[2A5]하둡 보안 어떻게 해야 할까

정재화�� 책임��

Gruter�� Inc��

하둡�� 보안�� 어떻게�� 해야�� 할까?��

About�� me�� • �� Bigdata�� Platform,�� Gruter�� Inc�� (http://www.gruter.com)��

• �� Apache�� Tajo�� Committer�� • �� [email protected]�� • �� http://blrunner.com�� • �� 저서:�� 시작하세요!하둡�� 프로그래밍��

1.�� Hadoop�� Overview�� 2.�� Hadoop�� Security�� Concept�� 3.�� Kerberos�� 4.�� Hadoop�� Security�� Design�� 5.�� HOW�� TO��

AGENDA��

1.�� Hadoop�� Overview��

1.1�� 하둡이란?��

MapReduce�� (Distributed�� computation)��

HDFS�� (Distributed�� storage)��

출처:�� http://www.quuxlabs.com/wp-content/uploads/2010/08/Yahoo-hadoop-cluster_OSCON_2007.jpg��

1.1�� 하둡이란?��

OLTP,�� ERP,�� CRM��

Document,�� E-mail��

Web�� Log,Click�� Stream��

Social�� Networks��

Sensor�� Data��

Geo-location�� Data��

Identity��

클라이언트�� 어플리케이션을�� 실행하는�� OS�� 계정��

��

1.2�� 기존�� 방식의�� 문제점��

[hadoop@grute`r01~]$�� whoami�� hadoop�� [hadoop@gruter01~]$�� id�� uid=508(hadoop)�� gid=508(hadoop)�� groups=508(hadoop)��

Authorization��

MR�� ACL,�� HDFS�� Permission��

Simple�� Mode��

No�� Authentication�� (core-site.xml)��

��

1.2�� 기존�� 방식의�� 문제점��

<property>�� <name>hadoop.security.authentication</name>�� <value>simple</value>�� <description>Possible�� values�� are�� simple�� (no�� authentication),�� and�� kerberos�� </description>�� </property>��

1.2�� 기존�� 방식의�� 문제점��

[hadoop@localhost�� hadoop-2.4.0]$�� ./bin/hdfs�� dfs�� -copyToLocal�� /user/hadoop/crm/user�� /backup/crm/user�� [hadoop@localhost�� hadoop-2.4.0]$�� ./bin/hdfs�� dfs�� -rm�� -r�� /user/hadoop�� [mapreduce@localhost�� hadoop-2.4.0]$�� ./bin/hadoop�� jar�� Xyz.jar�� mypackage.Attack��

• �� Examples��

2.�� Hadoop�� Security�� Concept��

Security�� in�� Apache�� Hadoop�� is�� defined�� by�� four�� key�� pillars:�� authentication,�� authorization,�� accountability,�� and�� data�� protection.�� -�� 2014�� HadoopSummit:�� Vinay�� Shukla�� -��

2.1�� Hadoop�� Security�� Definition��

2.2�� Hadoop�� Security�� Layer��

• Simple�� • Kerberos�� Authentication��

• MR�� ACL�� • HDF�� Permission,�� ACLs�� • HBase�� ACL��

Authorization��

• All�� service�� Auditing��

• Hadoop2�� wire�� encryption�� • 3rd�� party�� Encryption��

3.�� Kerberos��

-�� 컴퓨터�� 네트워크�� 내에서�� 서비스�� 요구를�� 인증하기�� 위한�� 안전한��

방법으로,�� 미국�� MIT의�� Athena�� 프로젝트에서�� 개발��

- 사용자가�� 인증과정으로부터�� 암호화된�� '티켓'을�� 요청�� 할�� 수�� 있게�� 해주는데,�� 이�� 티켓은�� 서버에�� 특정�� 서비스를�� 요구하는데�� 사용될�� 수

