Enable HTTPS for HDFS


hadoop https配置

 

在 hadoop1 生成 CA 并拷贝至 hadoop2、hadoop3。(密码随便设置,大于6位即可,如 adminadmin。adminadmin 仅为演示用的示例口令,实际部署时应改用强口令,且不要在多个库之间共用。)


# Work in the directory that will hold the CA material and, later, the keystores.
cd /etc/https

# Create a self-signed CA: private key in hdfs_ca_key, certificate in hdfs_ca_cert.
# No -nodes is given, so openssl prompts for a passphrase that encrypts hdfs_ca_key.
# -days 9999 makes the CA certificate valid for roughly 27 years.
openssl req -new -x509 -keyout hdfs_ca_key -out hdfs_ca_cert -days 9999 -subj '/C=CN/ST=beijing/L=chaoyang/O=lecloud/OU=dt/CN=jenkin.com'

# Copy the CA certificate AND the CA private key to the other two nodes; the
# per-node signing step of this guide runs on each machine and needs both files.
# NOTE(review): every host that holds hdfs_ca_key can issue certificates the whole
# cluster trusts. Signing all requests on hadoop1 and distributing only
# hdfs_ca_cert plus the signed certificates would keep the key on one host.
scp hdfs_ca_key  hdfs_ca_cert hadoop2:/etc/https/

scp hdfs_ca_key  hdfs_ca_cert hadoop3:/etc/https/

 

在每一台机器上生成 keystore 和 truststore


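# Per-node certificate setup: run on every machine, in the directory that holds
# hdfs_ca_cert and hdfs_ca_key. keytool prompts for the store and key passwords.

# The certificate CN must be the name clients use to reach this node. The original
# listing referenced ${fqdn} without setting it; a value already set is kept.
fqdn="${fqdn:-$(hostname -f)}"

# Generate this node's 2048-bit RSA key pair in a new keystore under alias "localhost".
# -validity 9999 gives the initial self-signed certificate a lifetime of about 27 years.
keytool -keystore keystore -alias localhost -validity 9999 -genkey -keyalg RSA -keysize 2048 -dname "CN=${fqdn}, OU=DT, O=DT, L=CY, ST=BJ, C=CN"

# Add the CA certificate to the truststore so peers signed by this CA are accepted.
keytool -keystore truststore -alias CARoot -import -file hdfs_ca_cert

# Write a certificate signing request for the "localhost" key to the file "cert".
keytool -certreq -alias localhost -keystore keystore -file cert

# Sign the request with the CA. This needs hdfs_ca_key (and its passphrase) on this
# host; -CAcreateserial creates the CA serial-number file if it does not exist yet.
# NOTE(review): the signed certificate is also valid for 9999 days, so a leaked node
# key stays usable for decades unless the CA is replaced; a shorter lifetime with
# scheduled renewal limits that window.
openssl x509 -req -CA hdfs_ca_cert -CAkey hdfs_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial

# Import the CA certificate first, then the signed certificate, so keytool can
# attach the signed certificate to the existing "localhost" key as a chain.
keytool -keystore keystore -alias CARoot -import -file hdfs_ca_cert

keytool -keystore keystore -alias localhost -import -file cert_signed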

 

将最终的 keystore、truststore 放入合适的目录,并加上后缀


# Install the finished stores under the paths that ssl-server.xml and ssl-client.xml
# reference (/etc/https/keystore.jks and /etc/https/truststore.jks).
# keystore.jks contains this node's private key.
# NOTE(review): the guide sets no ownership or mode on these files; limit read
# access on keystore.jks to the accounts that actually need it.
cp keystore /etc/https/keystore.jks

cp truststore /etc/https/truststore.jks

 

hdfs-site.xml


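<!-- Author's note: when a DataNode and the NameNode run on the same host, HTTPS_ONLY is required. -->
<!-- dfs.http.policy accepts HTTP_ONLY, HTTPS_ONLY or HTTP_AND_HTTPS.
     NOTE(review): HTTP_AND_HTTPS keeps the plain HTTP endpoints open next to HTTPS,
     so traffic to the NameNode web endpoints can still travel unencrypted.
     Switch to HTTPS_ONLY once every client uses the HTTPS endpoints. -->
<property>
  <name>dfs.http.policy</name>
  <value>HTTP_AND_HTTPS</value> <!-- namenode configure -->
  <!-- <value>HTTPS_ONLY</value> --><!-- datanode configure -->
</property>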

  

配置ssl-client.xml


<configuration>

<!-- Client-side TLS settings (used by clients such as distcp, per the descriptions below).
     NOTE(review): the three password values are stored here in clear text, and
     "adminadmin" is only the sample password chosen earlier in this guide. Use a
     strong password and keep this file readable only by accounts that need it.
     Hadoop's Credential Provider API (hadoop.security.credential.provider.path) is
     the usual way to keep such passwords out of the file; confirm it covers these
     keys in the Hadoop version in use. -->

<!-- Truststore holding the CA certificate that was imported under alias CARoot. -->
<property>
  <name>ssl.client.truststore.location</name>
  <value>/etc/https/truststore.jks</value>
  <description>Truststore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<!-- Password entered when the truststore was created with keytool. -->
<property>
  <name>ssl.client.truststore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.client.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<!-- NOTE(review): this is the same keystore.jks the guide installs for the server side,
     and it contains the node's private key. Any account that can read both that file
     and the passwords below can present the node's certificate. Consider a separate
     client keystore if ordinary users must read this configuration. -->
<property>
  <name>ssl.client.keystore.location</name>
  <value>/etc/https/keystore.jks</value>
  <description>Keystore to be used by clients like distcp. Must be
  specified.
  </description>
</property>

<!-- Password of the keystore file itself. -->
<property>
  <name>ssl.client.keystore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".
  </description>
</property>

<!-- Password of the private-key entry inside the keystore. -->
<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

</configuration>

 

ssl-server.xml


<configuration>

<!-- Server-side TLS settings for the NameNode (NN) and DataNode (DN), per the descriptions below.
     NOTE(review): the three password values are stored here in clear text, and
     "adminadmin" is only the sample password chosen earlier in this guide. Use a
     strong password and restrict this file to the accounts that run the daemons.
     Hadoop's Credential Provider API (hadoop.security.credential.provider.path) is
     the usual way to keep such passwords out of the file; confirm it covers these
     keys in the Hadoop version in use. -->

<!-- Truststore holding the CA certificate that was imported under alias CARoot. -->
<property>
  <name>ssl.server.truststore.location</name>
  <value>/etc/https/truststore.jks</value>
  <description>Truststore to be used by NN and DN. Must be specified.
  </description>
</property>

<!-- Password entered when the truststore was created with keytool. -->
<property>
  <name>ssl.server.truststore.password</name>
  <value>adminadmin</value>
  <description>Optional. Default value is "".
  </description>
</property>

<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
  <description>Truststore reload check interval, in milliseconds.
  Default value is 10000 (10 seconds).
  </description>
</property>

<!-- Keystore holding this node's private key (alias localhost) and its CA-signed certificate. -->
<property>
  <name>ssl.server.keystore.location</name>
  <value>/etc/https/keystore.jks</value>
  <description>Keystore to be used by NN and DN. Must be specified.
  </description>
</property>

<!-- Password of the keystore file itself. -->
<property>
  <name>ssl.server.keystore.password</name>
  <value>adminadmin</value>
  <description>Must be specified.
  </description>
</property>

<!-- Password of the private-key entry inside the keystore. -->
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>adminadmin</value>
  <description>Must be specified.
  </description>
</property>

<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
  <description>Optional. The keystore file format, default value is "jks".
  </description>
</property>

</configuration>
