本文和之前的文集有较大交集,有不明确的术语、配置等,请参阅:Step by Step 实现基于 Cloudera 5.8.2 的企业级安全大数据平台 - 传输层加密配置 - Hadoop 组件传输层加密 和 Step by Step 实现基于 Cloudera 5.8.2 的企业级安全大数据平台 - 传输层加密配置 - Clouder Manager 组件传输层加密。
啰嗦的前言
今天上班发现 HUE 超级管理员登录时在提示页面报错:
hadoop.hdfs_clusters.default.webhdfs_url:
Current value: https://hostname:14000/webhdfs/v1 Failed to access filesystem root
Resource Manager:
Failed to contact an active Resource Manager: No Resource Manager are available.
Hive:
Failed to access Hive warehouse: /user/hive/warehouse
Impala:
Failed to authenticate to Impalad, check authentication configurations.
Oozie Editor/Dashboard:
The app won't work without a running Oozie Server.
Pig Editor:
The app won't work without a running Oozie Server.
蛋碎,基本所有服务都无法连接了,而事实上所有服务的服务端都工作的好好的。这次故障的影响面是:
- FileBrowser 服务不可用;
- JobBrowser 服务不可用;
- File ACLs 服务不可用;
查看 Server Log,都是一致的报错:
('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')
对,笔者的集群之前是开启了 TLS/SSL 加密传输,但是什么变更都没有,为什么突然报认证失败呢?参考这篇文章 Step by Step 实现基于 Cloudera 5.8.2 的企业级安全大数据平台 - 传输层加密配置 - Hadoop 组件传输层加密 回顾下是如何配置 HUE TLS/SSL 加密的。当时在使用 keytool -genkeypair 时没有指定有效期,所以默认是90天。也许是自签名SSL证书过期导致的,但是挖掘了所有可用的日志,都没有告诉笔者类似 Certificate Expired 的信息 ಥ_ಥ,开源就是要折腾,那么我们就来尝试更新证书吧,let's have a try。
然后事实证明笔者的判断是正确的。面对这样一个以后可以导致生产故障的原因(运维界因此诞生了一个新的笑话),笔者表示捂脸掩面,用一句话来开脱一下:I'm a newbie in SSL…...下面来说说如何去进行证书的更新。
证书的更新和配置一样,主要分为两块:Clouder Manager 组件证书更新、Hadoop 服务证书更新。这一次笔者希望生成一个1年期的证书,并且在第9个月的时候进行提前更新,本文主要阐述如何进行手动证书更新。
证书更新必备条件
- CM Server 和 所有 CM Agent 都进行了 ssh 免密钥登录配置,假设我们知道所有机器的用户名和密码,我们可以很方便的通过
ssh-copy-id来实现,假设我们不知道,那么可以使用nc进行公钥拷贝的方式进行打通;
# 在接收端打开一个可用端口以接收数据
nc -l ${port} | tar xf -
# 在发送端发送数据
tar cf - ${file} | nc ${reciever_ip} ${port}
- CM Server 安装了
pssh;
sudo yum install -y pssh
- 所有节点安装了
expect;
pssh -h list_all "sudo yum install -y expect tcl"
- Cloudera Manager 的超级管理员权限,用于登录控制台(也就是7183端口)进行配置管理和重启服务;
- 假设你已经按照 Step by Step 实现基于 Cloudera 5.8.2 的企业级安全大数据平台 - 传输层加密配置 - Clouder Manager 组件传输层加密 和 Step by Step 实现基于 Cloudera 5.8.2 的企业级安全大数据平台 - 传输层加密配置 - Hadoop 组件传输层加密 进行了 TLS/SSL 加密配置,因为下文的很多路径都是这两篇文章中
mkdir好的;
和前面所有系列文章一样,我们的操作是在 admin 用户下进行的。
自签名 SSL 证书更新
假设集群包含如下机器列表,其中 v001001.dc1.domain.com 为 Cloudera Server,我们有一个文件list_all 包含了所有这些机器,一行一台机器的 hostname,用于 pssh 时进行批处理,今天就假设我们只有3台机器:
v001001.dc1.domain.com
v001002.dc1.domain.com
v001003.dc1.domain.com
