HBase + Kerberos Configuration Example (Part 1)

Author: 云计算机网  Category: Cloud computing knowledge  Published: 2015-02-26 06:10

Anyone who has used HBase has probably wondered about this: I write a Java client, and all it seems to need to connect to HBase is the ZooKeeper quorum address. Isn't that a security problem? It is. How do we fix it? HBase introduced Kerberos authentication for exactly this purpose. I plan to cover HBase + Kerberos in two posts; this one covers the Kerberos configuration itself.

Contents:
Environment preparation
Kerberos overview
Kerberos server configuration
Kerberos client configuration

Environment preparation

I prepared three servers, each installed with CentOS 6.5 64-bit:

kb1: Kerberos server
kbhbase1: Kerberos client; later also used to install and run HBase
kbjavatest1: Kerberos client; later a Java program will be deployed on it to access the HBase database on kbhbase1

Kerberos overview

Put simply, Kerberos is an access-control mechanism. It has a central server, the KDC, which holds a database into which you add "ID cards" for all kinds of "people" and "services". When a person wants to access a service, he takes his "ID card" to the KDC and tells it which service he wants; the KDC runs through a series of verification steps and, based on the result, allows or denies that person access to the service. For the detailed Kerberos workflow, see the article "Explain like I'm 5: Kerberos".

Kerberos server configuration

Installation

#yum install krb5-libs krb5-server krb5-workstation

Configuration

1) # vim /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MH.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 MH.COM = {
  kdc = kb1.mh.com:88
  admin_server = kb1.mh.com:749
 }

[domain_realm]
 .mh.com = MH.COM
 mh.com = MH.COM

2) # vim /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MH.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
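As an added example (not code from the original post), the following Python script parses the krb5 profile format shared by both files above and audits them as a pair: it checks that the KDC port clients are given in krb5.conf is one the KDC actually listens on, and it flags the DES, 3DES and RC4 entries that this kdc.conf still lists in supported_enctypes. It works for any number of realms, not only MH.COM; the two strings are condensed copies of the page's files.

```python
# Added example, not code from the original post: parse the krb5 profile format
# ([section], key = value, key = { } blocks) and audit the page's two files (condensed).
KRB5_CONF = """
[realms]
 MH.COM = {
  kdc = kb1.mh.com:88
 }
"""
KDC_CONF = """
[kdcdefaults]
 kdc_ports = 88
[realms]
 MH.COM = {
  #master_key_type = aes256-cts
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
WEAK = ("des-", "des3", "arcfour", "rc4")  # single DES, 3DES and RC4 families

def parse_krb5(text):
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("["):
            section, block = line.strip("[]"), None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":
                block, conf[section][key] = key, {}
            else:
                (conf[section][block] if block else conf[section])[key] = val
    return conf

def audit(krb5_text, kdc_text):
    """One finding per problem, per realm in kdc.conf; [] means all clear."""
    krb5, kdc, out = parse_krb5(krb5_text), parse_krb5(kdc_text), []
    listen = kdc.get("kdcdefaults", {}).get("kdc_ports", "88").replace(",", " ").split()
    for realm, stanza in kdc.get("realms", {}).items():
        client = krb5.get("realms", {}).get(realm, {}).get("kdc", "")
        port = client.rsplit(":", 1)[-1] if ":" in client else "88"  # 88 = default
        if port not in listen:  # clients must be pointed at a port the KDC binds
            out.append(f"{realm}: clients use port {port}, kdc_ports = {listen}")
        weak = [e.split(":")[0] for e in stanza.get("supported_enctypes", "").split()
                if e.lower().startswith(WEAK)]
        if weak:
            out.append(f"{realm}: weak supported_enctypes " + " ".join(weak))
    return out
```

Running audit(KRB5_CONF, KDC_CONF) on the page's files yields a single finding naming the five weak enctypes; trimming supported_enctypes to the two AES entries makes it return an empty list.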