1) Check whether Knox's LDAP is running. If it is not, start Demo LDAP from Ambari
[knox@node7 ~]$ ps auxwww | grep ldap
knox 13913 16.8 1.5 7471672 247728 ? Sl 04:11 0:12 /usr/jdk64/jdk1.8.0_77/bin/java -jar /usr/hdp/current/knox-server/bin/ldap.jar /usr/hdp/current/knox-server/conf
...
To start it with curl:
curl 'http://sandbox.hortonworks.com:8080/api/v1/clusters/Sandbox/requests' --data '{"RequestInfo":{"context":"Start Demo LDAP","command":"STARTDEMOLDAP"},"Requests/resource_filters":[{"service_name":"KNOX","component_name":"KNOX_GATEWAY","hosts":"sandbox.hortonworks.com"}]}'
2) Find the port so that ldapsearch can be used
[knox@node7 ~]$ lsof -p 13913 | grep LISTEN
java 13913 knox 288u IPv6 587185915 0t0 TCP *:33389 (LISTEN)
3) Likewise, find the user names and passwords
[knox@node7 ~]$ grep -E '^uid|^userPassword' /etc/knox/conf/users.ldif
uid: guest
userPassword:guest-password
uid: admin
userPassword:admin-password
uid: sam
userPassword:sam-password
uid: tom
userPassword:tom-password
4) Connection test with ldapsearch
[knox@node7 ~]$ ldapsearch -x -h `hostname -f`:33389 -D 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' -w admin-password -s sub '(objectclass=person)' uid
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=person)
# requesting: uid
#
# admin, people, hadoop.apache.org
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
uid: admin
# guest, people, hadoop.apache.org
dn: uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
uid: guest
...
If this fails, check /etc/openldap/ldap.conf (there may be an odd setting in it)
5) Check that Beeline can connect as an LDAP user
beeline --verbose
!connect "jdbc:hive2://node7.localdomain:8443/;ssl=true;sslTrustStore=/usr/hdp/current/knox-server/data/security/keystores/gateway.jks;trustStorePassword=hadoop;transportMode=http;httpPath=gateway/default/hive"
Then enter the user name admin and the password admin-password
Or:
beeline --verbose -u "jdbc:hive2://node7.localdomain:8443/;ssl=true;sslTrustStore=/tmp/myNewTrustStore.jks;trustStorePassword=changeit;transportMode=http;httpPath=gateway/default/hive" -n admin -p admin-password -e 'SELECT from_unixtime(unix_timestamp());'
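As an added example (not part of the original post), a few shell helpers for the pre-flight checks in steps 1 to 4: read the LDAP port out of the Knox topology, flag demo users whose userPassword is stored in clear text, and wrap the ldapsearch bind test. The LDIF and topology fragments below are constructed samples; ldap_bind_check assumes the OpenLDAP ldapsearch client is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Helpers for checking the Knox
# demo LDAP before running ldapsearch or beeline against it.

# Print the port the topology's ShiroProvider realm points at, read from
# main.ldapRealm.contextFactory.url (the post's value is ldap://host:33389).
topology_ldap_port() {
  # $1 = topology XML file
  grep -A1 'main.ldapRealm.contextFactory.url' "$1" \
    | sed -n 's/.*<value>ldap[s]*:\/\/[^:]*:\([0-9]*\)<\/value>.*/\1/p'
}

# List uids whose userPassword has no {SCHEME} prefix, i.e. is stored in clear
# text as in the demo users.ldif. Anything listed is demo-only credential material.
ldif_cleartext_users() {
  # $1 = LDIF file
  awk '
    /^uid:/ { uid = $2 }
    /^userPassword:/ {
      sub(/^userPassword:[ ]*/, "")
      if ($0 !~ /^[{][A-Za-z0-9]+[}]/) print uid
    }' "$1"
}

# Simple-bind test equivalent to step 4; returns 0 only if the bind succeeds.
ldap_bind_check() {
  # $1 = host, $2 = port, $3 = bind DN, $4 = password (assumes ldapsearch is installed)
  ldapsearch -x -H "ldap://$1:$2" -D "$3" -w "$4" -s base -b '' '(objectclass=*)' >/dev/null 2>&1
}

# Constructed sample input mirroring the post's users.ldif and topology.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/users.ldif" <<'EOF'
dn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
uid: admin
userPassword:admin-password

dn: uid=sam,ou=people,dc=hadoop,dc=apache,dc=org
uid: sam
userPassword: {SSHA}constructedhashvalue
EOF
cat > "$SAMPLE_DIR/topology.xml" <<'EOF'
<param>
<name>main.ldapRealm.contextFactory.url</name>
<value>ldap://node7.localdomain:33389</value>
</param>
EOF
```

Run it as `ldap_bind_check "$(hostname -f)" "$(topology_ldap_port /path/to/topology.xml)" 'uid=admin,ou=people,dc=hadoop,dc=apache,dc=org' admin-password` to reproduce step 4 with the port taken from the topology.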
Reference 1) HiveServer2 (HTTP+Kerberos)
kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-c6@LAB.HORTONWORKS.NET
beeline --verbose
!connect "jdbc:hive2://node7.localdomain:10001/;transportMode=http;httpPath=cliservice;principal=hive/_HOST@LAB.HORTONWORKS.NET"
Reference 2) ZK discovery
beeline --verbose
!connect "jdbc:hive2://node7.localdomain:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@LAB.HORTONWORKS.NET;transportMode=http;httpPath=cliservice"
Reference 3) For reference, the LDAP-related part of the Knox topology:
<provider>
    <role>authentication</role>
    <name>ShiroProvider</name>
    <enabled>true</enabled>
    <param>
        <name>sessionTimeout</name>
        <value>30</value>
    </param>
    <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
    </param>
    <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldap://{{knox_host_name}}:33389</value>
    </param>
    <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
    </param>
    <param>
        <name>urls./**</name>
        <value>authcBasic</value>
    </param>
</provider>