HTTPS configuration for HDFS

Part of the article series: Big Data Security in Practice
https://www.jianshu.com/p/76627fd8399c


Steps:

  1. Create a certificate on the CA server
  2. Import the certificate on the CA clients
  3. Modify hdfs-site.xml of HDFS
  4. Configure the SSL configuration files of HDFS

  • On the CA server
    Only after the deployment succeeded did I realize that the CA server does not actually need to run any service. Any machine will do.
openssl req -new -x509 -keyout /var/opt/ssl/CA/private/test_ca_key -out /var/opt/ssl/CA/private/test_ca_cert -days 9999 -subj '/C=CN/ST=zhejiang/L=hangzhou/O=dtdream/OU=security/CN=zelda.com'


Generating a 2048 bit RSA private key
.....................................................+++
...................................................................................................+++
writing new private key to '/etc/pki/CA/private/test_ca_key'
#1234
Enter PEM pass phrase:
#1234
Verifying - Enter PEM pass phrase:
-----

Check the result

[root@v-app2-cloud kduser]# ll /etc/pki/CA/private/
total 8
-rw-r--r-- 1 root root 1383 Mar 12 16:37 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 12 16:37 test_ca_key
[root@v-app2-cloud kduser]#
  • Distribute the created certificates to each client node
[hadoop@vm10-247-24-53 hadoop]$ ansible hadoop --become -m copy  -a  "src=/var/opt/ssl dest=/var/opt/"
10.247.24.54 | SUCCESS => {
    "changed": true,
    "dest": "/var/opt/",
    "failed": false,
    "src": "/var/opt/ssl"
}
10.247.24.28 | SUCCESS => {
    "changed": true,
    "dest": "/var/opt/",
    "failed": false,
    "src": "/var/opt/ssl"
}
10.247.24.49 | SUCCESS => {
    "changed": true,
    "dest": "/var/opt/",
    "failed": false,
    "src": "/var/opt/ssl"
}
10.247.24.63 | SUCCESS => {
    "changed": true,
    "dest": "/var/opt/",
    "failed": false,
    "src": "/var/opt/ssl"
}
10.247.24.53 | SUCCESS => {
    "changed": false,
    "dest": "/var/opt/",
    "failed": false,
    "src": "/var/opt/ssl"
}

[hadoop@vm10-247-24-53 hadoop]$ ansible hadoop -m shell -a  "ls -l /var/opt/ssl/CA/private"
10.247.24.54 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:58 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:58 test_ca_key

10.247.24.28 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:56 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:56 test_ca_key

10.247.24.49 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:58 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:58 test_ca_key

10.247.24.63 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:59 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:59 test_ca_key

10.247.24.53 | SUCCESS | rc=0 >>
total 8
-rw-r--r-- 1 root root 1334 Mar 28 15:54 test_ca_cert
-rw-r--r-- 1 root root 1834 Mar 28 15:54 test_ca_key
  • On each client node, run the following:
# enter the directory the certificates were distributed to
cd /var/opt/ssl/CA/private/ ;

keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=vm10-247-24-53.ksc.com, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn"

keytool -keystore truststore -alias CARoot -import -file test_ca_cert;
keytool -certreq -alias localhost -keystore keystore -file cert;
openssl x509 -req -CA test_ca_cert -CAkey test_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial;
keytool -keystore keystore -alias CARoot -import -file test_ca_cert ;
keytool -keystore keystore -alias localhost -import -file cert_signed ;

Note: in the command keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=vm10-247-24-53.ksc.com, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn", replace CN=vm10-247-24-53.ksc.com with each node's own hostname.
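The per-node procedure above, scripted as an added example (not code from the original post): it issues the same keytool and openssl commands, but takes the CN from the node's own FQDN as the note requires, and reads the store password from an assumed KEYSTORE_PASS environment variable instead of the interactive prompt. The signing step is kept in its own function so it can be run on the host that holds test_ca_key, instead of copying the CA private key to every node as the Ansible step above does; the directory and file names are the ones used in the post.

```python
import os
import socket
import subprocess

CA_DIR = "/var/opt/ssl/CA/private"                # directory used in the post
CA_CERT, CA_KEY = "test_ca_cert", "test_ca_key"   # file names used in the post

def dname_for(host):
    """The post's subject DN, with CN replaced by this node's own hostname."""
    return f"CN={host}, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn"

def node_commands(host, password):
    """Run on each node: key pair + truststore + CSR. Needs only test_ca_cert."""
    return [
        ["keytool", "-keystore", "keystore", "-alias", "localhost", "-validity", "9999",
         "-genkey", "-keyalg", "RSA", "-keysize", "2048", "-dname", dname_for(host),
         "-storepass", password, "-keypass", password],
        ["keytool", "-keystore", "truststore", "-alias", "CARoot", "-import",
         "-file", CA_CERT, "-storepass", password, "-noprompt"],
        ["keytool", "-certreq", "-alias", "localhost", "-keystore", "keystore",
         "-file", "cert", "-storepass", password],
    ]

def ca_commands():
    """Run where test_ca_key is kept: sign the CSR 'cert' into 'cert_signed'."""
    return [["openssl", "x509", "-req", "-CA", CA_CERT, "-CAkey", CA_KEY, "-in", "cert",
             "-out", "cert_signed", "-days", "9999", "-CAcreateserial"]]

def import_commands(password):
    """Back on the node: CA cert first, then the signed cert, into 'keystore'."""
    return [
        ["keytool", "-keystore", "keystore", "-alias", "CARoot", "-import",
         "-file", CA_CERT, "-storepass", password, "-noprompt"],
        ["keytool", "-keystore", "keystore", "-alias", "localhost", "-import",
         "-file", "cert_signed", "-storepass", password],
    ]

def run_all(commands, cwd=CA_DIR):
    for argv in commands:
        subprocess.run(argv, cwd=cwd, check=True)

if __name__ == "__main__":
    # KEYSTORE_PASS is an assumed variable name; the post typed 123456 at the prompt.
    pw = os.environ["KEYSTORE_PASS"]
    run_all(node_commands(socket.getfqdn(), pw))
    run_all(ca_commands())   # run on the CA host (after copying 'cert' there) if the key is not local
    run_all(import_commands(pw))
```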

  • Verify the client certificate
    123456 is the password set in the previous step.
keytool  -list -v -keystore /var/opt/ssl/CA/private/keystore  -storepass 123456

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: caroot
Creation date: Mar 13, 2018
Entry type: trustedCertEntry

Owner: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: 9edcd7d2ea0b191e
Valid from: Mon Mar 12 16:56:18 CST 2018 until: Thu Jul 27 16:56:18 CST 2045
Certificate fingerprints:
        MD5:  6E:99:F2:B8:87:44:A1:2F:BD:48:05:1A:BC:42:00:2F
        SHA1: A1:67:DC:78:60:E0:AE:72:58:12:29:61:17:9F:D7:C4:88:F1:BD:62
        SHA256: 50:F2:2B:99:92:33:6B:D5:34:C1:51:BD:6B:CB:1C:72:A8:18:70:66:21:41:D1:E1:F5:24:71:87:B5:35:63:15
        Signature algorithm name: SHA1withRSA
        Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29   49 BF 36 4B 02 60 E7 23  .\.....)I.6K.`.#
0010: BC 38 A0 BA                                        .8..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
 CA:true
 PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29   49 BF 36 4B 02 60 E7 23  .\.....)I.6K.`.#
0010: BC 38 A0 BA                                        .8..
]
]



*******************************************
*******************************************


Alias name: localhost
Creation date: Mar 13, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=v-hadoop-kbds.sz.kingdee.net, OU=test, O=test, L=hangzhou, ST=zhejiang, C=cn
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: ac53b1f8fbaf29ba
Valid from: Tue Mar 13 10:47:18 CST 2018 until: Fri Jul 28 10:47:18 CST 2045
Certificate fingerprints:
        MD5:  4D:35:81:68:07:27:A1:5E:A6:0D:C3:BE:13:BC:B5:BF
        SHA1: 0F:3F:FF:3C:CA:64:43:40:EA:2A:6C:79:85:8C:BB:BB:27:46:57:9E
        SHA256: 8B:D6:36:4F:A1:83:C9:79:C4:A2:DA:3D:A3:6D:87:1A:18:E8:E8:80:3B:AC:D3:00:0D:25:31:CD:7B:DC:14:80
        Signature algorithm name: SHA256withRSA
        Version: 1
Certificate[2]:
Owner: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Issuer: CN=zelda.com, OU=security, O=dtdream, L=hangzhou, ST=zhejiang, C=CN
Serial number: 9edcd7d2ea0b191e
Valid from: Mon Mar 12 16:56:18 CST 2018 until: Thu Jul 27 16:56:18 CST 2045
Certificate fingerprints:
        MD5:  6E:99:F2:B8:87:44:A1:2F:BD:48:05:1A:BC:42:00:2F
        SHA1: A1:67:DC:78:60:E0:AE:72:58:12:29:61:17:9F:D7:C4:88:F1:BD:62
        SHA256: 50:F2:2B:99:92:33:6B:D5:34:C1:51:BD:6B:CB:1C:72:A8:18:70:66:21:41:D1:E1:F5:24:71:87:B5:35:63:15
        Signature algorithm name: SHA1withRSA
        Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29   49 BF 36 4B 02 60 E7 23  .\.....)I.6K.`.#
0010: BC 38 A0 BA                                        .8..
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
 CA:true
 PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9D 5C A4 0F A8 CC 1B 29   49 BF 36 4B 02 60 E7 23  .\.....)I.6K.`.#
0010: BC 38 A0 BA                                        .8..
]
]



*******************************************
*******************************************
  • Modify the configuration in hdfs-site.xml:
<property>
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:61004</value>
</property>
<property>
  <name>dfs.datanode.http.address</name>
  <value>0.0.0.0:61006</value>
</property>

<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>

dfs.http.policy must be set to HTTPS_ONLY.

  • Modify ssl-client.xml under etc/hadoop
<configuration>

<property>
  <name>ssl.client.truststore.location</name>
  <value>/var/opt/ssl/CA/private/truststore</value>
  <description>Truststore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<property>
  <name>ssl.client.truststore.password</name>
  <value>123456</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.client.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<property>
  <name>ssl.client.keystore.location</name>
  <value>/var/opt/ssl/CA/private/keystore</value>
  <description>Keystore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<property>
  <name>ssl.client.keystore.password</name>
  <value>123456</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>123456</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

</configuration>
  • Modify ssl-server.xml under etc/hadoop
<property>
  <name>ssl.server.truststore.location</name>
  <value>/var/opt/ssl/CA/private/truststore</value>
  <description>Truststore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.truststore.password</name>
  <value>123456</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<property>
  <name>ssl.server.keystore.location</name>
  <value>/var/opt/ssl/CA/private/keystore</value>
  <description>Keystore to be used by NN and DN. Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.password</name>
  <value>123456</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>123456</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.exclude.cipher.list</name>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,
  SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
  SSL_RSA_WITH_RC4_128_MD5</value>
  <description>Optional. The weak security cipher suites that you want excluded
  from SSL communication.</description>
</property>
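The settings above can be checked mechanically before restarting the NameNode and DataNodes. The following is an added example, not from the original post or from Hadoop itself: it parses Hadoop-style configuration XML and reports whether dfs.http.policy is HTTPS_ONLY, whether the ssl-server.xml entries whose descriptions read "Must be specified" are set, and whether each weak cipher family present in the post's exclude list (RC4, DES, EXPORT, MD5) is actually excluded. The property names are the real Hadoop ones shown above; the sample XML strings are constructed from the post's values.

```python
import xml.etree.ElementTree as ET

# ssl-server.xml entries whose <description> in the post reads "Must be specified".
REQUIRED_SERVER = ("ssl.server.truststore.location", "ssl.server.keystore.location",
                   "ssl.server.keystore.password", "ssl.server.keystore.keypassword")
# Weak cipher-suite families that the post's exclude list removes.
WEAK_FAMILIES = ("RC4", "DES", "EXPORT", "MD5")


def parse_hadoop_xml(text):
    """Return {name: value} for every <property> in a Hadoop configuration file."""
    root = ET.fromstring(text)
    return {p.findtext("name").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}


def check_https_config(hdfs_site, ssl_server):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if hdfs_site.get("dfs.http.policy") != "HTTPS_ONLY":
        findings.append("dfs.http.policy is not HTTPS_ONLY")
    for name in REQUIRED_SERVER:
        if not ssl_server.get(name):
            findings.append(f"{name} must be specified")
    # The value is comma separated and may span lines, as in the post's ssl-server.xml.
    excluded = [s.strip() for s in
                ssl_server.get("ssl.server.exclude.cipher.list", "").split(",")]
    for family in WEAK_FAMILIES:
        if not any(family in suite for suite in excluded):
            findings.append(f"no {family} suites in ssl.server.exclude.cipher.list")
    return findings


# Constructed sample input that mirrors the post's values (not real cluster files).
HDFS_SITE = """<configuration><property>
  <name>dfs.http.policy</name><value>HTTPS_ONLY</value></property></configuration>"""
SSL_SERVER = """<configuration>
<property><name>ssl.server.truststore.location</name><value>/var/opt/ssl/CA/private/truststore</value></property>
<property><name>ssl.server.keystore.location</name><value>/var/opt/ssl/CA/private/keystore</value></property>
<property><name>ssl.server.keystore.password</name><value>123456</value></property>
<property><name>ssl.server.keystore.keypassword</name><value>123456</value></property>
<property><name>ssl.server.exclude.cipher.list</name><value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,
  SSL_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5</value></property>
</configuration>"""

if __name__ == "__main__":
    findings = check_https_config(parse_hadoop_xml(HDFS_SITE), parse_hadoop_xml(SSL_SERVER))
    print("\n".join(findings) or "all checks passed")
```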