Commit 693b28e1 written by author: StanleySung, committer: David Yozie

docs: add active directory kerberos steps for pxf (#7055)

* add ad steps in pxf krb doc

* From Lisa Owen

* distributing keytab using gpscp and gpssh

* Update gpdb-doc/markdown/pxf/pxf_kerbhdfs.html.md.erb
Co-Authored-By: NAlexander Denissov <denalex@users.noreply.github.com>

* Update gpdb-doc/markdown/pxf/pxf_kerbhdfs.html.md.erb
Co-Authored-By: NAlexander Denissov <denalex@users.noreply.github.com>

* misc formatting edits

* a few more formatting edits
Parent 918fbd84
......@@ -22,12 +22,79 @@ Before you configure PXF for access to a secure HDFS filesystem, ensure that you
- Noted the name of the Kerberos \<realm\> in which your cluster resides.
- Installed the Kerberos client packages on **each** Greenplum Database segment host if they are not already installed. You must have superuser permissions to install operating system packages. For example:
``` shell
root@gphost$ rpm -qa | grep krb
root@gphost$ yum install krb5-libs krb5-workstation
```
## <a id="procedure"></a>Procedure
Perform the following steps to configure PXF for a secure HDFS. You will perform operations on the Kerberos KDC server and Greenplum Database segment hosts.
There are different procedures for configuring PXF for secure HDFS with a [Microsoft Active Directory KDC Server](#proc_ad) vs. with an [MIT Kerberos KDC Server](#proc_mit).
### <a id="proc_ad"></a>Configuring PXF with a Microsoft Active Directory Kerberos KDC Server
When you configure PXF for secure HDFS using an AD Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.
**Perform the following steps the Active Directory domain controller**:
1. Start **Active Directory Users and Computers**.
2. Expand the forest domain and the top-level UNIX organizational unit that describes your Greenplum user domain.
3. Select **Service Accounts**, right-click, then select **New->User**.
4. Type a name, eg. `ServiceGreenplumPROD1`, and change the login name to `gpadmin`. Note that the login name should be in compliance with POSIX standard and match hadoop.proxyuser.<name>.hosts/groups in the Hadoop `core-site.xml` and `PXF_PRINCIPAL` in `$PXF_CONF/conf/pxf-env.sh`.
5. Type and confirm the Active Directory service account password. Select the **User cannot change password** and **Password never expires** check boxes, then click **Next**. For security reasons, if you can't have **Password never expires** checked, you will need to generate new keytab file (step 7) every time you change the password of the service account.
6. Click **Finish** to complete the creation of the new user principal.
7. Open Powershell or a command prompt and run the `ktpass` command to generate the keytab file. For example:
``` shell
powershell#>ktpass -out pxf.service.keytab -princ gpadmin@EXAMPLE.COM -mapUser ServiceGreenplumPROD1 -pass ******* -crypto all -ptype KRB5_NT_PRINCIPAL
```
With Active Directory, the principal and the keytab file are shared by all Greenplum Database segment hosts.
8. Copy the `pxf.service.keytab` file to the Greenplum master host.
**Perform the following steps on the Greenplum Database master host**:
1. Log in to the Greenplum Database master host. For example:
``` shell
$ ssh gpadmin@<gpmaster>
```
2. Open the `$PXF_CONF/conf/pxf-env.sh` file in an editor. Update the `PXF_KEYTAB` and `PXF_PRINCIPAL` settings, if required, specifying the location of the keytab file and the Kerberos principal. Replace `EXAMPLE.COM` with your Kerberos realm.
``` shell
export PXF_KEYTAB="${PXF_CONF}/keytabs/pxf.service.keytab"
export PXF_PRINCIPAL="gpadmin@EXAMPLE.COM"
```
4. Save the file and exit the editor.
5. Synchronize the PXF configuration to your Greenplum Database cluster and restart PXF. For example:
**Perform the following steps on Kerberos KDC server host**:
``` shell
gpadmin@master$ $GPHOME/pxf/bin/pxf cluster sync
gpadmin@master$ $GPHOME/pxf/bin/pxf cluster stop
gpadmin@master$ $GPHOME/pxf/bin/pxf cluster start
```
6. Step 5 does not synchronize the keytabs in `$PXF_CONF`. You must distribute the keytab file to `$PXF_CONF/keytabs/`. Locate the keytab file, copy the file to the `$PXF_CONF` user configuration directory, and set required permissions. For example:
``` shell
gpadmin@gpmaster$ gpscp -f hostfile_all pxf.service.keytab =:$PXF_CONF/keytabs/
gpadmin@gpmaster$ gpssh -f hostfile_all chmod 400 $PXF_CONF/keytabs/pxf.service.keytab
```
### <a id="proc_mit"></a>Configuring PXF with an MIT Kerberos KDC Server
When you configure PXF for secure HDFS using an MIT Kerberos KDC server, you will perform tasks on both the KDC server host and the Greenplum Database master host.
**Perform the following steps on the MIT Kerberos KDC server host**:
1. Log in to the Kerberos KDC server as the `root` user.
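Review bot: the bold line `**Perform the following steps on Kerberos KDC server host**:` sits inside step 5 of the master-host procedure, between "For example:" and the `pxf cluster sync` code block; it looks like a leftover from the MIT section and should be deleted, and the master-host steps then jump from 2 to 4, so renumber them (or restore the missing step). Step 6 distributes the keytab with `gpscp`/`gpssh` after step 5 has already run `pxf cluster stop`/`start`, so PXF comes back up on the segment hosts before `$PXF_CONF/keytabs/pxf.service.keytab` exists there; move the distribution step ahead of the sync/restart step, and say where `hostfile_all` comes from, since it is not introduced anywhere in this document. On the `ktpass` example, `-crypto all` generates keys for every encryption type the KDC offers, including the legacy DES and RC4 types; unless the Hadoop cluster still needs those, `-crypto AES256-SHA1` is the safer default to show. Typing the password on the command line also leaves it in the PowerShell history, and `-pass *` makes `ktpass` prompt for it instead. Finally, `hadoop.proxyuser.<name>.hosts/groups` in step 4 will be swallowed as an HTML tag when rendered; escape it as `hadoop.proxyuser.\<name\>.hosts/groups`, as the page already does for `\<realm\>`, and change "eg." to "e.g." and "generate new keytab file" to "generate a new keytab file" in step 5.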
......@@ -89,28 +156,21 @@ Perform the following steps to configure PXF for a secure HDFS. You will perform
root@kdc-server$ ssh host3.example.com chmod 400 /usr/local/greenplum-pxf/keytabs/pxf.service.keytab
```
**Perform the following steps on each Greenplum Database segment host**:
**Perform the following steps on the Greenplum Database master host**:
1. Log in to the segment host. For example:
1. Log in to the master host. For example:
``` shell
$ ssh gpadmin@<seghost>
$ ssh gpadmin@<gpmaster>
```
2. Install the Kerberos client packages on **each** Greenplum Database segment host if they are not already installed. You must have superuser permissions to install operating system packages. For example:
``` shell
root@seghost$ rpm -qa | grep krb
root@seghost$ yum install krb5-libs krb5-workstation
```
4. Open the PXF `pxf-env.sh` user configuration file in the editor of your choice. For example, to open the file with `vi` when `PXF_CONF=/usr/local/greenplum-pxf`:
2. Open the PXF `pxf-env.sh` user configuration file in the editor of your choice. For example, to open the file with `vi` when `PXF_CONF=/usr/local/greenplum-pxf`:
``` shell
gpadmin@seghost$ vi /usr/local/greenplum-pxf/conf/pxf-env.sh
```
5. Update the `PXF_KEYTAB` and `PXF_PRINCIPAL` settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. *The default values for these settings are identified below*:
3. Update the `PXF_KEYTAB` and `PXF_PRINCIPAL` settings, if required. Specify the location of the keytab file and the Kerberos principal, substituting your realm. *The default values for these settings are identified below*:
``` shell
export PXF_KEYTAB="${PXF_CONF}/keytabs/pxf.service.keytab"
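Review bot: step 2 of the new master-host procedure still shows the prompt `gpadmin@seghost$ vi /usr/local/greenplum-pxf/conf/pxf-env.sh` even though step 1 was changed to `$ ssh gpadmin@<gpmaster>`; change the prompt to `gpadmin@gpmaster$` so it matches the host the reader is now logged in to and the AD section above. Dropping the "Install the Kerberos client packages" step from this section is fine only because the same instruction was moved to the prerequisites list at the top of the file; a one-line pointer back to that list would help readers who jump straight to the MIT procedure.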
......@@ -119,9 +179,13 @@ Perform the following steps to configure PXF for a secure HDFS. You will perform
PXF automatically replaces ` _HOST` with the FQDN of the segment host.
6. Restart PXF on the segment host:
4. Save the file and exit the editor.
5. Synchronize the PXF configuration to your Greenplum Database cluster and restart PXF. For example:
``` shell
gpadmin@seghost$ $GPHOME/pxf/bin/pxf restart
gpadmin@seghost$ $GPHOME/pxf/bin/pxf cluster sync
gpadmin@master$ $GPHOME/pxf/bin/pxf cluster stop
gpadmin@master$ $GPHOME/pxf/bin/pxf cluster start
```
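Review bot: the first command in the new code block is shown as `gpadmin@seghost$ $GPHOME/pxf/bin/pxf cluster sync` while the stop and start lines use `gpadmin@master$`; `pxf cluster sync` is the command that pushes `$PXF_CONF` from the master to the segment hosts, so all three prompts should read `gpadmin@master$` (or `gpadmin@gpmaster$`, which is what step 1 uses). It would also help to repeat here the caveat the AD section makes, that `pxf cluster sync` does not synchronize the keytabs in `$PXF_CONF`: in the MIT flow the per-host keytabs were already pushed from the KDC with `ssh`/`chmod 400`, so the `_HOST` sentence stays correct, but a reader who reorders the steps will restart PXF without a keytab on the segment hosts.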