Ambari and Knox

  • Post author:
  • Post category: Other


Ambari Server and Knox do not have to be installed on the same machine; the two are independent components to begin with.

See also:

Knox installation and deployment (5)



1 On the Knox machine

Export the gateway identity certificate. The contents of the generated cert.pem will be copied to the ambari-server machine in the next step.

```sh
$JAVA_HOME/bin/keytool -export -alias gateway-identity -rfc -file /opt/key/cert.pem -keystore /usr/hdp/current/knox-server/data/security/keystores/gateway.jks
```


2 On the ambari-server machine

```sh
ambari-server setup-sso
Using python  /usr/bin/python
Setting up SSO authentication properties...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

SSO is currently not configured
Do you want to configure SSO authentication [y/n] (y)? y
Provider URL (https://knox.example.com:8443/gateway/knoxsso/api/v1/websso): https://bg8.test.com.cn:8443/gateway/knoxsso/api/v1/websso
Public Certificate PEM (empty line to finish input):
```

Paste the whole contents of cert.pem from Knox here.

```sh
Use SSO for Ambari [y/n] (n)? y
Manage SSO configurations for eligible services [y/n] (n)? y
 Use SSO for all services [y/n] (n)? y
JWT Cookie name (hadoop-jwt): 
JWT audiences list (comma-separated), empty for any (): 
Ambari Server 'setup-sso' completed successfully.
You have new mail in /var/spool/mail/root

# After setup is complete, restart
ambari-server restart
```
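As an added example (not code from the original post), the following stdlib-only Python sketch shows what the last two setup-sso answers configure on the Ambari side: the cookie name (hadoop-jwt) and the audience list, where the empty default accepts any audience. The function names and the sample token are invented here; RS256 signature verification against the cert.pem exported in step 1 is assumed to be done separately by a JWT library and is not shown.

```python
import base64
import json
import time

COOKIE_NAME = "hadoop-jwt"  # default offered by setup-sso


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(sub, aud, exp, alg="RS256"):
    """Constructed test token; the signature part is a placeholder (not verified here)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = {"sub": sub, "iss": "KNOXSSO", "exp": exp}
    if aud is not None:
        claims["aud"] = aud
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def check_sso_cookie(cookies: dict, allowed_audiences: list, now=None):
    """Claim checks matching the cookie-name and audience answers given to setup-sso.
    Returns (ok, reason, subject). Signature verification is assumed to happen elsewhere."""
    now = time.time() if now is None else now
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return False, "cookie missing", None
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return False, "malformed token", None
    if header.get("alg") != "RS256":  # Knox signs with RSA; never accept "none"
        return False, f"unexpected alg {header.get('alg')!r}", None
    if "exp" not in claims or claims["exp"] <= now:
        return False, "token expired or has no exp", None
    # An empty audience list (the setup-sso default) means any audience is accepted.
    if allowed_audiences:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(allowed_audiences):
            return False, "audience mismatch", None
    return True, "claims ok (signature still to be verified against cert.pem)", claims.get("sub")
```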

Turning setup-sso off is also simple. I just searched for a long time and nobody had posted anything similar; I found it by accident.

```sh
[root@bg2 scrpits]# ambari-server setup-sso
Using python  /usr/bin/python
Setting up SSO authentication properties...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

SSO is currently enabled
Do you want to disable SSO authentication [y/n] (n)? y
Ambari Server 'setup-sso' completed successfully.
```

3 LDAP

See:

HDP security: integrating Kerberos/LDAP and Ranger (Knox's built-in LDAP)

```sh
cd /usr/hdp/current/knox-server/bin/
./ldap.sh  start
```

See:

LDAP error: javax.naming.AuthenticationException: [LDAP: error codelid Credentials]


That article says you should enter the correct LDAP configuration, but it does not say what the correct configuration is.

After some investigation I found that the admin here should be the LDAP administrator user:

```sh
[root@bg2 scrpits]# ambari-server setup-ldap
Using python  /usr/bin/python
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

Fetching LDAP configuration from DB.
Primary LDAP Host (bg8.test.com.cn): 
Primary LDAP Port (33389): 
Secondary LDAP Host <Optional>: 
Secondary LDAP Port <Optional>: 
Use SSL [true/false] (false): 
User object class (super): person
User ID attribute (dengjun): uid
Group object class (groupofnames): 
Group name attribute (super): cn
Group member attribute (memberUid): member
Distinguished name attribute (hadoop): cn
Search Base (dc=hadoop,dc=apache,dc=org): dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] (ignore): follow
Bind anonymously [true/false] (false): 
Bind DN (uid=hello,ou=test,dc=hadoop,dc=apache,dc=org): uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
Enter Bind DN Password: 
Confirm Bind DN Password: 
Handling behavior for username collisions [convert/skip] for LDAP sync (convert): convert
Force lower-case user names [true/false] (true):true
Results from LDAP are paginated when requested [true/false] (true):false      
====================
Review Settings
====================
Primary LDAP Host (bg8.test.com.cn):  bg8.test.com.cn
Primary LDAP Port (33389):  33389
Use SSL [true/false] (false):  false
User object class (super):  person
User ID attribute (hello):  uid
Group object class (groupofnames):  groupofnames
Group name attribute (super):  cn
Group member attribute (memberUid):  member
Distinguished name attribute (hadoop):  cn
Search Base (dc=hadoop,dc=apache,dc=org):  dc=hadoop,dc=apache,dc=org
Referral method [follow/ignore] (ignore):  follow
Bind anonymously [true/false] (false):  false
Handling behavior for username collisions [convert/skip] for LDAP sync (convert):  convert
Force lower-case user names [true/false] (true): true
Results from LDAP are paginated when requested [true/false] (true): false
ambari.ldap.connectivity.bind_dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
ambari.ldap.connectivity.bind_password: *****
Save settings [y/n] (y)? y
Saving LDAP properties...
Saving LDAP properties finished
Ambari Server 'setup-ldap' completed successfully.
You have new mail in /var/spool/mail/root
[root@bg2 scrpits]# ambari-server restart
Using python  /usr/bin/python
Restarting ambari-server
Waiting for server stop...
Ambari Server stopped
Ambari Server running with administrator privileges.
Organizing resource files at /var/lib/ambari-server/resources...
Ambari database consistency check started...
Server PID at: /var/run/ambari-server/ambari-server.pid
Server out at: /appdata/home/hadoop/logs/ambari-server/ambari-server.out
Server log at: /appdata/home/hadoop/logs/ambari-server/ambari-server.log
Waiting for server start...............................
Server started listening on 8080

DB configs consistency check found warnings. See /appdata/home/hadoop/logs/ambari-server/ambari-server-check-database.log for more details.
You have new mail in /var/spool/mail/root
```

Next, create the users in ldapadmin; running the command below syncs them into Ambari's database (Ambari stores its users in MySQL). Users synced at this point have no permissions, however, so beforehand you need to assign the corresponding Ambari roles to the groups analyst,scientist in Ambari. That way, when the users are synced, they get the matching permissions along with them.

```sh
[root@bg2 scrpits]# vi users.txt 
hello,testuser

[root@bg2 scrpits]# cat groups.txt 
analyst,scientist

[root@bg2 scrpits]# ambari-server sync-ldap --users users.txt --groups groups.txt
Using python  /usr/bin/python
Syncing with LDAP...
Enter Ambari Admin login: admin
Enter Ambari Admin password: 

Fetching LDAP configuration from DB.
Syncing specified users and groups...

Completed LDAP Sync.
Summary:
  memberships:
    removed = 0
    created = 3
  users:
    skipped = 0
    removed = 0
    updated = 0
    created = 4
  groups:
    updated = 0
    removed = 0
    created = 2

Ambari Server 'sync-ldap' completed successfully
```
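As an added example (not from the original post), here is a small pre-sync check for the caveat above: it reads the groups.txt format that sync-ldap consumes and reports which groups do not yet hold an Ambari cluster role, so their members would be created without permissions. The privileges JSON is a constructed sample whose shape is assumed from Ambari's REST API (GET /api/v1/clusters/<cluster>/privileges); the function names are invented here.

```python
import json

# Constructed sample: groups.txt exactly as on this page
GROUPS_TXT = "analyst,scientist\n"

# Constructed sample of the privileges response; shape assumed from Ambari's REST API,
# values invented. Only "analyst" has been given a role, "scientist" has not.
SAMPLE_PRIVILEGES_JSON = json.dumps({
    "items": [
        {"PrivilegeInfo": {"permission_name": "CLUSTER.USER",
                           "principal_name": "analyst", "principal_type": "GROUP"}},
        {"PrivilegeInfo": {"permission_name": "CLUSTER.ADMINISTRATOR",
                           "principal_name": "admin", "principal_type": "USER"}},
    ]
})


def parse_sync_list(text: str) -> list:
    """Parse the comma-separated list that sync-ldap --users/--groups reads (newlines tolerated)."""
    return [name.strip() for name in text.replace("\n", ",").split(",") if name.strip()]


def groups_with_roles(privileges_json: str) -> set:
    """Group principals that already hold a cluster-level role in Ambari."""
    data = json.loads(privileges_json)
    return {item["PrivilegeInfo"]["principal_name"]
            for item in data.get("items", [])
            if item["PrivilegeInfo"].get("principal_type") == "GROUP"}


def unmapped_groups(groups_txt: str, privileges_json: str) -> list:
    """Groups listed for sync that have no Ambari role yet; assign roles to these
    before running sync-ldap, otherwise their members arrive without permissions."""
    wanted = parse_sync_list(groups_txt)
    mapped = groups_with_roles(privileges_json)
    return [g for g in wanted if g not in mapped]
```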



Copyright notice: this article is an original work by warrah, licensed under CC 4.0 BY-SA; reproduction must include a link to the original source and this notice.