Step1. 生成密钥对和自签名证书(所有节点)
在所有节点生成密钥对和自签名证书,并将它们存储在 JKS 格式的密钥库(cms.keystore.${DATE}.${HOSTNAME})中,这样我们也方便计算过期时间。 将 -keypass 设置为与 -storepass 相同的值:
pscp -h list_all generate_jks.sh /tmp
pssh -h list_all "sudo /usr/bin/bash /tmp/generate_jks.sh"
其中脚本 generate_jks.sh 的内容如下,请对 JAVA_HOME、STORE_PASS进行赋值:
#!/bin/bash
JAVA_HOME=${JAVA_HOME}
STORE_PASS=${STORE_PASS}
BASE_SECURITY_PATH=/opt/cloudera/security/
HOSTNAME=`hostname -f`
DATE=`date "+%Y-%m-%d"`
KEYSTORE_NAME=cms.keystore.${DATE}
KEYSTORE_ALIAS=cms.${DATE}
sudo ${JAVA_HOME}/bin/keytool -genkeypair -keystore ${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.${HOSTNAME} -keyalg RSA -alias ${KEYSTORE_ALIAS}.${HOSTNAME} -dname "CN=${HOSTNAME},OU=Bigdata,O=Domain,L=Hangzhou,ST=Zhejiang,C=CN" -storepass ${STORE_PASS} -keypass ${STORE_PASS} -validity 365
# 修改证书名称,更为通用,用于 hadoop 服务
sudo cp ${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.hadoopagent
Step2. 生成可信库并初始化密码(所有节点)
将缺省 Java 信任库(cacerts)复制到备用系统信任库(jssecacerts.${DATE}.${HOSTNAME}),自签名证书导入到 jssecacerts.${DATE}.${HOSTNAME},而不修改默认 cacerts 文件,并从密钥库(cms.keystore.${DATE}.${HOSTNAME})导出证书:
pscp -h list_all generate_ca.sh /tmp
pssh -h list_all "sudo /usr/bin/bash /tmp/generate_ca.sh"
其中脚本 generate_ca.sh 的内容如下,请对 JAVA_HOME、STORE_PASS进行赋值:
#!/bin/bash
JAVA_HOME=${JAVA_HOME}
BASE_SECURITY_PATH=/opt/cloudera/security/
STORE_PASS=${STORE_PASS}
HOSTNAME=`hostname -f`
DATE=`date "+%Y-%m-%d"`
KEYSTORE_NAME=cms.keystore.${DATE}
KEYSTORE_ALIAS=cms.${DATE}
SELF_CA_NAME=selfsigned.cer.${DATE}
PEM_NAME=cmhost.pem.${DATE}
TRUSTSTORE_NAME=jssecacerts.${DATE}
# 生成可信库
sudo cp ${JAVA_HOME}/jre/lib/security/cacerts ${JAVA_HOME}/jre/lib/security/${TRUSTSTORE_NAME}.${HOSTNAME}
# 导出自签名证书
sudo ${JAVA_HOME}/bin/keytool -export -alias ${KEYSTORE_ALIAS}.${HOSTNAME} -keystore ${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.${HOSTNAME} -rfc -file ${BASE_SECURITY_PATH}/${SELF_CA_NAME}.${HOSTNAME} -storepass ${STORE_PASS}
# 拷贝自签名证书至 x509 目录,并赋权
sudo cp ${BASE_SECURITY_PATH}/${SELF_CA_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${PEM_NAME}.${HOSTNAME}
sudo chown cloudera-scm:cloudera-scm ${BASE_SECURITY_PATH}/x509/${PEM_NAME}.${HOSTNAME}
sudo cp ${BASE_SECURITY_PATH}/${SELF_CA_NAME}.${HOSTNAME} /tmp
修改默认 jssecacerts.${DATE}.${HOSTNAME} 库密码:
