jsvc switches to after binding the privileged ports; JSVC_HOME is the directory containing the jsvc binary built above.


2.5 Distribute to the other servers

[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop02:/usr/local/

[root@hadoop01 local]# scp -r /usr/local/hadoop-2.7.6/ hadoop03:/usr/local/
This copies hdfs.keytab along with everything else, so redo the keytab ownership and mode on each node (section 2.6), and make sure container-executor.cfg and the directories above it are root-owned on every node (errors 4 and 5 in section 2.7).


2.6 Start the Hadoop cluster

Fix the keytab ownership on the worker nodes first (the scp above copied it as root):
[root@hadoop02 ~]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop02 hadoop]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab

[root@hadoop03 ~]# cd /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop03 hadoop]# chown hdfs:hadoop hdfs.keytab && chmod 400 hdfs.keytab

Obtain a ticket for the shell on each node. The daemons themselves log in from the keytab and do not use this ticket cache, but kinit -kt with the same keytab and principal is a quick check that the keytab is readable and actually contains the principal:
[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop01@HIVE.COM
[root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
[root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop03@HIVE.COM

[root@hadoop01 hadoop-2.7.6]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hdfs/hadoop01@HIVE.COM

Valid starting       Expires              Service principal
04/14/2020 16:49:17  04/15/2020 16:49:17  krbtgt/HIVE.COM@HIVE.COM
        renew until 04/21/2020 16:49:17

The TGT expires after 24 hours and can be renewed for up to 7 days, matching ticket_lifetime and renew_lifetime in krb5.conf.

If the hdfs user was not created on hadoop02 and hadoop03 in section 2.1, create it now (same uid and group as on hadoop01):
[root@hadoop02 ~]# useradd hdfs -g hadoop
[root@hadoop02 ~]# passwd hdfs
[root@hadoop03 ~]# useradd hdfs -g hadoop
[root@hadoop03 ~]# passwd hdfs

# start HDFS, as root. With HADOOP_SECURE_DN_USER set, start-dfs.sh starts only the NameNode and
# SecondaryNameNode and prints a reminder to run start-secure-dns.sh as root for the DataNodes
[root@hadoop01 hadoop-2.7.6]# start-dfs.sh
# start the DataNodes through jsvc; this has to run as root
[root@hadoop01 hadoop-2.7.6]# start-secure-dns.sh
# start YARN, as root (tested, works; but see the "Permission mismatch" note in 2.7)
[root@hadoop01 hadoop-2.7.6]# start-yarn.sh
# start the job history server, as root
[root@hadoop01 hadoop-2.7.6]# mr-jobhistory-daemon.sh start historyserver


Stopping the cluster:
# stop the DataNodes; has to run as root
[root@hadoop01 hadoop-2.7.6]# stop-secure-dns.sh
# stop HDFS
[root@hadoop01 hadoop-2.7.6]# stop-dfs.sh

# stop YARN, as root (tested, works)
[root@hadoop01 hadoop-2.7.6]# stop-yarn.sh


2.7 Test the Hadoop cluster

NameNode web UI: http://hadoop01:50070

YARN web UI: http://hadoop01:8088

(Both open without a ticket because hadoop.http.authentication.type is not set; the configuration above Kerberizes RPC and WebHDFS only.)

HDFS test:

[root@hadoop01 hadoop-2.7.6]# hdfs dfs -ls /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -put /home/words /
[root@hadoop01 hadoop-2.7.6]# hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe


# Without a valid ticket the HDFS client is refused; this is Kerberos doing its job:
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
20/04/15 15:04:41 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
cat: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "hadoop02/192.168.216.112"; destination host is: "hadoop01":9000;

# Fix: obtain a ticket from the keytab
[hdfs@hadoop02 hadoop]$ kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
[hdfs@hadoop02 hadoop]$ hdfs dfs -cat /words
hello qianfeng
hello flink
wuhan jiayou hello wuhan wuhan hroe


YARN test:

[root@hadoop01 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab yarn/hadoop01@HIVE.COM

[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/00

Error 1 (seen when the job is submitted with the hdfs ticket: banned.users=hdfs in container-executor.cfg rejects it, which is why the kinit above uses the yarn principal):
20/04/15 23:42:45 INFO mapreduce.Job: Job job_1586934815492_0008 failed with state FAILED due to: Application application_1586934815492_0008 failed 2 times due to AM Container for appattempt_1586934815492_0008_000002 exited with  exitCode: -1000
For more detailed output, check application tracking page:http://hadoop01:8088/cluster/app/application_1586934815492_0008Then, click on links to logs of each attempt.
Diagnostics: Application application_1586934815492_0008 initialization failed (exitCode=255) with output: Requested user hdfs is banned

Error 2:
Caused by: java.io.IOException: Exceeded MAX_FAILED_UNIQUE_FETCHES; bailing-out.
Fix:
set hadoop.tmp.dir (placed in hdfs-site.xml above) and set yarn.nodemanager.local-dirs in yarn-site.xml to a directory below that same base path with a fixed suffix (tmp/nm-local-dir above).

# Test again. The first map attempt fails with "Permission mismatch ... caller uid: 0, owner uid: 502":
# the NodeManager was started as root (uid 0) while yarn.nodemanager.local-dirs is owned by yarn
# (uid 502), and the LinuxContainerExecutor requires the local dirs to be owned by the user running
# the NodeManager. The attempt is retried and the job completes; the clean fix is to run the
# NodeManagers as the yarn user rather than root.
[root@hadoop01 hadoop-2.7.6]# yarn jar ./share/hadoop/mapreduce/hadoop-mapreduce-examples-2.7.6.jar wordcount /words /out/02
20/04/16 02:55:38 INFO client.RMProxy: Connecting to ResourceManager at hadoop01/192.168.216.111:8032
20/04/16 02:55:38 INFO hdfs.DFSClient: Created HDFS_DELEGATION_TOKEN token 61 for yarn on 192.168.216.111:9000
20/04/16 02:55:38 INFO security.TokenCache: Got dt for hdfs://hadoop01:9000; Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:39 INFO input.FileInputFormat: Total input paths to process : 1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: number of splits:1
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Submitting tokens for job: job_1586976916277_0001
20/04/16 02:55:39 INFO mapreduce.JobSubmitter: Kind: HDFS_DELEGATION_TOKEN, Service: 192.168.216.111:9000, Ident: (HDFS_DELEGATION_TOKEN token 61 for yarn)
20/04/16 02:55:41 INFO impl.YarnClientImpl: Submitted application application_1586976916277_0001
20/04/16 02:55:41 INFO mapreduce.Job: The url to track the job: http://hadoop01:8088/proxy/application_1586976916277_0001/
20/04/16 02:55:41 INFO mapreduce.Job: Running job: job_1586976916277_0001
20/04/16 02:56:11 INFO mapreduce.Job: Job job_1586976916277_0001 running in uber mode : false
20/04/16 02:56:11 INFO mapreduce.Job:  map 0% reduce 0%
20/04/16 02:56:13 INFO mapreduce.Job: Task Id : attempt_1586976916277_0001_m_000000_0, Status : FAILED
Application application_1586976916277_0001 initialization failed (exitCode=20) with output: main : command provided 0
main : user is yarn
main : requested yarn user is yarn
Permission mismatch for /usr/local/hadoop-2.7.6/tmp/nm-local-dir for caller uid: 0, owner uid: 502.
Couldn't get userdir directory for yarn.
20/04/16 02:56:20 INFO mapreduce.Job:  map 100% reduce 0%
20/04/16 02:56:28 INFO mapreduce.Job:  map 100% reduce 100%
20/04/16 02:56:28 INFO mapreduce.Job: Job job_1586976916277_0001 completed successfully
20/04/16 02:56:28 INFO mapreduce.Job: Counters: 51
        File System Counters
                FILE: Number of bytes read=81
                FILE: Number of bytes written=251479
                FILE: Number of read operations=0
                FILE: Number of large read operations=0
                FILE: Number of write operations=0
                HDFS: Number of bytes read=154
                HDFS: Number of bytes written=51
                HDFS: Number of read operations=6
                HDFS: Number of large read operations=0
                HDFS: Number of write operations=2
        Job Counters
                Failed map tasks=1
                Launched map tasks=2
                Launched reduce tasks=1
                Other local map tasks=1
                Data-local map tasks=1
                Total time spent by all maps in occupied slots (ms)=4531
                Total time spent by all reduces in occupied slots (ms)=3913
                Total time spent by all map tasks (ms)=4531
                Total time spent by all reduce tasks (ms)=3913
                Total vcore-milliseconds taken by all map tasks=4531
                Total vcore-milliseconds taken by all reduce tasks=3913
                Total megabyte-milliseconds taken by all map tasks=4639744
                Total megabyte-milliseconds taken by all reduce tasks=4006912
        Map-Reduce Framework
                Map input records=3
                Map output records=10
                Map output bytes=103
                Map output materialized bytes=81
                Input split bytes=91
                Combine input records=10
                Combine output records=6
                Reduce input groups=6
                Reduce shuffle bytes=81
                Reduce input records=6
                Reduce output records=6
                Spilled Records=12
                Shuffled Maps =1
                Failed Shuffles=0
                Merged Map outputs=1
                GC time elapsed (ms)=192
                CPU time spent (ms)=2120
                Physical memory (bytes) snapshot=441053184
                Virtual memory (bytes) snapshot=4211007488
                Total committed heap usage (bytes)=277348352
        Shuffle Errors
                BAD_ID=0
                CONNECTION=0
                IO_ERROR=0
                WRONG_LENGTH=0
                WRONG_MAP=0
                WRONG_REDUCE=0
        File Input Format Counters
                Bytes Read=63
        File Output Format Counters
                Bytes Written=51


Error 1:

2020-04-15 14:38:36,457 INFO org.apache.hadoop.security.UserGroupInformation: Login successful for user hdfs/hadoop02@HIVE.COM using keytab file /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab
2020-04-15 14:38:36,961 WARN org.apache.hadoop.hdfs.server.datanode.DataNode: Invalid dfs.datanode.data.dir /home/hdfs/hadoopdata/dfs/data :

Fix (skip step 1 if the user already exists from section 2.1):
Step 1:
[root@hadoop02 ~]#  useradd hdfs -g hadoop
[root@hadoop02 ~]#  passwd hdfs

[root@hadoop03 ~]#  useradd hdfs -g hadoop
[root@hadoop03 ~]#  passwd hdfs

Step 2 (on whichever node reports the error):
[root@hadoop02 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
[root@hadoop03 hadoop]# chown -R hdfs:hadoop /home/hdfs/hadoopdata/
The DataNode now runs as hdfs (HADOOP_SECURE_DN_USER) and requires dfs.datanode.data.dir to be owned by that user with the mode given by dfs.datanode.data.dir.perm (700).


Error 2:

DataNode start-up error:
java.io.IOException: All directories in dfs.datanode.data.dir are invalid: "/home/hdfs/hadoopdata/dfs/data"

Fix (the directory has to exist; create it if it was never created by hand, then apply the ownership from error 1):
[root@hadoop02 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data
[root@hadoop03 hadoop-2.7.6]# mkdir -p /home/hdfs/hadoopdata/dfs/data


Error 3:

YARN start-up error:
Caused by: java.io.IOException: Login failure for hdfs/hadoop03@HIVE.COM from keytab /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab: javax.security.auth.login.LoginException: Unable to obtain password from user

"Unable to obtain password from user" on a keytab login means the JVM found no usable key for that principal in the keytab: the file is not readable by the process, the principal is missing from it (the listing in 2.2 indeed has no hdfs/hadoop03 entry), or none of its enctypes is usable by the JVM. Running kinit with the same keytab and principal on the failing node reproduces the problem with a clearer message; fix the keytab or its permissions, then restart:
[root@hadoop02 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop02@HIVE.COM
[root@hadoop03 hadoop-2.7.6]# kinit -k -t /usr/local/hadoop-2.7.6/etc/hadoop/hdfs.keytab hdfs/hadoop03@HIVE.COM


Error 4:

YARN start-up error:
Caused by: ExitCodeException exitCode=24: File /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg must be owned by root, but is owned by 20415

container-executor refuses to run unless container-executor.cfg and every directory above it are owned by root and not writable by group or others (20415 is typically the numeric owner carried over from the unpacked tarball). Change the file and its parent directories to root:root:
[root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/
[root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hadoop-2.7.6]# chown  root:root /usr/local/hadoop-2.7.6/etc/hadoop/container-executor.cfg
Repeat on hadoop02 and hadoop03; the scp in 2.5 copied the same ownership there.


Error 5:

YARN start-up error:
Caused by: ExitCodeException exitCode=22: Invalid permissions on container-executor binary.

Fix: the binary must be owned by root, group-owned by the executor group from yarn-site.xml and container-executor.cfg (hadoop), setuid, and usable only by that group. Mode 6050 is setuid + setgid with ---r-s--- permissions: nothing for others, so only members of hadoop can invoke the root-privileged helper.
[root@hadoop01 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop01 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor

[root@hadoop02 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop02 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor

[root@hadoop03 hadoop-2.7.6]# chown root:hadoop $HADOOP_HOME/bin/container-executor
[root@hadoop03 hadoop-2.7.6]# chmod 6050 $HADOOP_HOME/bin/container-executor


Error 6:

# Error when running the example job
java.io.IOException: org.apache.hadoop.yarn.exceptions.InvalidResourceRequestException: Invalid resource request, requested memory < 0, or requested memory > max configured, requestedMemory=1536, maxMemory=1024

# Solution: edit yarn-site.xml
<property>
    <name>yarn.nodemanager.resource.memory-mb</name>
    <value>2048</value>
</property>

# Distribute it to the other servers (from hadoop01):
[root@hadoop01 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hadoop-2.7.6]# scp -r ./etc/hadoop/yarn-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/

# Restart the yarn service
[root@hadoop01 hadoop-2.7.6]# start-yarn.sh



Chapter 3  Configuring Kerberos for Hive

3.1 Create the hive user

# Create the user hive:
[root@hadoop01 hive-1.2.2]# useradd -u 503 hive -g hadoop
[root@hadoop01 hive-1.2.2]# passwd hive    # enter the new password; mine is hive


3.2 Generate the keytab

On the master node, i.e. the KDC server node, run the following as root:

[root@hadoop01 hive-1.2.2]# cd /var/kerberos/krb5kdc/
[root@hadoop01 krb5kdc]# kadmin.local -q "addprinc -randkey hive/hadoop01@HIVE.COM"
[root@hadoop01 krb5kdc]# kadmin.local -q "xst -k hive.keytab hive/hadoop01@HIVE.COM"
# Inspect the keytab
[root@hadoop01 krb5kdc]# klist -ket hive.keytab
Keytab name: FILE:hive.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (aes128-cts-hmac-sha1-96)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des3-cbc-sha1)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (arcfour-hmac)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (camellia256-cts-cmac)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (camellia128-cts-cmac)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des-hmac-sha1)
   2 04/15/2020 23:52:46 hive/hadoop01@HIVE.COM (des-cbc-md5)

# Copy hive.keytab into Hive's conf directory:
[root@hadoop01 krb5kdc]# cp hive.keytab /usr/local/hive-1.2.2/conf/
# Set ownership and permissions
[root@hadoop01 krb5kdc]# cd /usr/local/hive-1.2.2/conf/
[root@hadoop01 conf]# chown hive:hadoop hive.keytab && chmod 400 hive.keytab

A keytab is effectively a permanent credential: it needs no password, and it only stops working if the principal's password is changed in the KDC. Any other user who can read the file can therefore impersonate the principal stored in it when accessing Hadoop, so the keytab must be readable by its owner only (0400).
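The following audit script is an added example, not part of the original post: it checks the two things step 3.2 relies on, that the keytab is mode 0400 and owned by the hive user, and which key types it holds, since the klist output above shows single-DES, 3DES and RC4 keys alongside AES (types deprecated for Kerberos by RFC 6649 and RFC 8429). It assumes GNU stat as shipped on CentOS 7; the path and owner in the usage line are the post's own values.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit a Hive service keytab.
# Assumes GNU coreutils stat/id (CentOS 7) and MIT klist output in the
# "KVNO Timestamp Principal (enctype)" format shown in the post.

# check_keytab_perms FILE OWNER: return 0 if FILE is mode 0400 and owned by
# OWNER (name or uid); otherwise print what is wrong and return 1.
check_keytab_perms() {
    local file="$1" owner="$2" mode fuid want_uid
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    want_uid=$(id -u "$owner" 2>/dev/null) || { echo "unknown user: $owner"; return 1; }
    mode=$(stat -c '%a' "$file")
    fuid=$(stat -c '%u' "$file")
    [ "$mode" = "400" ] || { echo "$file: mode $mode, want 400"; return 1; }
    [ "$fuid" = "$want_uid" ] || { echo "$file: owner uid $fuid, want $want_uid ($owner)"; return 1; }
    return 0
}

# weak_keytab_keys: read 'klist -ket' output on stdin and print every entry
# whose key type is DES, 3DES or RC4 (arcfour). Return 1 if any were found.
weak_keytab_keys() {
    local found
    # Column 4 is the principal, column 5 the bracketed enctype; the header
    # lines have fewer than five columns and never match.
    found=$(awk '$5 ~ /^\((des|arcfour)/ { print $4, $5 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# audit_keytab FILE OWNER: run both checks against a real keytab on disk.
audit_keytab() {
    local file="$1" owner="$2" listing rc=0
    check_keytab_perms "$file" "$owner" || rc=1
    listing=$(klist -ket "$file") || { echo "klist failed on $file"; return 1; }
    printf '%s\n' "$listing" | weak_keytab_keys || rc=1
    return $rc
}

# Run only when invoked with a keytab path and owner, e.g. from the post's layout:
#   ./audit_keytab.sh /usr/local/hive-1.2.2/conf/hive.keytab hive
if [ $# -eq 2 ]; then
    audit_keytab "$1" "$2"
fi
```

A non-zero exit means either the permission check or the key-type check failed; the printed lines say which.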

3.3 Modify the configuration files

hive-site.xml:

[root@hadoop01 hive-1.2.1]# vi ./conf/hive-site.xml
<!-- add the following -->
<property>
    <name>hive.server2.authentication</name>
    <value>KERBEROS</value>
</property>
<property>
    <name>hive.server2.authentication.kerberos.principal</name>
    <value>hive/_HOST@HIVE.COM</value>
</property>
<property>
    <name>hive.server2.authentication.kerberos.keytab</name>
    <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
</property>

<property>
    <name>hive.metastore.sasl.enabled</name>
    <value>true</value>
</property>
<property>
    <name>hive.metastore.kerberos.keytab.file</name>
    <value>/usr/local/hive-1.2.2/conf/hive.keytab</value>
</property>
<property>
    <name>hive.metastore.kerberos.principal</name>
    <value>hive/_HOST@HIVE.COM</value>
</property>

core-site.xml:

[root@hadoop01 hive-1.2.2]# vi ../hadoop-2.7.6/etc/hadoop/core-site.xml
<!-- add the following -->
<property>
    <name>hadoop.proxyuser.hive.hosts</name>
    <value>*</value>
</property>
<property>
    <name>hadoop.proxyuser.hive.groups</name>
    <value>*</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.hosts</name>
    <value>*</value>
</property>
<property>
    <name>hadoop.proxyuser.hdfs.groups</name>
    <value>*</value>
</property>
<property>
    <name>hadoop.proxyuser.HTTP.hosts</name>
    <value>*</value>
</property>
<property>
    <name>hadoop.proxyuser.HTTP.groups</name>
    <value>*</value>
</property>

# After adding it, sync the file to the other servers
[root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop02:/usr/local/hadoop-2.7.6/etc/hadoop/
[root@hadoop01 hive-1.2.2]# scp -r ../hadoop-2.7.6/etc/hadoop/core-site.xml hadoop03:/usr/local/hadoop-2.7.6/etc/hadoop/

3.4 Start Hive

[root@hadoop01 hive-1.2.2]# nohup hive --service metastore >> metastore.log 2>&1 &
[root@hadoop01 hive-1.2.2]# nohup hive --service hiveserver2 >> hiveserver2.log 2>&1 &

## These can also be run after switching to the hive user.

3.5 Connection test

Connecting with the hive CLI

[root@hadoop01 hive-1.2.2]# hive

Logging initialized using configuration in file:/opt/apache-hive-1.2.1-bin/conf/hive-log4j.properties
hive> 

Caused by: MetaException(message:Could not connect to meta store using any of the URIs provided. Most recent failure: org.apache.thrift.transport.TTransportException: GSS initiate failed

2020-04-16 00:47:11,335 ERROR [main]: transport.TSaslTransport (TSaslTransport.java:open(315)) - SASL negotiation failure
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)]


Connecting with beeline

After Kerberos is configured, every new shell session must first obtain a ticket: kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/hadoop01@HIVE.COM

[root@hadoop01 hive-1.2.2]# kinit -k -t /usr/local/hive-1.2.2/conf/hive.keytab hive/hadoop01@HIVE.COM

[root@hadoop01 hive-1.2.2]# beeline
Beeline version 1.2.2 by Apache Hive
beeline> !connect jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/local/hbase-1.2.1/lib/phoenix-4.14.1-HBase-1.2-client.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/local/hadoop-2.7.6/share/hadoop/common/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Connecting to jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM
Enter username for jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM: hive
Enter password for jdbc:hive2://hadoop01:10000/default;principal=hive/hadoop01@HIVE.COM: ****
Connected to: Apache Hive (version 1.2.2)
Driver: Hive JDBC (version 1.2.2)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://hadoop01:10000/default> show databases;
The username and password entered here are those of the hive user created at the start; in this test they are hive/hive.


3.6 Hive operation test

[root@hadoop01 hive-1.2.2]# hive

create table if not exists u1(
uid int,
age int
)
row format delimited fields terminated by ','
;

Data:
[root@hadoop01 hive-1.2.2]# vi /home/u1
1,18
2,20
3,20
4,32
5,18
6.20

# Load the data
load data local inpath '/home/u1' into table u1;

# Query
hive> select * from u1;
chmod: changing permissions of 'hdfs://hadoop01:9000/tmp/hive/hive/e9a76813-5c64-47f7-9a2b-5d7876111786/hive_2020-04-16_01-18-41_393_8778198899588815011-1/-mr-10000': Permission denied: user=hive, access=EXECUTE, inode="/tmp":hdfs:supergroup:drwx------
OK
1       18
2       20
3       20
4       32
5       18
6       NULL
hive> select count(*) from u1;
Query ID = root_20200416025824_e9adc8a8-7052-4ee9-8924-bf735461484b
Total jobs = 1
Launching Job 1 out of 1
Number of reduce tasks determined at compile time: 1
In order to change the average load for a reducer (in bytes):
  set hive.exec.reducers.bytes.per.reducer=<number>
In order to limit the maximum number of reducers:
  set hive.exec.reducers.max=<number>
In order to set a constant number of reducers:
  set mapreduce.job.reduces=<number>
Starting Job = job_1586976916277_0002, Tracking URL = http://hadoop01:8088/proxy/application_1586976916277_0002/
Kill Command = /usr/local/hadoop-2.7.6//bin/hadoop job  -kill job_1586976916277_0002
Hadoop job information for Stage-1: number of mappers: 1; number of reducers: 1
2020-04-16 02:58:39,528 Stage-1 map = 0%,  reduce = 0%
2020-04-16 02:58:45,992 Stage-1 map = 100%,  reduce = 0%, Cumulative CPU 2.03 sec
2020-04-16 02:58:52,547 Stage-1 map = 100%,  reduce = 100%, Cumulative CPU 4.51 sec
MapReduce Total cumulative CPU time: 4 seconds 510 msec
Ended Job = job_1586976916277_0002
MapReduce Jobs Launched:
Stage-Stage-1: Map: 1  Reduce: 1   Cumulative CPU: 4.51 sec   HDFS Read: 6381 HDFS Write: 2 SUCCESS
Total MapReduce CPU Time Spent: 4 seconds 510 msec
OK
6
Time taken: 30.518 seconds, Fetched: 1 row(s)
hive>

At this point, Kerberos authentication for Hive is configured!
