文章目录

登录Kerberos: kadmin.local

  • 使用kadmin.local命令登录
[root@manager ~]# kadmin.local 
Authenticating as principal root/admin@BIGDATA with password.
kadmin.local:  ?	# 查看命令列表i
Available kadmin.local requests:

add_principal, addprinc, ank
                         Add principal
delete_principal, delprinc
                         Delete principal
modify_principal, modprinc
                         Modify principal
rename_principal, renprinc
                         Rename principal
change_password, cpw     Change password
get_principal, getprinc  Get principal
list_principals, listprincs, get_principals, getprincs
                         List principals
add_policy, addpol       Add policy
modify_policy, modpol    Modify policy
delete_policy, delpol    Delete policy
get_policy, getpol       Get policy
list_policies, listpols, get_policies, getpols
                         List policies
get_privs, getprivs      Get privileges
ktadd, xst               Add entry(s) to a keytab
ktremove, ktrem          Remove entry(s) from a keytab
lock                     Lock database exclusively (use with extreme caution!)
unlock                   Release exclusive database lock
purgekeys                Purge previously retained old keys from a principal
get_strings, getstrs     Show string attributes on a principal
set_string, setstr       Set a string attribute on a principal
del_string, delstr       Delete a string attribute on a principal
list_requests, lr, ?     List available requests.
quit, exit, q            Exit program.

查看已存在凭据:list_principals, listprincs, get_principals, getprincs

kadmin.local:  listprincs
HTTP/manager.bigdata@BIGDATA
HTTP/master.bigdata@BIGDATA
HTTP/worker.bigdata@BIGDATA
K/M@BIGDATA
activity_analyzer/manager.bigdata@BIGDATA
activity_explorer/manager.bigdata@BIGDATA
admin/admin@BIGDATA
ambari-qa-gaia@BIGDATA
ambari-server-gaia@BIGDATA
……

添加凭据:add_principal, addprinc, ank

kadmin.local:  ank test@BIGDATA
WARNING: no policy specified for test@BIGDATA; defaulting to no policy
Enter password for principal "test@BIGDATA": 
Re-enter password for principal "test@BIGDATA": 
Principal "test@BIGDATA" created.

# 创建的时候指定密码
kadmin.local -q "addprinc -pw bigdata123 test"

根据添加的凭据生成keytab文件

kadmin.local # 登录
kadmin.local:  ktadd -k /etc/security/keytabs/student.keytab -norandkey test@BIGDATA

修改凭据密码:change_password, cpw

kadmin.local:  cpw test@BIGDATA
Enter password for principal "test@BIGDATA": 
Re-enter password for principal "test@BIGDATA": 
Password for "test@BIGDATA" changed.

删除凭据:delete_principal, delprinc

kadmin.local:  delprinc test@BIGDATA
Are you sure you want to delete the principal "test@BIGDATA"? (yes/no): yes
Principal "test@BIGDATA" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

认证用户:kinit

[root@manager ~]# kinit admin/admin@BIGDATA
Password for admin/admin@BIGDATA:

查看当前认证用户:klist

[root@manager ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@BIGDATA

Valid starting       Expires              Service principal
10/30/2019 00:21:12  10/31/2019 00:21:12  krbtgt/BIGDATA@BIGDATA
	renew until 11/06/2019 00:21:12

删除当前认证的缓存

[root@manager ~]# kdestroy
[root@manager ~]# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

切换Hadoop组内用户票据

  • 根据keytab文件查询用户
klist -kt /etc/security/keytabs/hdfs.headless.keytab
  • 切换票据
kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hdv4@BIGDATA
Logo
开放原子开发者工作坊

开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!

更多推荐

OpenLoong项目通过技术监督委员会(TOC)评审

OpenLoong项目通过技术监督委员会(TOC)评审

avatar 开放原子开发者工作坊

开发者谈开源:KWDB开源数据库的未来路径与生态构建实践

开发者谈开源:KWDB开源数据库的未来路径与生态构建实践

avatar 开放原子开发者工作坊

开发者谈开源:洞悉协作创新背后的机遇与挑战

近日,在2024开放原子开发者大会暨首届开源技术学术大会开幕式上,开放原子开源基金会与openKylin、EasyAda、KWDB开源项目举行捐赠签约仪式。 一场捐赠签约仪式,让三个开源项目及其背后的开发者们受到瞩目。本次,我们与“龘”(EasyAda)核心维护者王伶卓开启了对话。

avatar 开放原子开发者工作坊