pscp -h list_all modify_jssecacerts_passwd.expect /tmp
pscp -h list_all modify_jssecacerts_passwd.sh /tmp
pssh -h list_all "sudo /bin/bash /tmp/modify_jssecacerts_passwd.sh"
其中脚本 modify_jssecacerts_passwd.expect 的内容如下,请对 JAVA_HOME进行赋值:
#!/usr/bin/expect -f
set JAVA_HOME ${JAVA_HOME}
set timeout 300
set current_passwd [lindex $argv 0]
set new_passwd [lindex $argv 1]
set hostname [lindex $argv 2]
set truststore_name [lindex $argv 3]
spawn sudo ${JAVA_HOME}/bin/keytool -storepasswd -keystore ${JAVA_HOME}/jre/lib/security/${truststore_name}.${hostname}
sleep 1
expect "Enter keystore password:"
send "${current_passwd}\r"
expect "New keystore password:"
send "${new_passwd}\r"
expect "Re-enter new keystore password:"
send "${new_passwd}\r"
expect eof
其中脚本 modify_jssecacerts_passwd.sh 的内容如下,${CURRENT_PASSWD} 为 changeit , ${NEW_PASSWD} 为新指定的密码,需要读者自行设置:
#/bin/bash
CURRENT_PASSWD=${CURRENT_PASSWD}
NEW_PASSWD=${NEW_PASSWD}
HOSTNAME=`hostname -f`
DATE=`date "+%Y-%m-%d"`
TRUSTSTORE_NAME=jssecacerts.${DATE}
sudo /usr/bin/expect /tmp/modify_jssecacerts_passwd.expect ${CURRENT_PASSWD} ${NEW_PASSWD} ${HOSTNAME} ${TRUSTSTORE_NAME}
Step3. 拷贝 Cloudera Server 的 PEM 格式证书至所有节点
上一步我们生成了 PEM 格式的证书 ${BASE_SECURITY_PATH}/x509/${PEM_NAME}.${HOSTNAME},我们需要把它拷贝至所有节点的相应目录下:
pscp -h list_all ${BASE_SECURITY_PATH}/x509/${PEM_NAME}.v001001.dc1.domain.com /tmp
pssh -h list_all "sudo cp /tmp/${PEM_NAME}.v001001.dc1.domain.com ${BASE_SECURITY_PATH}/x509/"
pssh -h list_all "sudo chown cloudera-scm:cloudera-scm ${BASE_SECURITY_PATH}/x509/${PEM_NAME}.v001001.dc1.domain.com"
Step4. 导入自签名证书至本地信任库(所有节点)
在每台机器上执行,把客户端的自签名证书导入到客户端本地的信任库:
pscp -h list_all import_ca.expect /tmp
pscp -h list_all import_ca.sh /tmp
pssh -h list_all "sudo /bin/bash /tmp/import_ca.sh"
其中脚本 import_ca.expect 的内容如下,请对 JAVA_HOME进行赋值:
#!/usr/bin/expect -f
set JAVA_HOME ${JAVA_HOME}
set timeout 300
set storepass [lindex $argv 0]
set hostname [lindex $argv 1]
set date [lindex $argv 2]
set keystore_alias cms.${date}
set self_ca_name selfsigned.cer.${date}
set truststore_name jssecacerts.${date}
spawn sudo ${JAVA_HOME}/bin/keytool -import -alias ${keystore_alias}.${hostname} -file /tmp/${self_ca_name}.${hostname} -keystore ${JAVA_HOME}/jre/lib/security/${truststore_name}.${hostname} -storepass ${storepass}
sleep 1
expect "Trust this certificate?"
