
Hadoop KMS Environment Setup

蓬琦
2023-12-01

Environment:

| Software | Version |
| --- | --- |
| Hadoop | hadoop-3.3.4 |

Hadoop HDFS Environment Setup

  1. Prepare the Java environment:

    wget https://repo.huaweicloud.com/java/jdk/8u202-b08/jdk-8u202-linux-x64.tar.gz
    tar -xzvf jdk-8u202-linux-x64.tar.gz
    

    Configure the Java environment: vim /etc/profile

    export JAVA_HOME=/root/jdk1.8.0_202
    export JRE_HOME=${JAVA_HOME}/jre
    export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib:$CLASSPATH
    export JAVA_PATH=${JAVA_HOME}/bin:${JRE_HOME}/bin
    export PATH=$PATH:${JAVA_PATH}
    
    
  2. Download Hadoop 3.3.4

    wget https://mirrors.tuna.tsinghua.edu.cn/apache/hadoop/common/hadoop-3.3.4/hadoop-3.3.4.tar.gz
    tar -xzvf hadoop-3.3.4.tar.gz
    
  3. Configure the Hadoop environment

    export HADOOP_HOME=/root/hadoop-3.3.4
    export HADOOP_CONF_DIR=$HADOOP_HOME/etc/hadoop
    export HADOOP_HDFS_HOME=$HADOOP_HOME
    export PATH=$PATH:$HADOOP_HOME/sbin:$HADOOP_HOME/bin
    
  4. Passwordless SSH login to localhost

      ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
      cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
      chmod 0600 ~/.ssh/authorized_keys
      ssh localhost
    

    Running ssh localhost brings up a security prompt; answer yes.

    In a Docker environment, the sshd service has to be started manually.

     /usr/sbin/sshd
    
  5. core-site.xml configuration

    [root@17a5da45700b hadoop]# cat etc/hadoop/core-site.xml
    <configuration>
      <property>
        <name>fs.defaultFS</name>
        <value>hdfs://localhost:9000</value>
      </property>
      <property>
        <name>hadoop.proxyuser.root.hosts</name>
        <value>*</value>
      </property>
      <property>
        <name>hadoop.proxyuser.root.groups</name>
        <value>*</value>
      </property>
      <property>
        <name>hadoop.security.key.provider.path</name>
        <value>kms://http@localhost:9600/kms</value>
        <description>
          The KeyProvider to use when interacting with encryption keys used
          when reading and writing to an encryption zone.
        </description>
      </property>
      <property>
        <name>hadoop.proxyuser.kms.groups</name>
        <value>*</value>
      </property>
    </configuration>
    
    
  6. hdfs-site.xml configuration

    [root@VM-0-62-centos hadoop-3.3.4]# cat etc/hadoop/hdfs-site.xml 
    <?xml version="1.0" encoding="UTF-8"?>
    <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
    <!--
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at
    
        http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License. See accompanying LICENSE file.
    -->
    
    <!-- Put site-specific property overrides in this file. -->
    
    <configuration>
      <property>
        <name>dfs.replication</name>
        <value>1</value>
      </property>

      <property>
        <name>hadoop.security.key.provider.path</name>
        <value>kms://http@localhost:9600/kms</value>
        <description>
          The KeyProvider to use when interacting with encryption keys used
          when reading and writing to an encryption zone.
        </description>
      </property>
    </configuration>
    
  7. hadoop-env.sh configuration: add the following settings to hadoop-env.sh.

    export JAVA_HOME=/root/jdk1.8.0_202
    export HDFS_NAMENODE_USER=root
    export HDFS_DATANODE_USER=root
    export HDFS_SECONDARYNAMENODE_USER=root
    export YARN_RESOURCEMANAGER_USER=root
    export YARN_NODEMANAGER_USER=root
    export HADOOP_SHELL_EXECNAME=root
    
  8. Format the HDFS file system

    bin/hdfs namenode -format
    
  9. Start the Hadoop services

     ./start-all.sh
    

    Check the processes

    [root@VM-0-62-centos sbin]# jps
    83586 NameNode
    84005 SecondaryNameNode
    90937 Jps
    84283 ResourceManager
    84442 NodeManager
    83773 DataNode
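
The core-site.xml in step 5 lets root impersonate any user from any host (`*` for both proxyuser scopes) and points clients at the KMS over plain HTTP (`kms://http@`). The following check is an added example, not part of the original article; it flags those settings before a configuration like this is reused outside a single-node test box. The function names, finding texts and host names in the usage are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the properties from the core-site.xml shown in step 5.
CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://localhost:9000</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.groups</name><value>*</value></property>
  <property><name>hadoop.security.key.provider.path</name>
            <value>kms://http@localhost:9600/kms</value></property>
  <property><name>hadoop.proxyuser.kms.groups</name><value>*</value></property>
</configuration>"""

PROXY_RE = re.compile(r"hadoop\.proxyuser\.(.+)\.(hosts|groups|users)")


def load_props(xml_text):
    """Return {name: value} for each <property> of a Hadoop *-site.xml."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}


def audit_core_site(props):
    """Return sorted (property, finding) pairs for the settings to review."""
    findings, scopes = [], {}
    for name, value in props.items():
        m = PROXY_RE.fullmatch(name)
        if m:
            scopes.setdefault(m.group(1), set()).add(m.group(2))
            if value == "*":
                findings.append((name, "wildcard impersonation scope"))
        elif name == "hadoop.security.key.provider.path":
            # kms://<transport>@host:port/path: 'http' means no TLS to the KMS.
            if value.startswith("kms://http@"):
                findings.append((name, "KMS reached over plaintext HTTP"))
    for user, seen in scopes.items():
        if "hosts" not in seen:
            findings.append((f"hadoop.proxyuser.{user}.hosts",
                             "no hosts entry for this proxyuser"))
    return sorted(findings)


if __name__ == "__main__":
    for prop, finding in audit_core_site(load_props(CORE_SITE)):
        print(f"{prop}: {finding}")
```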
    

KMS Configuration and Startup

  1. Generate the keystore file with keytool:

    keytool -genkey  -alias 'key1';
    

    Run the command above; the password is 123456, leave all other fields empty, and enter yes at the yes/no prompt.

    [root@57f4b0d7c137 common]# keytool -genkey  -alias 'key1';
    Enter keystore password:  123456
    What is your first and last name?
      [Unknown]:  
    What is the name of your organizational unit?
      [Unknown]:  
    What is the name of your organization?
      [Unknown]:  
    What is the name of your City or Locality?
      [Unknown]:  
    What is the name of your State or Province?
      [Unknown]:  
    What is the two-letter country code for this unit?
      [Unknown]:  
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    
    Enter key password for <key2>
    	(RETURN if same as keystore password):  123456
    Re-enter new password:123456
    

    Alternatively, use the following command:

    keytool -genkey -alias 'kmskey' -keystore /root/kms.keystore -dname "CN=localhost, OU=localhost, O=localhost, L=SH, ST=SH, C=CN" -keypass 123456 -storepass 123456 -validity 180
    
  2. Create the file kms.keystore.password under etc/hadoop/ and write the password 123456 into it

    [root@VM-0-62-centos hadoop-3.3.4]# cat etc/hadoop/kms.keystore.password 
    123456
    
  3. kms-site.xml configuration

    cat etc/hadoop/kms-site.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!--
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at
    
      http://www.apache.org/licenses/LICENSE-2.0
    
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
    -->
    
    <!-- Put site-specific property overrides in this file. -->
    
    <configuration>
      <property>
        <name>hadoop.kms.key.provider.uri</name>
        <!-- keystore file generated by keytool -->
        <value>jceks://file@/root/kms.keystore</value>
      </property>
    
      <property>
        <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
        <!-- name of the etc/hadoop/kms.keystore.password file, which contains the password -->
        <value>kms.keystore.password</value>
      </property>
    </configuration>
    
  4. Start KMS

     hadoop --daemon start kms
    

    Check the KMS process

    [root@VM-0-62-centos hadoop-3.3.4]# ps axu|grep kms
    root       87089  0.3  3.4 3698484 270792 pts/1  Sl   17:52   0:07 /root/jdk1.8.0_202/bin/java -Dproc_kms -Djava.net.preferIPv4Stack=true -Dkms.config.dir=/root/hadoop-3.3.4/etc/hadoop -Dkms.log.dir=/root/hadoop-3.3.4/logs -Dyarn.log.dir=/root/hadoop-3.3.4/logs -Dyarn.log.file=hadoop-root-kms-VM-0-62-centos.log -Dyarn.home.dir=/root/hadoop-3.3.4 -Dyarn.root.logger=INFO,console -Djava.library.path=/root/hadoop-3.3.4/lib/native -Dhadoop.log.dir=/root/hadoop-3.3.4/logs -Dhadoop.log.file=hadoop-root-kms-VM-0-62-centos.log -Dhadoop.home.dir=/root/hadoop-3.3.4 -Dhadoop.id.str=root -Dhadoop.root.logger=INFO,RFA -Dhadoop.policy.file=hadoop-policy.xml -Dhadoop.security.logger=INFO,NullAppender org.apache.hadoop.crypto.key.kms.server.KMSWebServer
    root       93056  0.0  0.0   9208  1100 pts/2    S+   18:30   0:00 grep --color=auto kms
    
  5. Using KMS

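    # Create the key
    hadoop key create key1
    # List the keys with their metadata
    hadoop key list -metadata
    # Create the directory
    hadoop fs -mkdir /sub
    # Encrypt the /sub directory with key1
    hdfs crypto -createZone -keyName key1 -path /sub
    # Write data into the encryption zone /sub
    hdfs dfs -copyFromLocal  NOTICE.txt /sub
    # Read data from the encryption zone /sub
    hdfs dfs -copyToLocal  /sub NOTICE.txt.1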
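
Every encryption-zone key sits in the keystore from step 1, and the password that unlocks it sits in clear text in the file from step 2, so the permissions on those two files decide who can read the keys. The following check is an added example, not part of the original article; it derives both paths from kms-site.xml and reports any file that is missing or accessible beyond its owner. The function names are assumptions, and the password file is resolved inside the configuration directory as the page lays it out.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the two properties from the kms-site.xml shown in step 3.
KMS_SITE = """<configuration>
  <property><name>hadoop.kms.key.provider.uri</name>
            <value>jceks://file@/root/kms.keystore</value></property>
  <property>
    <name>hadoop.security.keystore.java-keystore-provider.password-file</name>
    <value>kms.keystore.password</value></property>
</configuration>"""

URI_KEY = "hadoop.kms.key.provider.uri"
PW_KEY = "hadoop.security.keystore.java-keystore-provider.password-file"


def secret_files(kms_site_xml, conf_dir):
    """Map each secret's role to its local path."""
    props = {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
             for p in ET.fromstring(kms_site_xml).iter("property")}
    files = {}
    uri = props.get(URI_KEY, "")
    if uri.startswith("jceks://file@"):
        files["keystore"] = uri[len("jceks://file@"):]
    if PW_KEY in props:
        # Assumption: the password file name is resolved inside conf_dir.
        files["password-file"] = os.path.join(conf_dir, props[PW_KEY])
    return files


def check_files(files):
    """Return sorted (role, problem) for files missing or open beyond the owner."""
    problems = []
    for role, path in files.items():
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as err:
            problems.append((role, type(err).__name__))
            continue
        if mode & 0o077:  # any group/other permission bit is set
            problems.append((role, oct(mode)))
    return sorted(problems)


if __name__ == "__main__":
    print(check_files(secret_files(KMS_SITE, "/root/hadoop-3.3.4/etc/hadoop")))
```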
    
