# Command-line deployment

---

## Prerequisites

### HA cluster dependency

An HDFS HA cluster depends on a ZooKeeper cluster. For installing ZooKeeper see [ZooKeeper installation](../zookeeper/installation-zookeeper.rst).

The ZooKeeper service address is assumed to be `zookeeper1:2181,zookeeper2:2181,zookeeper3:2181`.

### Kerberos dependency (optional)

If Kerberos authentication is to be enabled, see [Kerberos installation](../kerberos/installation-kerberos.rst) for installing Kerberos.

The Kerberos service address is assumed to be `kdc1`.

### Ranger dependency (optional)

If Ranger authorization is to be enabled, see [Ranger installation](../ranger/ranger-start-installation-cli.md) for installing Ranger.

The Ranger service address is assumed to be `ranger1`.

### Configure the yum repository and install lava

Log in to hdfs1 and switch to the root user:

```sh
ssh hdfs1
su - root
```

Before starting, configure the yum repository and install the lava command-line management tool:

```sh
# Fetch the repo file from the machine that hosts the yum repository (assumed to be 192.168.1.10)
scp root@192.168.1.10:/etc/yum.repos.d/oushu.repo /etc/yum.repos.d/oushu.repo
# Add the yum repository machine to /etc/hosts
# Install the lava command-line management tool
yum clean all
yum makecache
yum install -y lava
```

Create a `hdfshosts` file:

```sh
touch ${HOME}/hdfshosts
```

Fill hdfshosts with the hostnames of every HDFS machine. Here the HDFS services run on hdfs1 to hdfs3, and hdfs4 to hdfs6 are additional machines that only get the HDFS client. If HDFS will not be used from machines that run no HDFS service, hdfs4 to hdfs6 can be left out.

```
hdfs1
hdfs2
hdfs3
hdfs4
hdfs5
hdfs6
```

Exchange public keys between the first machine and the other nodes in the cluster, so that ssh works without a password and configuration files can be distributed:

```sh
# Exchange public keys with the other machines in the cluster
lava ssh-exkeys -f ${HOME}/hdfshosts -p ********
# Distribute the repo file to the other machines in the cluster
lava scp -f ${HOME}/hdfshosts /etc/yum.repos.d/oushu.repo =:/etc/yum.repos.d
```

The root password passed to `-p` is written to the shell history and is visible in the process list while the command runs; remove it from the history afterwards.

## Installation

### Preparation

Create a `hdfshost` file (distinct from `hdfshosts` above: this one lists only the machines that run HDFS services):

```sh
touch ${HOME}/hdfshost
```

Set its contents to the hostnames of all machines on which HDFS services are installed:

```
hdfs1
hdfs2
hdfs3
```

Create `nnhostfile`, listing the HDFS NameNode nodes:

```sh
touch ${HOME}/nnhostfile
```

Set its contents to the NameNode hostnames:

```
hdfs1
hdfs2
```

Create `jnhostfile`:

```sh
touch ${HOME}/jnhostfile
```

Set its contents to the JournalNode hostnames:

```
hdfs1
hdfs2
hdfs3
```

Create `dnhostfile`:

```sh
touch ${HOME}/dnhostfile
```

Set its contents to the DataNode hostnames:

```
hdfs1
hdfs2
hdfs3
```

Install HDFS:

```sh
lava ssh -f ${HOME}/hdfshost -e 'yum install -y hdfs'
```

Create the NameNode directories:

```sh
lava ssh -f ${HOME}/nnhostfile -e 'mkdir -p /data1/hdfs/namenode'
lava ssh -f ${HOME}/nnhostfile -e 'chmod -R 755 /data1/hdfs'
lava ssh -f ${HOME}/nnhostfile -e 'chown -R hdfs:hadoop /data1/hdfs'
```

Create the DataNode directories:
```sh
lava ssh -f ${HOME}/dnhostfile -e 'mkdir -p /data1/hdfs/datanode'
lava ssh -f ${HOME}/dnhostfile -e 'mkdir -p /data2/hdfs/datanode'
lava ssh -f ${HOME}/dnhostfile -e 'chmod -R 755 /data1/hdfs'
lava ssh -f ${HOME}/dnhostfile -e 'chmod -R 755 /data2/hdfs'
lava ssh -f ${HOME}/dnhostfile -e 'chown -R hdfs:hadoop /data1/hdfs'
lava ssh -f ${HOME}/dnhostfile -e 'chown -R hdfs:hadoop /data2/hdfs'
lava ssh -f ${HOME}/dnhostfile -e 'mkdir -p /var/lib/hadoop-hdfs/'
lava ssh -f ${HOME}/dnhostfile -e 'chmod -R 755 /var/lib/hadoop-hdfs/'
lava ssh -f ${HOME}/dnhostfile -e 'chown -R hdfs:hadoop /var/lib/hadoop-hdfs/'
```

Mode 755 is only needed so that the parent directories can be traversed; the DataNode resets its own data directories to `dfs.datanode.data.dir.perm` (default 700) when it starts, and the NameNode metadata directory should likewise not be readable by other local users.

#### Kerberos preparation (optional)

If Kerberos is enabled, install the Kerberos client on every HDFS node:

```sh
lava ssh -f ${HOME}/hdfshost -e "yum install -y krb5-libs krb5-workstation"
```

From hdfs1, log in to kdc1 and open the kadmin console:

```sh
ssh kdc1
mkdir -p /etc/security/keytabs
kadmin.local
```

In the console run the commands below. For readability the principal names use the HDFS role names directly, so they can be matched against the configuration later. Note: the hostname part of each principal must be lowercase, whatever the case of the machine's actual hostname.

```
addprinc -randkey namenode/hdfs2@OUSHU.COM
addprinc -randkey namenode/hdfs1@OUSHU.COM
addprinc -randkey datanode/hdfs1@OUSHU.COM
addprinc -randkey datanode/hdfs2@OUSHU.COM
addprinc -randkey datanode/hdfs3@OUSHU.COM
addprinc -randkey journalnode/hdfs1@OUSHU.COM
addprinc -randkey journalnode/hdfs2@OUSHU.COM
addprinc -randkey journalnode/hdfs3@OUSHU.COM
addprinc -randkey HTTP/hdfs1@OUSHU.COM
addprinc -randkey HTTP/hdfs2@OUSHU.COM
addprinc -randkey HTTP/hdfs3@OUSHU.COM
addprinc -randkey hdfs@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab hdfs@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab namenode/hdfs1@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab namenode/hdfs2@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab datanode/hdfs1@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab datanode/hdfs2@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab datanode/hdfs3@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab journalnode/hdfs1@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab journalnode/hdfs2@OUSHU.COM
ktadd -k /etc/security/keytabs/hdfs.keytab journalnode/hdfs3@OUSHU.COM
ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab HTTP/hdfs1@OUSHU.COM
ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab HTTP/hdfs2@OUSHU.COM
ktadd -norandkey -k /etc/security/keytabs/hdfs.keytab HTTP/hdfs3@OUSHU.COM
# all principals added
```

Back on hdfs1 (leave the kadmin console and the kdc1 session first), distribute the generated keytab:

```sh
ssh hdfs1
lava ssh -f ${HOME}/hdfshost -e 'mkdir -p /etc/security/keytabs/'
scp root@kdc1:/etc/krb5.conf /etc/krb5.conf
scp root@kdc1:/etc/security/keytabs/hdfs.keytab /etc/security/keytabs/hdfs.keytab
lava scp -r -f ${HOME}/hdfshost /etc/krb5.conf =:/etc/krb5.conf
lava scp -r -f ${HOME}/hdfshost /etc/security/keytabs/hdfs.keytab =:/etc/security/keytabs/hdfs.keytab
lava ssh -f ${HOME}/hdfshost -e 'chown hdfs:hadoop /etc/security/keytabs/hdfs.keytab'
```

This single keytab holds the service keys of every host, and a copy lands on every node, so compromising any one node yields the keys of all HDFS services in the cluster. Keep it readable only by the hdfs user (mode 400), and for production clusters consider a per-host keytab that contains only that host's principals.

## Configuration

### HA configuration

Replace **fs.defaultFS** with the HA nameservice and add the ZooKeeper quorum. In core-site.xml:

```sh
vim /usr/local/oushu/conf/common/core-site.xml
```

Modify:

```xml
<property>
  <name>fs.defaultFS</name>
  <value>hdfs://oushu</value>
</property>
<property>
  <name>ha.zookeeper.quorum</name>
  <value>zookeeper1:2181,zookeeper2:2181,zookeeper3:2181</value>
</property>
```

Modify hdfs-site.xml as follows:

```sh
vim /usr/local/oushu/conf/common/hdfs-site.xml
```

Modify:

```xml
<property>
  <name>dfs.domain.socket.path</name>
  <value>/var/lib/hadoop-hdfs/dn_socket</value>
</property>
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
<property>
  <name>dfs.nameservices</name>
  <value>oushu</value>
</property>
<property>
  <name>dfs.ha.namenodes.oushu</name>
  <value>nn1,nn2</value>
</property>
<property>
  <name>dfs.namenode.rpc-address.oushu.nn1</name>
  <value>hdfs2:9000</value>
</property>
<property>
  <name>dfs.namenode.http-address.oushu.nn1</name>
  <value>hdfs2:50070</value>
</property>
<property>
  <name>dfs.namenode.rpc-address.oushu.nn2</name>
  <value>hdfs1:9000</value>
</property>
<property>
  <name>dfs.namenode.http-address.oushu.nn2</name>
  <value>hdfs1:50070</value>
</property>
<property>
  <name>dfs.namenode.shared.edits.dir</name>
  <value>qjournal://hdfs1:8485;hdfs2:8485;hdfs3:8485/oushu</value>
</property>
<property>
  <name>dfs.ha.automatic-failover.enabled.oushu</name>
  <value>true</value>
</property>
<property>
  <name>dfs.ha.fencing.methods</name>
  <value>shell(/bin/true)</value>
</property>
<property>
  <name>dfs.client.failover.proxy.provider.oushu</name>
  <value>org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider</value>
</property>
<property>
  <name>dfs.journalnode.edits.dir</name>
  <value>/data1/hdfs/journaldata</value>
</property>
```

`dfs.ha.fencing.methods` is set to `shell(/bin/true)`, which always reports success and fences nothing. With the quorum journal manager the JournalNodes still reject writes from a NameNode whose epoch is stale, so two writers cannot corrupt the edits log, but a partitioned former-active NameNode can keep answering reads with stale data until it notices. Production clusters usually list `sshfence` first and keep `shell(/bin/true)` only as the fallback.

For hadoop-env.sh, adjust the settings to your environment, for example:

```sh
vim /usr/local/oushu/conf/common/hadoop-env.sh
```

```sh
export JAVA_HOME="/usr/java/default"
export HADOOP_NAMENODE_OPTS="-Xmx6144m -XX:+UseCMSInitiatingOccupancyOnly \
-XX:CMSInitiatingOccupancyFraction=70"
export HADOOP_DATANODE_OPTS="-Xmx2048m -Xss256k"
```

Synchronize the configuration files under conf to all nodes:

```sh
lava scp -r -f ${HOME}/hdfshost /usr/local/oushu/conf/common/* =:/usr/local/oushu/conf/common/
```

### KDC configuration (optional)

If Kerberos is enabled, apply the configuration below.

#### Modify the HDFS configuration

```sh
vim /usr/local/oushu/conf/common/core-site.xml
```

```xml
<property>
  <name>hadoop.security.authentication</name>
  <value>kerberos</value>
</property>
<property>
  <name>hadoop.security.authorization</name>
  <value>true</value>
</property>
<property>
  <name>hadoop.rpc.protection</name>
  <value>authentication</value>
</property>
```

`authentication` only authenticates RPC calls; set `hadoop.rpc.protection` to `privacy` if the RPC traffic itself must be encrypted.

```sh
vim /usr/local/oushu/conf/common/hdfs-site.xml
```

```xml
<property>
  <name>dfs.namenode.keytab.file</name>
  <value>/etc/security/keytabs/hdfs.keytab</value>
</property>
<property>
  <name>dfs.namenode.kerberos.principal</name>
  <value>namenode/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.secondary.namenode.keytab.file</name>
  <value>/etc/security/keytabs/hdfs.keytab</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.principal</name>
  <value>namenode/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.principal</name>
  <value>journalnode/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.journalnode.keytab.file</name>
  <value>/etc/security/keytabs/hdfs.keytab</value>
</property>
<property>
  <name>dfs.journalnode.kerberos.internal.spnego.principal</name>
  <value>HTTP/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.principal</name>
  <value>HTTP/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.web.authentication.kerberos.keytab</name>
  <value>/etc/security/keytabs/hdfs.keytab</value>
</property>
<property>
  <name>dfs.webhdfs.enabled</name>
  <value>true</value>
</property>
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>dfs.datanode.keytab.file</name>
  <value>/etc/security/keytabs/hdfs.keytab</value>
</property>
<property>
  <name>dfs.datanode.kerberos.principal</name>
  <value>datanode/_HOST@OUSHU.COM</value>
</property>
<property>
  <name>dfs.data.transfer.protection</name>
  <value>authentication</value>
</property>
<property>
  <name>dfs.block.access.token.enable</name>
  <value>true</value>
</property>
```

Setting `dfs.data.transfer.protection` together with `dfs.http.policy` `HTTPS_ONLY` lets the DataNodes authenticate block transfers with SASL instead of binding privileged ports under jsvc; this is why the TLS setup below is required. As with RPC, `authentication` does not encrypt the block data; `privacy` does.

#### DataNode SSL configuration

The DataNode SSL setup uses a CA certificate to sign one certificate per node.

- Run the following in `${HOME}` on the first machine, hdfs1. Replace `{password}` with a strong password and keep it: it is needed whenever the CA key signs a node certificate.

```sh
openssl req -new -x509 -passout pass:{password} -keyout bd_ca_key -out bd_ca_cert -days 9999 -subj "/C=CN/ST=beijing/L=beijing/O=m1_hostname/OU=m1_hostname/CN=m1_hostname"
```

- This produces two files, bd_ca_key and bd_ca_cert.

**The script below performs the remaining SSL steps; running it completes the SSL setup described here.**

```sh
touch ${HOME}/sslca.sh
```

The passwords used during certificate generation must be strong; below, `{password}` marks each value to replace.

Edit the script:

```sh
#!/bin/bash
for node in $(cat ${HOME}/hdfshost); do
    lava ssh -h ${node} "mkdir -p \
/var/lib/hadoop-hdfs/"
    # distribute the CA key and certificate to the node
    lava scp -r -h ${node} ${HOME}/bd_ca_cert =:${HOME}
    lava scp -r -h ${node} ${HOME}/bd_ca_key =:${HOME}
    # the six certificate steps
    # 1. node key pair in a new keystore, CN = node hostname
    lava ssh -h ${node} "keytool -keystore keystore -alias localhost -validity 9999 -keypass {password} -storepass {password} -genkey -keyalg RSA -keysize 2048 -dname 'CN=${node}, OU=${node}, O=${node}, L=beijing, ST=beijing, C=CN'"
    # 2. truststore containing the CA certificate
    lava ssh -h ${node} "keytool -keystore truststore -alias CARoot -storepass {password} -noprompt -import -file bd_ca_cert"
    # 3. certificate signing request for the node key
    lava ssh -h ${node} "keytool -storepass {password} -certreq -alias localhost -keystore keystore -file cert"
    # 4. sign the request with the CA key
    lava ssh -h ${node} "openssl x509 -req -CA bd_ca_cert -CAkey bd_ca_key -in cert -out cert_signed -days 9999 -CAcreateserial -passin pass:{password}"
    # 5. import the CA certificate into the keystore
    lava ssh -h ${node} "keytool -storepass {password} -noprompt -keystore keystore -alias CARoot -import -file bd_ca_cert"
    # 6. import the signed node certificate into the keystore
    lava ssh -h ${node} "keytool -storepass {password} -keystore keystore -alias localhost -import -file cert_signed"
    # copy the stores to the HDFS directory
    lava ssh -h ${node} "cp ${HOME}/keystore /var/lib/hadoop-hdfs/"
    lava ssh -h ${node} "cp ${HOME}/truststore /var/lib/hadoop-hdfs/"
done
```

Two points to note about this script. The CA private key bd_ca_key is copied to every node so that each node can sign its own request, which means any node can mint certificates the whole cluster trusts; for production, generate the requests on the nodes but sign them on hdfs1 and copy back only cert_signed. The keystore and truststore are copied as root: make sure they end up owned by hdfs:hadoop and not world-readable, since the keystore password also sits in clear text in ssl-server.xml.

Run the script to generate the certificates:

```sh
chmod 755 ${HOME}/sslca.sh
${HOME}/sslca.sh
```

Add the SSL configuration.

- The stores were placed under /var/lib/hadoop-hdfs/, so ssl-client.xml and ssl-server.xml point there as well.

Under /usr/local/oushu/conf/common/:

**ssl-client.xml**

```xml
<property>
  <name>ssl.client.truststore.location</name>
  <value>/var/lib/hadoop-hdfs/truststore</value>
</property>
<property>
  <name>ssl.client.truststore.password</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.client.truststore.type</name>
  <value>jks</value>
</property>
<property>
  <name>ssl.client.truststore.reload.interval</name>
  <value>10000</value>
</property>
<property>
  <name>ssl.client.keystore.location</name>
  <value>/var/lib/hadoop-hdfs/keystore</value>
</property>
<property>
  <name>ssl.client.keystore.password</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.client.keystore.keypassword</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.client.keystore.type</name>
  <value>jks</value>
</property>
```

**ssl-server.xml**

```xml
<property>
  <name>ssl.server.truststore.location</name>
  <value>/var/lib/hadoop-hdfs/truststore</value>
</property>
<property>
  <name>ssl.server.truststore.password</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.server.truststore.type</name>
  <value>jks</value>
</property>
<property>
  <name>ssl.server.truststore.reload.interval</name>
  <value>10000</value>
</property>
<property>
  <name>ssl.server.keystore.location</name>
  <value>/var/lib/hadoop-hdfs/keystore</value>
</property>
<property>
  <name>ssl.server.keystore.password</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.server.keystore.keypassword</name>
  <value>{password}</value>
</property>
<property>
  <name>ssl.server.keystore.type</name>
  <value>jks</value>
</property>
<property>
  <name>ssl.server.exclude.cipher.list</name>
  <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_RSA_WITH_RC4_128_MD5</value>
</property>
```

ssl-server.xml contains the keystore passwords in clear text and must be readable by the hdfs user only. The exclude list removes the RC4, DES and export suites; current JDKs disable those already, so the list is a safeguard rather than the primary control.

Synchronize the configuration files to all nodes:

```sh
lava scp -r -f ${HOME}/hdfshost /usr/local/oushu/conf/common/* =:/usr/local/oushu/conf/common/
```

## Start

On hdfs1, initialize the ZKFailoverController state in ZooKeeper (done once, before any ZKFC is started):

```sh
sudo -u hdfs hdfs zkfc -formatZK
```

Start the JournalNodes:

```sh
lava ssh -f ${HOME}/jnhostfile -e 'sudo -u hdfs hdfs --daemon start journalnode'
```

Format and start the NameNode on hdfs1:

```sh
sudo -u hdfs hdfs namenode -format -clusterId ss
sudo -u hdfs hdfs --daemon start namenode
```

On the other NameNode, hdfs2, bootstrap the standby from hdfs1 and start the NameNode:

```sh
lava ssh -h hdfs2 -e 'sudo -u hdfs hdfs namenode -bootstrapStandby'
lava ssh -h hdfs2 -e 'sudo -u hdfs hdfs --daemon start namenode'
```

Start all DataNodes:

```sh
lava ssh -f ${HOME}/dnhostfile -e 'sudo -u hdfs hdfs --daemon start datanode'
```

Start the ZKFC on hdfs2:

```sh
lava ssh -h hdfs2 -e 'sudo -u hdfs hdfs --daemon start zkfc'
```

Start the ZKFC on hdfs1; the two ZKFCs elect one NameNode active and leave the other in standby:

```sh
lava ssh -h hdfs1 -e 'sudo -u hdfs hdfs --daemon start zkfc'
```

## Check status

Check that HDFS is running. If Kerberos authentication is enabled, obtain a ticket first:

```sh
su - hdfs
kinit -kt /etc/security/keytabs/hdfs.keytab hdfs@OUSHU.COM
# normally no error message means success; you can also check the exit code:
echo $?
0   # an exit code of 0 means the ticket was obtained
```

Confirm the HDFS cluster state:

```sh
su - hdfs
hdfs haadmin -getAllServiceState
# one NameNode is reported active and the other standby (which is which depends on the election), e.g.
# * hdfs1 active
# * hdfs2 standby
hdfs dfsadmin -report
# the output should contain:
# * Live datanodes (3):
```

If both checks pass, the cluster is deployed; next, verify basic functionality.

First create a test file:

```sh
echo 'oushu' > /home/hdfs/test.txt
```

Verify with HDFS commands:

```sh
hdfs dfs -put /home/hdfs/test.txt /
# * no error
hdfs dfs -cat /test.txt
# * oushu
hdfs dfs -ls /
# * Found 1 items
# * -rw-r--r--   3 hdfs hdfs          6 2022-11-07 17:16 /test.txt
```

## Common commands

Stop all DataNodes:

```sh
lava ssh -f ${HOME}/dnhostfile -e 'sudo -u hdfs hdfs --daemon stop datanode'
```

Stop all JournalNodes:

```sh
lava ssh -f ${HOME}/jnhostfile -e 'sudo -u hdfs hdfs --daemon stop journalnode'
```

Stop all NameNodes:

```sh
lava ssh -f ${HOME}/nnhostfile -e 'sudo -u hdfs hdfs --daemon stop namenode'
```

## Register with Skylab (optional)

The machines on which HDFS is installed must be added to Skylab through machine management; if you have not done so yet, see [Register machines](../start/install-lava.md).

On hdfs1, edit `server.json` under /usr/local/oushu/lava/conf and replace localhost with the IP of the Skylab server. For installing lava, Skylab's base service, see [lava installation](../start/start-installation.rst).

Then create `~/hdfs.json` with contents like the following:

```json
{
  "data": {
    "name": "HDFSCluster",
    "group_roles": [
      {
        "role": "hdfs.activenamenode",
        "cluster_name": "namenode",
        "group_name": "namenode-id",
        "machines": [
          {
            "id": 1,
            "name": "NameNode1",
            "subnet": "lava",
            "data_ip": "192.168.1.11",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          }
        ]
      },
      {
        "role": "hdfs.standbynamenode",
        "cluster_name": "namenode",
        "group_name": "namenode-id",
        "machines": [
          {
            "id": 2,
            "name": "NameNode2",
            "subnet": "lava",
            "data_ip": "192.168.1.12",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          }
        ]
      },
      {
        "role": "hdfs.journalnode",
        "cluster_name": "journalnode",
        "group_name": "journalnode-id",
        "machines": [
          {
            "id": 1,
            "name": "journalnode1",
            "subnet": "lava",
            "data_ip": "192.168.1.11",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          },
          {
            "id": 2,
            "name": "journalnode2",
            "subnet": "lava",
            "data_ip": "192.168.1.12",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          },
          {
            "id": 3,
            "name": "journalnode3",
            "subnet": "lava",
            "data_ip": "192.168.1.13",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          }
        ]
      },
      {
        "role": "hdfs.datanode",
        "cluster_name": "datanode",
        "group_name": "datanode-id",
        "machines": [
          {
            "id": 1,
            "name": "datanode1",
            "subnet": "lava",
            "data_ip": "192.168.1.11",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          },
          {
            "id": 2,
            "name": "datanode2",
            "subnet": "lava",
            "data_ip": "192.168.1.12",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          },
          {
            "id": 3,
            "name": "datanode3",
            "subnet": "lava",
            "data_ip": "192.168.1.13",
            "manage_ip": "",
            "assist_port": 1622,
            "ssh_port": 22
          }
        ]
      }
    ]
  }
}
```

The machine entries in each `machines` array must be adjusted to your environment. On the machine where lava, the platform's base component, is installed, run:

```
psql lavaadmin -p 4432 -U oushu -c "select m.id,m.name,s.name as subnet,m.private_ip as data_ip,m.public_ip as manage_ip,m.assist_port,m.ssh_port from machine as m,subnet as s where m.subnet_id=s.id;"
```

Take the machine records from the result and add each one to the `machines` array of every role that machine runs. For example, hdfs1 runs the active NameNode, so its record goes into the `machines` array of the `hdfs.activenamenode` role; the `hdfs.activenamenode` and `hdfs.standbynamenode` entries must reference two different machines (hdfs1 and hdfs2 here).

Register the cluster with the lava command:

```
lava login -u oushu -p ******** -T {tenant id}
lava onprem-register service -s HDFS -f ~/hdfs.json
```

If the response is:

```
Add service by self success
```

registration succeeded; if an error is returned, act on the error message.

After logging in to the web UI, the new cluster appears under the corresponding service in the automatic deployment module, and the list shows the live status of the HDFS processes on each machine.

![](./images/skylabui.png)

## Integrating HDFS with Ranger authorization (optional)

### Ranger installation

If Ranger is enabled, install the Ranger HDFS plugin on every HDFS node:

```sh
ssh hdfs1
sudo su root
lava ssh -f ${HOME}/hdfshost -e "yum install -y ranger-hdfs-plugin"
lava ssh -f ${HOME}/hdfshost -e 'mkdir /usr/local/oushu/hdfs/etc'
lava ssh -f ${HOME}/hdfshost -e "ln -s /usr/local/oushu/conf/hdfs/ /usr/local/oushu/hdfs/etc/hadoop"
```

### Ranger configuration

On hdfs1, edit /usr/local/oushu/ranger-hdfs-plugin_2.3.0/install.properties:

```sh
POLICY_MGR_URL=http://ranger1:6080
REPOSITORY_NAME=hdfsdev
COMPONENT_INSTALL_DIR_NAME=/usr/local/oushu/hdfs
```

The plugin downloads its policies from `POLICY_MGR_URL`; over plain HTTP those policies can be read or altered in transit, so point it at an HTTPS endpoint if the Ranger admin service has TLS enabled.

Synchronize the Ranger configuration for HDFS and run the initialization script:

```sh
lava scp -r -f ${HOME}/hdfshost /usr/local/oushu/ranger-hdfs-plugin_2.3.0/install.properties =:/usr/local/oushu/ranger-hdfs-plugin_2.3.0/
lava ssh -f \
    ${HOME}/hdfshost -e '/usr/local/oushu/ranger-hdfs-plugin_2.3.0/enable-hdfs-plugin.sh'
```

When the initialization script finishes with a message of the following form, it succeeded; restart the services as it requests.

```
Ranger Plugin for hive has been enabled. Please restart hive to ensure that changes are effective.
```

Restart HDFS. Stop the daemons, then start the JournalNodes first, because the NameNodes need them for the shared edits log:

```sh
# Restart the HDFS cluster
lava ssh -f ${HOME}/nnhostfile -e 'sudo -E -u hdfs hdfs --daemon stop namenode'
lava ssh -f ${HOME}/dnhostfile -e 'sudo -E -u hdfs hdfs --daemon stop datanode'
lava ssh -f ${HOME}/jnhostfile -e 'sudo -E -u hdfs hdfs --daemon stop journalnode'
lava ssh -f ${HOME}/jnhostfile -e 'sudo -E -u hdfs hdfs --daemon start journalnode'
lava ssh -f ${HOME}/nnhostfile -e 'sudo -E -u hdfs hdfs --daemon start namenode'
lava ssh -f ${HOME}/dnhostfile -e 'sudo -E -u hdfs hdfs --daemon start datanode'
```

### Configure user access policies in the Ranger UI

### Create the `HDFS Service`

- Log in to the Ranger UI at http://ranger1:6080 and click the ➕ sign to add an `HDFS Service`.

![image](./images/hdfs-ranger-step-1.png)

- Enter the service name; it must match `REPOSITORY_NAME` in `install.properties`.

![image](./images/hdfs-ranger-step-2.png)

- Choose a user name and password. Enter the Namenode URL in single-NameNode form, for example `hdfs://hdfs1:9000`; after the service is added, Ranger discovers both the active and the standby NameNode.

![image](./images/hdfs-ranger-3.png)

- Run the connection test to confirm the configuration, then click Add to save.

![image](./images/hdfs-ranger-step-4.png)

![image](./images/hdfs-ranger-step-5.png)

- Return to the home page to see the newly added service.

![image](./images/hdfs-ranger-step-6.png)

### Create an access policy

- Find the service you just created and click its name.

![image](./images/hdfs-policy-1.png)

- Click the 'Add New Policy' button.

![image](./images/hdfs-policy-2.png)

- Define a policy that denies the hdfs user all operations under '/'. Make sure the recursive toggle is on and set the permission type to Deny, then save.

![image](./images/hdfs-policy-3.png)

![image](./images/hdfs-policy-4.png)

- Review the policy you just created.

![image](./images/hdfs-policy-5.png)

### Ranger + Kerberos notes

When HDFS runs with Kerberos, the Ranger service must also be configured for Kerberos, and the HDFS repo definition needs the following additional parameter:

![image](./images/hdfs-ranger-kerberos.png)

Its value is the service name of the configured Kerberos principal; with the naming used for HDFS here, that is namenode.

### Verify the effect

Log in to hdfs1 and access HDFS as the hdfs user:

```sh
sudo su hdfs
hdfs dfs -ls /
```

The following message shows the policy is in effect (a new policy can take about a minute to propagate, so retry if needed):

```
ls: Permission denied: user=hdfs, access=EXECUTE, inode="/"
```

## Install the HDFS client (optional)
To run HDFS commands on machines where HDFS is not deployed, install the HDFS client. The client machines are assumed to be `hdfs4,hdfs5,hdfs6`, and passwordless ssh between the HDFS machines was already set up in the preparation steps.

### Preparation

On hdfs1:

```sh
ssh hdfs1
sudo su root
```

Add the following hostnames to hdfsclienthost:

```
hdfs4
hdfs5
hdfs6
```

### Installation

```sh
lava ssh -f ${HOME}/hdfsclienthost -e 'yum install -y hdfs'
lava ssh -f ${HOME}/hdfsclienthost -e 'chown -R hdfs:hadoop /usr/local/oushu/conf/common/'
lava scp -r -f ${HOME}/hdfsclienthost /usr/local/oushu/conf/common/* =:/usr/local/oushu/conf/common/
```

Note that this copies the whole conf directory, including ssl-client.xml with the truststore password and, if present, any Kerberos settings; the client machines therefore need the same file ownership and permission discipline as the servers.

### Check

```sh
ssh hdfs4
su hdfs
hdfs dfsadmin -report
# the output should contain:
# * Live datanodes (3):
```
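The Kerberos preparation above builds one keytab by hand from a long list of `addprinc`/`ktadd` lines, and a principal that is missing or has an uppercase hostname only shows up when a daemon fails to log in. The following is an added example, not code from the page or from the Oushu tooling: it compares the output of `klist -kt` with the host files, using the page's naming scheme (namenode/, datanode/, journalnode/ and HTTP/ per host plus the bare hdfs principal) and a single realm. The klist output format and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit hdfs.keytab against the
# host files so a missing or mis-cased principal is found before the daemons
# fail to authenticate. Input is saved output of `klist -kt hdfs.keytab`.
# Assumptions: the page's principal naming and a single Kerberos realm.

# klist_principals FILE: principal column of `klist -kt` output, one per line
klist_principals() {
    # data rows look like: "   2 01/01/2023 00:00:00 namenode/hdfs1@OUSHU.COM"
    awk '$NF ~ /@/ { print $NF }' "$1" | sort -u
}

# hosts FILE: hostnames from a host file, lowercased (principals must be lowercase)
hosts() {
    tr 'A-Z' 'a-z' < "$1" | awk 'NF { print $1 }'
}

# expected_principals REALM NNHOSTFILE JNHOSTFILE DNHOSTFILE
expected_principals() {
    realm=$1
    echo "hdfs@$realm"
    for h in $(hosts "$2"); do echo "namenode/$h@$realm";    echo "HTTP/$h@$realm"; done
    for h in $(hosts "$3"); do echo "journalnode/$h@$realm"; echo "HTTP/$h@$realm"; done
    for h in $(hosts "$4"); do echo "datanode/$h@$realm"; done
}

# missing_principals KLIST_FILE REALM NNHOSTFILE JNHOSTFILE DNHOSTFILE
# Prints "MISSING <principal>" for each expected principal absent from the keytab.
# Returns 0 when the keytab is complete, 1 otherwise.
missing_principals() {
    klist_file=$1; shift
    have=$(klist_principals "$klist_file")
    n=0
    for p in $(expected_principals "$@" | sort -u); do
        if ! printf '%s\n' "$have" | grep -qxF "$p"; then
            echo "MISSING $p"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Usage on a node, as root or hdfs:
#   klist -kt /etc/security/keytabs/hdfs.keytab > /tmp/klist.out
#   missing_principals /tmp/klist.out OUSHU.COM ~/nnhostfile ~/jnhostfile ~/dnhostfile
```

Because the hostnames are lowercased before the expected set is built, a `ktadd` for `namenode/HDFS1@OUSHU.COM` is reported as missing, which is exactly the mistake the page warns about.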
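The HA configuration section edits hdfs-site.xml by hand, and the NameNode id list, the per-id rpc/http addresses and the qjournal URI all have to agree with nnhostfile and jnhostfile. As an added example (not part of the page or the Oushu tooling), the script below derives those properties from the host files so they cannot drift apart. NameNode ids are assigned nn1, nn2, ... in the order the hosts appear in nnhostfile, ports default to the page's 9000/50070/8485, and the function names are assumptions; the remaining properties (fencing, edits directory, socket path) stay as the page lists them.

```shell
#!/bin/sh
# Added example (not from the original page): derive the HA-related
# hdfs-site.xml properties from nnhostfile/jnhostfile.
# Assumptions: ids nn1..nnN follow nnhostfile order; default ports 9000/50070/8485.

# prop NAME VALUE: print one Hadoop <property> block
prop() {
    printf '  <property>\n    <name>%s</name>\n    <value>%s</value>\n  </property>\n' "$1" "$2"
}

# gen_ha_props NAMESERVICE NNHOSTFILE JNHOSTFILE [RPC_PORT] [HTTP_PORT] [JN_PORT]
gen_ha_props() {
    ns=$1; nnfile=$2; jnfile=$3
    rpc=${4:-9000}; http=${5:-50070}; jnport=${6:-8485}
    ids=""; qj=""; n=0
    # one logical NameNode id per host; the addresses are emitted as we go
    while read -r host || [ -n "$host" ]; do
        [ -n "$host" ] || continue            # skip blank lines
        n=$((n + 1))
        ids="${ids:+$ids,}nn$n"
        prop "dfs.namenode.rpc-address.$ns.nn$n"  "$host:$rpc"
        prop "dfs.namenode.http-address.$ns.nn$n" "$host:$http"
    done < "$nnfile"
    # JournalNodes are joined with ';' into the qjournal URI
    while read -r host || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        qj="${qj:+$qj;}$host:$jnport"
    done < "$jnfile"
    # automatic failover expects exactly two NameNodes
    [ "$n" -eq 2 ] || echo "warning: $n NameNode(s) in $nnfile, HA expects 2" >&2
    prop "dfs.nameservices" "$ns"
    prop "dfs.ha.namenodes.$ns" "$ids"
    prop "dfs.namenode.shared.edits.dir" "qjournal://$qj/$ns"
    prop "dfs.ha.automatic-failover.enabled.$ns" "true"
    prop "dfs.client.failover.proxy.provider.$ns" \
        "org.apache.hadoop.hdfs.server.namenode.ha.ConfiguredFailoverProxyProvider"
}

# Usage on hdfs1: gen_ha_props oushu ${HOME}/nnhostfile ${HOME}/jnhostfile > ha-props.xml
if [ "$#" -ge 3 ]; then
    gen_ha_props "$@"
fi
```

With the page's files (nnhostfile listing hdfs1 and hdfs2) nn1 maps to hdfs1; the page itself maps nn1 to hdfs2, so either reorder nnhostfile or treat the id assignment as arbitrary, which HDFS does.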
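The DataNode SSL section signs each node's keytool request with the CA key but never checks the result. The following added example (not from the page or the Oushu tooling) reproduces the openssl half of that flow with a throwaway CA, signs a per-node request that carries the node's hostname, and then performs the two checks a practitioner wants before importing cert_signed into the keystore: the certificate chains to the CA, and it is valid for the node's hostname. Hostnames, file names and the `-nodes` (unencrypted key) choice are assumptions for the demo; the page's real CA key is passphrase-protected and should stay on hdfs1.

```shell
#!/bin/sh
# Added example (not from the original page): CA-signed per-node certificate
# with chain and hostname verification. Keys are unencrypted (-nodes) only to
# keep the demo non-interactive; protect real CA keys.

# make_signed_cert DIR HOST: CA + node key/CSR + signed node certificate in DIR
make_signed_cert() {
    dir=$1; host=$2
    # 1. self-signed CA (the page's bd_ca_key/bd_ca_cert)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=hdfs-demo-ca" 2>/dev/null
    # 2. per-node key and CSR; CN is the node's hostname, as in the keytool -dname
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
    # 3. sign the CSR with the CA, adding a SAN so clients that ignore CN still match
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/$host.crt" 2>/dev/null
}

# cert_chain_ok CA_CERT CERT: 0 if CERT chains to CA_CERT
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_host CERT HOST: 0 if CERT is valid for HOST (SAN, falling back to CN)
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Usage on hdfs1, before a node's cert_signed is imported into its keystore:
#   d=$(mktemp -d); make_signed_cert "$d" hdfs1
#   cert_chain_ok "$d/ca.crt" "$d/hdfs1.crt" && cert_matches_host "$d/hdfs1.crt" hdfs1 && echo OK
```

Applied to the page's script, `cert_chain_ok bd_ca_cert cert_signed` and `cert_matches_host cert_signed ${node}` between step 4 and step 5 catch a request that was signed by the wrong CA or generated with a `-dname` that does not match the node before the bad certificate reaches /var/lib/hadoop-hdfs/.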
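The status check section asks the operator to read `hdfs haadmin -getAllServiceState` and `hdfs dfsadmin -report` by eye. As an added example (not from the page or the Oushu tooling), the script below parses saved output of both commands and turns the checks into a pass/fail result: exactly one active NameNode, at least one standby, the expected number of live DataNodes and no dead ones. The output formats assumed are one `host:port  state` line per NameNode and the `Live datanodes (N):` / `Dead datanodes (N):` summary lines of the report; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): pass/fail health check from
# saved `hdfs haadmin -getAllServiceState` and `hdfs dfsadmin -report` output.

# ha_states FILE: print "host state" for each NameNode line ("hdfs1:9000   active")
ha_states() {
    awk 'NF == 2 && $1 ~ /:/ { split($1, a, ":"); print a[1], $2 }' "$1"
}

# count_state FILE STATE: number of NameNodes reported in STATE
count_state() {
    ha_states "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# ha_healthy FILE: 0 iff exactly one active NameNode and at least one standby;
# two actives (split brain) and zero actives (service down) both fail
ha_healthy() {
    [ "$(count_state "$1" active)" -eq 1 ] && [ "$(count_state "$1" standby)" -ge 1 ]
}

# live_datanodes / dead_datanodes FILE: counts from the dfsadmin report summary lines
live_datanodes() { sed -n 's/^Live datanodes (\([0-9][0-9]*\)):.*/\1/p' "$1"; }
dead_datanodes() { sed -n 's/^Dead datanodes (\([0-9][0-9]*\)):.*/\1/p' "$1"; }

# cluster_ok HA_FILE REPORT_FILE EXPECTED_DN: 0 iff HA is healthy, all expected
# DataNodes are live and none are dead
cluster_ok() {
    ha_healthy "$1" \
        && [ "$(live_datanodes "$2")" -eq "$3" ] \
        && [ "$(dead_datanodes "$2")" -eq 0 ]
}

# Usage as hdfs (after kinit when Kerberos is enabled):
#   hdfs haadmin -getAllServiceState > /tmp/ha.out
#   hdfs dfsadmin -report > /tmp/report.out
#   cluster_ok /tmp/ha.out /tmp/report.out "$(wc -l < ~/dnhostfile)" && echo OK
```

Running `cluster_ok` after every restart (including the Ranger plugin restart later on) gives a single exit code that can gate the next step instead of relying on the operator to notice a second `active` line.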