send "yes\r"
expect eof
其中脚本 import_ca.sh 的内容如下,请对 PASSWD进行赋值,为之前我们新指定的 jssecacerts 信任库密码:
#!/bin/bash
PASSWD=${PASSWD}
HOSTNAME=`hostname -f`
DATE=`date "+%Y-%m-%d"`
sudo /usr/bin/expect /tmp/import_ca.expect ${PASSWD} ${HOSTNAME} ${DATE}
Step5. 生成 JKS 公共可信库( Cloudera Server 上执行)
把所有客户端的证书注入公共库,并且分发:
sudo /bin/bash modify_jssecacerts_public_passwd.sh
/bin/bash get_ca_from_slave.sh
sudo /bin/bash import_ca_public.sh
pscp -h list_agents_hostname ${JAVA_HOME}/jre/lib/security/jssecacerts.${DATE}.public /tmp
pssh -h list_agents_hostname "sudo cp /tmp/jssecacerts.${DATE}.public ${JAVA_HOME}/jre/lib/security/"
其中脚本modify_jssecacerts_public_passwd.sh 的内容如下,请对 JAVA_HOME、CURRENT_PASSWD、NEW_PASSWD进行赋值,CURRENT_PASSWD 为 changeit:
#!/bin/bash
JAVA_HOME=${JAVA_HOME}
CURRENT_PASSWD=${CURRENT_PASSWD}
NEW_PASSWD=${NEW_PASSWD}
DATE=`date "+%Y-%m-%d"`
TRUSTSTORE_NAME=jssecacerts.${DATE}
sudo cp ${JAVA_HOME}/jre/lib/security/cacerts ${JAVA_HOME}/jre/lib/security/${TRUSTSTORE_NAME}.public
sudo cp modify_jssecacerts_public_passwd.expect /tmp
sudo /usr/bin/expect /tmp/modify_jssecacerts_public_passwd.expect ${CURRENT_PASSWD} ${NEW_PASSWD} ${TRUSTSTORE_NAME}
其中脚本 get_ca_from_slave.sh 的内容如下:
#!/bin/bash
DATE=`date "+%Y-%m-%d"`
SELF_CA_NAME=selfsigned.cer.${DATE}
for slave in `cat list_agents_hostname`
do
scp ${slave}:/tmp/${SELF_CA_NAME}.${slave} /tmp
done
其中脚本 import_ca_public.sh 的内容如下:
#!/bin/bash
DATE=`date "+%Y-%m-%d"`
SELF_CA_NAME=selfsigned.cer.${DATE}
NEW_PASSWD=${new_passwd}
sudo cp import_ca_public.expect /tmp
for slave in `cat list_agents_hostname`
do
sudo /usr/bin/expect /tmp/import_ca_public.expect ${NEW_PASSWD} ${slave} ${DATE}
done
其中脚本 modify_jssecacerts_public_passwd.expect 的内容如下,请对 JAVA_HOME进行赋值:
#!/usr/bin/expect -f
set JAVA_HOME ${JAVA_HOME}
set timeout 300
set current_passwd [lindex $argv 0]
set new_passwd [lindex $argv 1]
set truststore_name [lindex $argv 2]
spawn sudo ${JAVA_HOME}/bin/keytool -storepasswd -keystore ${JAVA_HOME}/jre/lib/security/${truststore_name}.public
sleep 1
expect "Enter keystore password:"
send "${current_passwd}\r"
expect "New keystore password:"
send "${new_passwd}\r"
expect "Re-enter new keystore password:"
send "${new_passwd}\r"
expect eof
其中脚本 import_ca_public.expect 的内容如下,请对 JAVA_HOME进行赋值:
#!/usr/bin/expect -f
set JAVA_HOME ${JAVA_HOME}
set timeout 300
set storepass [lindex $argv 0]
set hostname [lindex $argv 1]
set date [lindex $argv 2]
set keystore_alias cms.${date}
set self_ca_name selfsigned.cer.${date}
set truststore_name jssecacerts.${date}
spawn sudo ${JAVA_HOME}/bin/keytool -import -alias ${keystore_alias}.${hostname} -file /tmp/${self_ca_name}.${hostname} -keystore ${JAVA_HOME}/jre/lib/security/${truststore_name}.public -storepass ${storepass}
sleep 1
expect "Trust this certificate?"
