如何使用HAProxy实现HiveServer2服务的LDAP和Kerberos认证负载均衡
如何使用HAProxy实现HiveServer2服务的LDAP和Kerberos认证负载均衡
温馨提示:要看高清无码套图,请使用手机打开并单击图片放大查看。
Fayson的github:https://github.com/fayson/cdhproject
提示:代码块部分可以左右滑动查看噢
1.文档编写目的
在CDH集群中启用了Kerberos并集成了OPenLDAP,在前面的文章中Fayson也介绍了在CDH集群中启用Kerberos与集成OPenLDAP,集群中HiveServer2服务需要同时支持Kerberos和OPenLDAP认证的负载均衡,本篇文章主要介绍如何使用HAProxy实现HiveServer2服务的两种认证方式的负载均衡。
- 内容概述
1.测试环境描述
2.HAproxy配置
3.HiveServer2集成OPenLDAP
4.验证HiveServer2负载均衡
5.Hue配置HAProxy及验证
6.总结
- 测试环境
1.RedHat7.3
2.OpenLDAP版本2.4.44
- 前置条件
1.OpenLDAP已安装且正常使用
2.测试环境描述
在Fayson的测试环境安装3个HiveServer2的服务:
IP地址 | HOSTNAME | 描述 |
|---|---|---|
172.31.30.69 | ip-172-31-30-69.ap-southeast-1.compute.internal | OPenLDAP认证 |
172.31.16.68 | ip-172-31-16-68.ap-southeast-1.compute.internal | OPenLDAP认证 |
172.31.21.83 | ip-172-31-21-83.ap-southeast-1.compute.internal | OPenLDAP认证 |
- OpenLDAP服务信息
IP地址 | HOSTNAME | 描述 |
|---|---|---|
172.31.24.169 | ip-172-31-24-169.ap-southeast-1.compute.internal | OpenLDAP已安装 |
172.31.16.68 | ip-172-31-16-68.ap-southeast-1.compute.internal | OpenLDAP已安装 |
这里我们将172.31.24.169做为OpenLDAP的主节点,172.31.16.68做为OpenLDAP的备节点,具体RedHat7下OpenLDAP的HA实现可以参考《3.如何RedHat7上实现OpenLDAP的主主同步》
3.HAProxy配置
1.修改/etc/haproxy/haproxy.cfg文件,内容如下:
[root@ip-172-31-24-169 ~]# more /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
# option http-server-close
# option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
listen stats
bind 0.0.0.0:1080
mode http
option httplog
maxconn 5000
stats refresh 30s
stats uri /stats
listen hivejdbc-ldap
bind 0.0.0.0:10099
mode tcp
option tcplog
balance source
server ip-172-31-21-83.ap-southeast-1.compute.internal ip-172-31-21-83.ap-southeast-1.compute.internal:10000 check
server ip-172-31-16-68.ap-southeast-1.compute.internal ip-172-31-16-68.ap-southeast-1.compute.internal:10000 check
server ip-172-31-30-69.ap-southeast-1.compute.internal ip-172-31-30-69.ap-southeast-1.compute.internal:10000 check(可左右滑动)
2.保存配置文件并重启haproxy服务
[root@ip-172-31-24-169 ~]# systemctl restart haproxy
[root@ip-172-31-24-169 ~]# systemctl status haproxy (可左右滑动)
3.在浏览器访问如下地址查看是否配置成功
http://ip-172-31-24-169.ap-southeast-1.compute.internal:1080/stats(可左右滑动)
到此完成了HiveServer2服务的负载均衡。
4.配置HiveServer2集成OpenLDAP及Load Balancer
1.使用管理员账号登录CM配置HiveServer2集成OPenLDAP
从CDH5.8.3开始,HS2就又可以使用Kerberos又可以使用LDAP登录了,所以这里只需要配置全局的OpenLDAP配置即可
2.在第三步已经配置了HiveServer2的HAProxy,这里需要配置HiveServer2的Load Balancer
配置HiveServer2的Load Balancer地址为HAProxy的地址及端口。
配置完成LDAP及Load Balancer信息后,保存配置回到CM主页根据提示重启相应服务。
5.使用两种认证方式验证HiveServer2负载均衡
1.通过Beeline使用LDAP认证方式连接HiveServer2
[root@ip-172-31-16-68 ~]# beeline
beeline> !connect jdbc:hive2://ip-172-31-24-169.ap-southeast-1.compute.internal:10099
Enter username for jdbc:hive2://ip-172-31-24-169.ap-southeast-1.compute.internal:10099: testsentry
Enter password for jdbc:hive2://ip-172-31-24-169.ap-southeast-1.compute.internal:10099: ******
0: jdbc:hive2://ip-172-31-24-169.ap-southeast> select count(*) from tpcds_text_2.customer;(可左右滑动)
SQL执行成功
HAproxy负载显示,可以看到连接到的是ip-172-31-30-69.ap-southeast-1.compute.internal节点
2.通过beeline使用Kerberos方式登录HiveServer2负载均衡
[root@ip-172-31-24-169 ~]# kinit testsentry
Password for testsentry@FAYSON.COM:
[root@ip-172-31-24-169 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testsentry@FAYSON.COM
Valid starting Expires Service principal
04/13/2018 02:55:56 04/14/2018 02:55:56 krbtgt/FAYSON.COM@FAYSON.COM
renew until 04/20/2018 02:55:56
[root@ip-172-31-24-169 ~]# (可左右滑动)
[root@ip-172-31-16-68 ~]# beeline
beeline> !connect jdbc:hive2://ip-172-31-24-169.ap-southeast-1.compute.internal:10099/;principal=hive/ip-172-31-24-169.ap-southeast-1.compute.internal@FAYSON.COM
0: jdbc:hive2://ip-172-31-24-169.ap-southeast> select count(*) from tpcds_text_2.customer;(可左右滑动)
SQL执行成功
HAproxy负载显示,可以看到Kerberos认证方式连接的HiveServer2服务为ip-172-31-21-83.ap-southeast-1.compute.internal
6.配置Hue使用HAProxy配置及测试
1.登录CM服务,进入Hue服务搜索“hue_safety_valve.ini”
[beeswax]
hive_server_host=ip-172-31-24-169.ap-southeast-1.compute.internal
hive_server_port=10099(可左右滑动)
保存配置,回到CM主页重启相应服务。
2.使用testsentry账号登录Hue
HAProxy负载显示
7.总结
- 从CDH5.8.3开始,HIveServer2就又可以使用Kerberos又可以使用LDAP登录了,所以这里只需要配置全局的OPenLDAP配置即可。
- 在配置HiveServer2服务的负载均衡时相对简单些,不需要像CDH5.8之前版本需要单独的配置HiveServer2支持OPenLDAP。
原创文章,欢迎转载,转载请注明:转载自微信公众号Hadoop实操