send "yes\r"
expect eof
Step6. 生成 PEM 格式证书和密钥(所有节点)
pscp -h list_all init_p12.sh /tmp
pssh -h list_all "sudo /bin/bash /tmp/init_p12.sh"
其中脚本init_p12.sh 内容如下,请对 JAVA_HOME PASSWD进行赋值,其中 PASSWD 为之前我们初始化的 JKS 密钥库密码:
#!/bin/bash
JAVA_HOME=${JAVA_HOME}
BASE_SECURITY_PATH=/opt/cloudera/security
HOSTNAME=`hostname -f`
PASSWD=${PASSWD}
DATE=`date "+%Y-%m-%d"`
KEYSTORE_NAME=cms.keystore.${DATE}
KEYSTORE_ALIAS=cms.${DATE}
P12_NAME=cms.pem.${DATE}
P12_KEY_NAME=cms.key.${DATE}
AGENTKEY_PW_NAME=agentkey.pw.${DATE}
sudo -u cloudera-scm ${JAVA_HOME}/bin/keytool -importkeystore -srckeystore ${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.${HOSTNAME} \
-srcstorepass ${PASSWD} -srckeypass ${PASSWD} -destkeystore /tmp/${KEYSTORE_NAME}.p12.${HOSTNAME} \
-deststoretype PKCS12 -srcalias ${KEYSTORE_ALIAS}.${HOSTNAME} -deststorepass ${PASSWD} -destkeypass ${PASSWD}
sudo -u cloudera-scm openssl pkcs12 -in /tmp/${KEYSTORE_NAME}.p12.${HOSTNAME} -passin pass:${PASSWD} -nokeys \
-out ${BASE_SECURITY_PATH}/x509/${P12_NAME}.${HOSTNAME}
sudo -u cloudera-scm openssl pkcs12 -in /tmp/${KEYSTORE_NAME}.p12.${HOSTNAME} -passin pass:${PASSWD} -nocerts \
-out ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.${HOSTNAME} -passout pass:${PASSWD}
sudo echo "${PASSWD}" > /tmp/${AGENTKEY_PW_NAME}.${HOSTNAME}
sudo cp /tmp/${AGENTKEY_PW_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/
sudo chown root.root ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.${HOSTNAME}
sudo chmod 644 ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.${HOSTNAME}
sudo -u cloudera-scm cp ${BASE_SECURITY_PATH}/x509/${P12_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_NAME}.cmagent
sudo -u cloudera-scm cp ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.cmagent
sudo cp ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.cmagent
sudo -u cloudera-scm cp ${BASE_SECURITY_PATH}/x509/${P12_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_NAME}.hadoopagent
sudo -u cloudera-scm cp ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.hadoopagent
sudo cp ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.hadoopagent
Step7. 生成 PEM 公共证书库( Cloudera Server上执行,并且分发至所有节点 )
#!/bin/bash
BASE_SECURITY_PATH=/opt/cloudera/security
DATE=`date "+%Y-%m-%d"`
P12_NAME=cms.pem.${DATE}
for slave in `cat list_agents_hostname`
do
scp ${slave}:${BASE_SECURITY_PATH}/x509/${P12_NAME}.${slave} /tmp
done;
for slave in `cat list_agents_hostname`
do
pem_list="${pem_list} /tmp/${P12_NAME}.${slave}"
done
cat ${pem_list} > /tmp/${P12_NAME}.public
pscp -h list_all /tmp/${P12_NAME}.public /tmp
pssh -h list_all "sudo cp /tmp/${P12_NAME}.public ${BASE_SECURITY_PATH}/x509"
pssh -h list_all "sudo chown cloudera-scm.cloudera-scm ${BASE_SECURITY_PATH}/x509/${P12_NAME}.public"
Step8. 生成免密码的 Nginx 的 PEM 格式证书和密钥( Nginx节点 )
假设 Nginx 服务器 (v001001.dc1.domain.com) 已经生成过 JKS 密钥,我们需要配置 Nginx 免密钥访问 HUE Server:
#!/bin/bash
BASE_SECURITY_PATH=/opt/cloudera/security
DATE=`date "+%Y-%m-%d"`
P12_NAME=cms.pem.${DATE}
P12_KEY_NAME=cms.key.${DATE}
sudo cp ${BASE_SECURITY_PATH}/x509/${P12_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_NAME}.nginx
sudo cp ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.${HOSTNAME} ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.nginx
sudo cp ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.nginx ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.nginx.bak
sudo openssl rsa -in ${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.nginx.bak -out ${BASE_SECURITY_PATH}x509/${P12_KEY_NAME}.nginx
重启前确认文件
重启前我们确保下,以下文件都已经生成:
- 所有节点上存在,本机的密钥对和自签名证书
${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.${HOSTNAME},其中只有 Cloudera Server 的该文件会用于 :Cloudera Admin Console 的 HTTPS 加密; - 所有节点上存在,本机的密钥对和自签名证书
${BASE_SECURITY_PATH}/jks/${KEYSTORE_NAME}.hadoopagent,用于 Hadoop 服务传输加密 (服务端),包括 HDFS、YARN、HBase、HiveServer2、Oozie、HDFS HTTPFS 等; - 所有节点上存在,包含本机自签名证书的可信库
${JAVA_HOME}/jre/lib/security/${TRUSTSTORE_NAME}.${HOSTNAME}; - 所有节点上存在,包含所有主机自签名证书的可信库
${JAVA_HOME}/jre/lib/security/${TRUSTSTORE_NAME}.public,用于 Cloudera Managaer Services 的 SSL 加密,及 Hadoop 服务传输加密 (客户端),包括 HDFS、YARN、Oozie、HDFS HTTPFS; - 所有节点上存在,包含本机 PEM 格式的证书、密钥、密钥key,用于 Cloudera Server 对 Agent 的 SSL 证书认证 或 Hadoop 服务传输加密,包括 HUE、 Impala:
-
${BASE_SECURITY_PATH}/x509/${P12_NAME}.cmagent; -
${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.cmagent; -
${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.cmagent; -
${BASE_SECURITY_PATH}/x509/${P12_NAME}.hadoopagent; -
${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.hadoopagent; -
${BASE_SECURITY_PATH}/x509/${AGENTKEY_PW_NAME}.hadoopagent;
-
- 所有节点上存在,包含 Cloudera Server 的 PEM 格式的证书
${BASE_SECURITY_PATH}/x509/${PEM_NAME}.v001001.dc1.domain.com,用于 Cloudera Agent 对 Server 的 SSL 证书认证; - 所有节点上存在,包含所有主机 PEM 格式证书的公共证书库
${BASE_SECURITY_PATH}/x509/${P12_NAME}.public,用于 HUE、Impala 传输加密; - Nginx 节点上存在,包含本机 PEM 格式的证书和密钥
${BASE_SECURITY_PATH}/x509/${P12_NAME}.nginx${BASE_SECURITY_PATH}/x509/${P12_KEY_NAME}.nginx,密钥文件需要免密码,用于 负载均衡;
Cloudera Manager 组件重启
重启前确认配置
以下所有�除密码相关的配置项,笔者都进行了实体化,也就是带入了真实值,方便读者进行学习。${JAVA_HOME}路径请读者自行替换。
因为笔者的证书是在3月14日生成的,所以你需要把它替换成你的对应日期。
Admin Console 的 HTTPS 加密访问配置
- 登录到 Cloudera Manager Administration Console http://192.168.1.1:7183 ;
- 选择
Administration->Settings; - 点击
Security类目; - 确认如下配置:
Use TLS Encryption for Admin Console = true
Path to TLS Keystore File = /opt/cloudera/security/jks/cms.keystore.2017-03-14.v001001.dc1.domain.com
Keystore Password = ${KEYSTORE_PASSWORD}
Cloudera Management Services 的 SSL 加密配置
- 打开 Cloudera Manager Administration Console http://192.168.1.1:7183 选择
Cloudera Management Service;
- 点击
Configuration选项卡;
- 选择
Scope->Cloudera Management Service (Service-Wide);
- 选择
Category->Security;
- 确认以下 TLS/SSL 配置,其中
TRUSTSOTRE_FILE_PASSWORD为之前我们设置的jssecacerts.2017-03-14.public的新密码:
TLS/SSL Client Truststore File Location = $JAVA_HOME/jre/lib/security/jssecacerts.2017-03-14.public
TLS/SSL Client Truststore File Password = ${TRUSTSOTRE_FILE_PASSWORD}
Cloudera Agent 的 TLS 配置
登录 Cloudera Manager Admin Console 选择 Administration -> Settings -> Security 确认如下配置:
Use TLS Encryption for Agents = TRUE
确认每台 Cloudera Agent 配置是否正确:
pssh -h list_all -P "grep 'use_tls=1' /etc/cloudera-scm-agent/config.ini | wc -l"
如果返回值都为1,则表示OK。
Cloudera Agent 对 Server 的 SSL 证书认证相关配置
所有节点 /etc/cloudera-scm-agent/config.ini 配置文件,确认如下属性:
pssh -h list_all -P "grep 'verify_cert_file=/opt/cloudera/security/x509/cmhost.pem.2017-03-14.v001001.dc1.domain.com' /etc/cloudera-scm-agent/config.ini | wc -l"
如果返回值都为1,则表示OK。
Cloudera Server 对 Agent 的 SSL 证书认证相关配置
所有节点 /etc/cloudera-scm-agent/config.ini 配置文件,确认如下属性:
pssh -h list_all -P "grep 'client_cert_file=/opt/cloudera/security/x509/cms.pem.2017-03-14.cmagent' /etc/cloudera-scm-agent/config.ini | wc -l"
pssh -h list_all -P "grep 'client_key_file=/opt/cloudera/security/x509/cms.key.2017-03-14.cmagent' /etc/cloudera-scm-agent/config.ini | wc -l"
pssh -h list_all -P "grep 'client_keypw_file=/opt/cloudera/security/x509/agentkey.pw.2017-03-14.cmagent' /etc/cloudera-scm-agent/config.ini | wc -l"
如果返回值都为1,则表示OK。
- 登录 Cloudera Manager Admin Console;
- 选择
Administration->Settings;
- 点击
Security类目;
- 确认以下 TLS 属性:
Use TLS Authentication of Agents to Server = TRUE
重启服务
重启 Server 和 Agent:
sudo /opt/cm-5.8.2/etc/init.d/cloudera-scm-server restart
pssh -h list_agents "sudo /bin/systemctl restart cloudera-scm-agent"
在 Cloudera Manager Admin Console,打开 Hosts 页面。 如果 Agent 心跳正常,则说明TLS 加密正常工作。
重启 Cloudera Management Services, 这一步直接可以在 Cloudera Manager Administration Console 操作。
Hadoop 服务的自签名 SSL 证书更新
和 Cloudera 组件类似,我们需要确认配置后才能进行服务重启。
以下所有配置,请注意替换 ${JAVA_HOME} 为读者自己的路径;
以下所有配置�,除了 Nginx 配置之外,都是在 Cloudera Manager Admin Console 中进行配置的,也就是 http://192.168.1.1:7183;
重启前确认配置
HDFS 配置确认
PASSWD 为之前设置的 JKS 密码:
ssl.server.keystore.location=/opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
ssl.server.keystore.password=${PASSWD}
ssl.server.keystore.keypassword=${PASSWD}
ssl.client.truststore.location=${JAVA_HOME}/jre/lib/security/jssecacerts.2017-03-14.public
ssl.client.truststore.password=${PASSWD}
hadoop.ssl.enabled=true
dfs.datanode.address = 1024
dfs.data.transfer.protection = privacy
Enable TLS/SSL for HttpFS = true
HttpFS TLS/SSL Server JKS Keystore File Location = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
HttpFS TLS/SSL Server JKS Keystore File Password = ${PASSWD}
HttpFS TLS/SSL Certificate Trust Store File = ${JAVA_HOME}/jre/lib/security/jssecacerts.2017-03-14.public
HttpFS TLS/SSL Certificate Trust Store Password = ${PASSWD}
YARN 配置确认
PASSWD 为上一篇中设置的 JKS 密码:
ssl.server.keystore.location=/opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
ssl.server.keystore.password=${PASSWD}
ssl.server.keystore.keypassword=${PASSWD}
ssl.client.truststore.location=${JAVA_HOME}/jre/lib/security/jssecacerts.2017-03-14.public
ssl.client.truststore.password=${PASSWD}
HBase 配置确认
PASSWD 为上一篇中设置的 JKS 密码:
hdaoop.ssl.enabled, hbase.ssl.enabled = true
ssl.server.keystore.location = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
ssl.server.keystore.password=${PASSWD}
ssl.server.keystore.keypassword=${PASSWD}
hbase.rest.ssl.enabled = true
hbase.rest.ssl.keystore.store = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
hbase.rest.ssl.keystore.password = ${PASSWD}
hbase.rest.ssl.keystore.keypassword = ${PASSWD}
hbase.thrift.ssl.enabled = true
hbase.thrift.ssl.keystore.store = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
hbase.thrift.ssl.keystore.password = ${PASSWD}
hbase.thrift.ssl.keystore.keypassword = ${PASSWD}
Hive 配置确认
PASSWD 为上一篇中设置的 JKS 密码,请注意替换PASSWD:
hive.server2.enable.SSL, hive.server2.use.SSL = true
hive.server2.keystore.path = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
hive.server2.keystore.password =${PASSWD}
hive.server2.webui.use.ssl = true
hive.server2.webui.keystore.password = ${PASSWD}
hive.server2.webui.keystore.path = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
Impala 配置确认
请注意替换PASSWD:
webserver_certificate_file = /opt/cloudera/security/jks/cms.pem.2017-03-14.hadoopagent
webserver_private_key_file = /opt/cloudera/security/jks/cms.key.2017-03-14.hadoopagent
webserver_private_key_password_cmd = ${PASSWD}
ldap_ca_certificate = /opt/cloudera/security/jks/cms.pem.2017-03-14.hadoopagent
client_services_ssl_enabled = true
ssl_server_certificate = webserver_certificate_file = /opt/cloudera/security/x509/cms.pem.2017-03-14.hadoopagent
ssl_private_key = webserver_private_key_file = /opt/cloudera/security/x509/cms.key.2017-03-14.hadoopagent
ssl_private_key_password_cmd = webserver_private_key_password_cmd = ${PASSWD}
ssl_client_ca_certificate = /opt/cloudera/security/x509/cms.key.2017-03-14.public
HUE 配置确认
请注意替换 PASSWD:
ssl_cacerts = /opt/cloudera/security/x509/cms.pem.2017-03-14.public
Enable TLS/SSL for Hue = true
ssl_certificate = /opt/cloudera/security/x509/cms.pem.2017-03-14.hadoopagent
ssl_private_key = /opt/cloudera/security/x509/cms.key.2017-03-14.hadoopagent
ssl_password = ${PASSWD}
因为是自签名密钥,需要修改环境变量,在 Hue Service Environment Advanced Configuration Snippet 中添加:
REQUESTS_CA_BUNDLE = /opt/cloudera/security/x509/cms.pem.2017-03-14.public
确认已经配置 HUE Server 和 HiveServer2 之间的加密,通过 Cloudera Manager Admin Console 对 hue.ini 进行追加配置,配置项为 Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
[beeswax]
[[ssl]]
enabled = true
cacerts = /opt/cloudera/security/x509/cms.pem.2017-03-14.public
validate = true
确认 HUE 配置,在 hue.ini 中添加和 Impala 的传输加密配置,配置项为 Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
[impala]
[[ssl]]
enabled = true
cacerts = /opt/cloudera/security/x509/cms.pem.2017-03-14.public
validate = true
Nginx 配置确认
主要是阐述 Nginx 作为 Hue Load Balancer,其他组件需要做反向代理的配置都可以参考这块。
/etc/nginx/conf.d/test-cluster.conf ,用于实现 HUE LoadBalancer:
server {
server_name 192.168.1.1;
charset utf-8;
listen 8889 ssl;
ssl_certificate /opt/cloudera/security/x509/cms.pem.2017-03-14.nginx;
ssl_certificate_key /opt/cloudera/security/x509/cms.key.2017-03-14.nginx;
client_max_body_size 0;
location / {
proxy_pass https://hue;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /static/ {
alias /opt/cloudera/parcels/CDH/lib/hue/build/static/;
expires 30d;
add_header Cache-Control public;
}
}
upstream hue {
ip_hash;
# List all the Hue instances here for high availability.
server HUE_SERVER_HOSTNAME1:8888 max_fails=3;
server HUE_SERVER_HOSTNAME2:8888 max_fails=3;
...
}
Oozie 配置确认
请注意替换 PASSWD :
Enable TLS/SSL for Oozie = true
Oozie TLS/SSL Server JKS Keystore File Location = /opt/cloudera/security/jks/cms.keystore.2017-03-14.hadoopagent
Oozie TLS/SSL Server JKS Keystore File Password = ${PASSWD}
Oozie TLS/SSL Certificate Trust Store File = ${JAVA_HOME}/jre/lib/security/jssecacerts.2017-03-14.public
Oozie TLS/SSL Certificate Trust Store Password = ${PASSWD}
重启服务
使用 Cloudera Manager Admin Console 对服务进行重启。
BTW,别忘记重启 Nginx。
小结
本文阐述了,如何对一个已经服役的 Cloudera Manager 管理的集群进行自签名证书更新。有任何不明确的地方,可以微信联系我,或者直接简书留言。