�� 있고,�� 사용자의�� 암호는�� 네트워크를�� 통할�� 필요가�� 없음��

- �� LDAP,�� 윈도우�� AD(Active�� Directory)와�� 같은�� 표준�� 엔터프라이

즈�� 디렉터리�� 서비스와�� 통합�� 가능��

3.1�� 커버로스란?��

3.2�� 커버로스�� 구성요소��

구성요소�� 내용��

KDC (Key Distribution Center)��

키 분배 서버, TGS와 AS 구성 모든 사용자와 서비스들의 암호화키를 보유 ��

AS (Authentication Service)�� 사용자에 대한 인증을 수행��

TGS (Ticket Granting Service)�� 티켓을 부여하고, 티켓을 분배��

티켓(Ticket)�� 사용자에 대한 신원과 인증을 확인하는 토큰 사용자가 서비스와 통신할 때, 패스워드를 입력하지 않게 함��

영역(Realm)�� 커버로스 시스템에 속해 있는 클라이언트와 서버들의 범위��

3.3�� 커버로스�� 아키텍처�� KDC��

AS��

TGS��

서버��

1.인증요청��

클라이언트��

2.티켓�� 승인�� 티켓(TGT)��

3.�� 티켓�� 승인�� 티켓��

4.�� 서비스�� 티켓�� (TGS)��

5.�� 서비스�� 티켓��

6.�� 접속�� 허락��

Principal��

- �� 티켓을�� 할당하기�� 위한�� 유니크한�� 식별자��

- �� 표현�� 형식�� - �� primary/instance@REALM��

- �� primary:�� 사용자�� 혹은�� 호스트�� - �� instance:�� primary를�� 서술,�� REALM:�� 커버로스�� 영역�� - �� ex)�� tajo/[email protected]��

KeyTabs��

- �� KDC에서�� 부여받은�� 암호화된�� 키와�� Princial로�� 구성�� - �� KeyTabs의�� 키는�� 티켓을�� 복호화할�� 때�� 사용함��

3.3�� 커버로스�� 아키텍처��

4.�� Hadoop�� Security�� Design��

4.1�� 사용자�� 서비스�� 인증��


�� 마스터�� 서버��

��

NameNode��

JobTracker��

ResourceManager�� KDC��

인증�� 및��

서비스�� 티켓�� 요청��

커버로스��

서비스�� 티켓��

4.2�� 개별�� 서비스�� 인증��

�� 마스터�� 서버��

��

NameNode��

JobTracker��

ResourceManager��

�� 슬레이브서버��

��

DataNode��

TaskTracker��

NodeManager��

커버로스��

KeyTab��

4.3�� Delegation�� Token��

��

�� 슬레이브�� 서버��

�� 마스터�� 서버��

NameNode�� JobTracker�� ResourceManager��

��

슬레이브�� 서버��

TaskTracker�� NodeManager��

Task�� Task�� Container�� Container��

접속��

요청�� 접속��

요청��

접속��

요청��

클라이언트�� 인증�� 및�� 토큰�� 생성��

4.3�� Delegation�� Token��

-�� NameNode가�� 커버로스�� 인증을�� 한�� 클라이언트에게�� 부여��

- �� 한�� 번의�� 접속으로�� 모든�� 작업을�� 수행��

- �� 클라이언트가�� 맵리듀스잡을�� 실행할�� 경우,�� JobTracker�� 및�� ResourceManager에게�� 공유함��

- �� 하나의�� 맵리듀스잡에�� 포함된�� 모든�� 태스크는�� 동일한�� DT를�� 사용함,�� 해당�� DT로�� NameNode에�� 접근��

- �� JobTracker와�� ResourceManager는�� DT�� 연장�� 가능��

- ��

4.4�� Job�� Token��

�� 마스터�� 서버��

��


TaskTracker��

Task�� Task��

JobTracker�� 토큰�� 공유��

��


TaskTracker��


클라이언트�� MR�� 실행�� 및��

토큰�� 생성��

토큰�� 공유��

토큰�� 인증��

4.4�� Job�� Token��

-�� MR�� Job�� 실행이�� 요청될�� 때,�� JobTraker가�� 생성��

- �� TaskTracker에�� 공유��

- �� Task가�� TaskTracker와�� 통신을�� 할�� 때�� 사용��

4.5�� Block�� Access�� Token��


��


TaskTracker��


DataNode��


토큰�� 인증�� NameNode��

토큰�� 인증��

토큰�� 부여��



4.5�� Block�� Access�� Token��

-�� 인증된�� 클라이언트의�� 블록�� 접근�� 허용��

- �� 인증된�� 클라이언트가�� HDFS의�� 파일을�� 접근할�� 때,�� NameNode

가�� 클라이언트에게�� 부여함��

- �� BAT는�� DataNode에�� 공유됨�� - �� 클라이언트(App,�� Map�� &�� Reduce�� Task)가�� DataNode�� 블록�� 접근시�� 토큰�� 제출��

5.�� HOWTO��

5.1�� Overview��

1.�� 커버로스�� 설치��

2.�� Principal�� 및�� Keytab�� 생성��

3.�� Keytab�� 전체�� 배포��

4.�� 하둡�� 클러스트�� 설정��

5.�� 하둡�� 클러스터�� 실행��

1)�� 커버로스�� 서버�� 설치��

-�� yum�� install�� krb5-server�� krb5-libs�� krb5-workstation�� pam_k

rb5��

5.2�� 커버로스�� 설치��

[logging]�� default�� =�� FILE:/var/log/krb5libs.log�� kdc�� =�� FILE:/var/log/krb5kdc.log�� admin_server�� =�� FILE:/var/log/kadmind.log�� [libdefaults]�� default_realm�� =�� TAJO.ORG�� dns_lookup_realm�� =�� false�� dns_lookup_kdc�� =�� false��

• �� /etc/krb5.conf��

5.2�� 커버로스�� 설치��

ticket_lifetime�� =�� 24h�� renew_lifetime�� =�� 7d�� forwardable�� =�� true�� [realms]�� TAJO.ORG�� =�� {�� kdc�� =�� namenode01�� admin_server�� =�� namenode01�� }�� [domain_realm]�� .tajo.org�� =�� TAJO.ORG�� tajo.org�� =�� TAJO.ORG��

• �� /etc/krb5.conf��

5.2�� 커버로스�� 설치��

[kdcdefaults]�� kdc_ports�� =�� 88�� kdc_tcp_ports�� =�� 88�� [realms]�� TAJO.ORG�� =�� {�� profile�� =�� /etc/krb5.conf�� acl_file�� =�� /var/kerberos/krb5kdc/kadm5.acl�� allow-null-ticket-address�� =�� true�� database_name�� =�� /var/kerberos/krb5kdc/principal�� dict_file�� =�� /usr/share/dict/words�� admin_keytab�� =�� /var/kerberos/krb5kdc/kadm5.keytab��

• �� /var/kerberos/krb5kdc/kdc.conf��

5.2�� 커버로스�� 설치��

key_stash_file�� =�� /var/kerberos/krb5kdc/.k5stash�� kdc_ports�� =�� 88�� kadmind_port�� =�� 749�� max_life�� =�� 2d�� 0h�� 0m�� 0s�� max_renewable_life�� =�� 7d�� 0h�� 0m�� 0s�� supported_enctypes�� =�� aes256-cts:normal�� aes128-cts:normal�� des3-hmac-sha1:normal�� arcfour-hmac:normal�� des-hmac-sha1:normal�� des-cbc-md5:normal�� des-cbc-crc:normal�� }��

• �� /var/kerberos/krb5kdc/kdc.conf��

5.2�� 커버로스�� 설치��

Loading�� random�� data�� Initializing�� database�� '/var/kerberos/krb5kdc/principal'�� for�� realm�� 'TAJO.ORG',�� master�� key�� name�� 'K/[email protected]'�� You�� will�� be�� prompted�� for�� the�� database�� Master�� Password.�� It�� is�� important�� that�� you�� NOT�� FORGET�� this�� password.�� Enter�� KDC�� database�� master�� key:�� Re-enter�� KDC�� database�� master�� key�� to�� verify:��

2)�� 커버로스�� 데이터베이스�� 설치��

-�� kdb5_util�� create�� -r�� TAJO.ORG�� -s��

5.2�� 커버로스�� 설치��

ls�� –al�� /var/kerberos/krb5kdc/�� -rw-------.�� 1�� root�� root�� 69�� 2014-09-27�� 21:17�� .k5stash�� -rw-------.�� 1�� root�� root�� 22�� 2014-03-28�� 03:36�� kadm5.acl�� -rw-r--r--.�� 1�� root�� root�� 727�� 2014-09-27�� 20:29�� kdc.conf�� -rw-------.�� 1�� root�� root�� 8192�� 2014-09-27�� 21:17�� principal�� -rw-------.�� 1�� root�� root�� 8192�� 2014-09-27�� 21:17�� principal.kadm5�� -rw-------.�� 1�� root�� root�� 0�� 2014-09-27�� 21:17�� principal.kadm5.lock�� -rw-------.�� 1�� root�� root�� 0�� 2014-09-27�� 21:18�� principal.ok��

3)�� ACL�� 변경��

5.2�� 커버로스�� 설치��

*/[email protected] �� *��

• �� /var/kerberos/krb5kdc/kadm5.acl��

4)�� 커버로스�� 서버�� 구동��

-�� service�� kadmin�� start��

- �� service�� krb5kdc�� start�� - �� chkconfig�� krb5kdc�� on�� - �� chkconfig�� kadmin�� on��

5)�� SSH�� 설정�� 변경��

-�� authconfig-tui��

5.2�� 커버로스�� 설치��

-�� /usr/sbin/authconfig�� --update�� --enablekrb5�� --krb5kdc=namenode01�� --krb5realm=TAJO.ORG��

- �� /etc/ssh/sshd_config�� 변경��

��

��

-�� service�� sshd�� restart��

5.2�� 커버로스�� 설치��

PasswordAuthentication�� no�� KerberosAuthentication�� yes�� KerberosOrLocalPasswd�� no�� KerberosTicketCleanup�� yes�� GSSAPIAuthentication�� yes�� GSSAPICleanupCredentials�� yes�� GSSAPIKeyExchange�� yes�� UsePAM�� yes��

5.2�� 커버로스�� 설치��

6)�� 방화벽�� 정책�� 추가��

-�� iptables�� -I�� INPUT�� -m�� state�� --state�� NEW�� -m�� tcp�� -p�� tcp�� --dp

ort�� 88�� -j�� ACCEPT��

-�� iptables�� -I�� INPUT�� -m�� state�� --state�� NEW�� -m�� udp�� -p�� udp�� --d

port�� 88�� -j�� ACCEPT��

-�� iptables�� -I�� INPUT�� -m�� state�� --state�� NEW�� -m�� tcp�� -p�� tcp�� --dp

ort�� 749�� -j�� ACCEPT��

- �� service�� iptables�� save�� - ��

5.3�� 커버로스�� 코맨드��

구성요소�� 내용��

kadmin�� 원격의 커버로스 데이터베이스에 접속하여 principal 및 keytab을 관리함. 원격 접속 가능��

kadmin.local�� 로컬 커버로스 데이터베이스에 접속하여 principal 및 keytab을 관리함��

klist�� 로컬 호스트에 캐시되어 있는 티켓 목록 출력��

kinit�� 커버로스�� 로그인�� 수행��

kdestroy�� 로컬�� 티켓�� 캐시�� 삭제��

kpasswd�� 커버로스�� 패스워드�� 변경��

1)�� 쉘�� 스크립트�� 작성��

5.4�� principal�� 및�� keytab�� 생성��

namenode01�� datanode01��

• �� /usr/local/kerberos/slaves��

#!/bin/sh�� realm=TAJO.ORG�� for�� slave�� in�� $(cat�� slaves);�� do�� echo�� ${slave}�� install�� -o�� root�� -g�� root�� -m�� 0700�� -d�� ${slave}��

• �� /usr/local/kerberos/make_keytab.sh��

5.4�� principal�� 및�� keytab�� 생성��

kadmin.local�� <<EOF�� addprinc�� -randkey�� host/${slave}@${realm}�� addprinc�� -randkey�� hadoop/${slave}@${realm}�� ktadd�� -k�� ${slave}/hadoop.keytab�� -norandkey�� \�� hadoop/${slave}@${realm}�� host/${slave}@${realm}�� EOF�� done��

• �� /usr/local/kerberos/make_keytab.sh��

- �� 스크립스�� 실행:�� ./make_keytab.sh�� - �� 호스트명�� 디렉토리의�� 파일을�� 해당�� 호스트로�� 복사�� à�� scp,�� rsync,�� pssh�� 등�� 이용��

1)�� 배포��

- �� 생성된�� hadoop.keytab�� 파일을�� scp,�� rsync�� 등으로�� 배포��

- �� 각�� 서버의�� /home/hadoop/hadoop-2.5.1/etc/hadoop/security�� 디렉터리에�� 복사��

- -�� 배포�� 스크립트를�� 만들어서�� 배포할�� 것��

5.5�� keytab�� 배포��

2)�� Keytab�� 파일�� 권한�� 변경��

- �� chmod�� 400�� hadoop.keytab��

1)�� hadoop-env.sh��

5.6�� 하둡�� 클러스터�� 설정��

export�� JSVC_HOME=/usr/bin��

à 기존에�� 설치된�� jsvc가�� 없을�� 경우�� yum�� jsvc로�� 설치��

export�� HADOOP_SECURE_DN_USER=hadoop��

export�� HADOOP_SECURE_DN_PID_DIR�� =/home/hadoop/pids/secure��

export�� HADOOP_SECURE_DN_LOG_DIR=/home/hadoop/hadoop-2.

5.1/logs/secure��

2)�� core-site.xml��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>hadoop.security.authorization</name>�� <value>true</value>�� </property>�� <property>�� <name>hadoop.security.authentication</name>�� <value>kerberos</value>�� </property>��

3)�� hdfs-site.xml��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.permissions</name>�� <value>true</value>�� </property>�� <property>�� <name>dfs.block.access.token.enable</name>�� <value>true</value>�� </property>�� <property>�� <name>dfs.namenode.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.namenode.kerberos.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>dfs.namenode.kerberos.internal.spnego.principal</name>�� <value>${dfs.web.authentication.kerberos.principal}</value>�� </property>�� <property>�� <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>�� <value>${dfs.web.authentication.kerberos.principal}</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.datanode.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>dfs.datanode.kerberos.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>dfs.datanode.kerberos.https.principal</name>�� <value>hadoop/[email protected]</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.datanode.data.dir.perm</name>�� <value>700</value>�� </property>�� <property>�� <name>dfs.datanode.address</name>�� <value>0.0.0.0:1004</value>�� </property>�� <property>�� <name>dfs.datanode.http.address</name>�� <value>0.0.0.0:1006</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.secondary.namenode.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>dfs.secondary.namenode.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>dfs.web.authentication.kerberos.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>dfs.namenode.kerberos.internal.spnego.principal</name>�� <value>${dfs.web.authentication.kerberos.principal}</value>�� </property>�� <property>�� <name>dfs.secondary.namenode.kerberos.internal.spnego.principal</name>�� <value>${dfs.web.authentication.kerberos.principal}</value>�� </property>��

4)�� yarn-site.xml��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>yarn.resourcemanager.keytab</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>yarn.resourcemanager.principal</name>�� <value>hadoop/[email protected]</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>yarn.nodemanager.keytab</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>yarn.nodemanager.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>yarn.nodemanager.container-executor.class</name>�� <value>org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정�� <property>�� <name>mapreduce.jobhistory.keytab</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>mapreduce.jobhistory.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>yarn.nodemanager.linux-container-executor.group</name>�� <value>hadoop</value>�� </property>��

5)�� mapred-site.xml��

5.6�� 하둡�� 클러스터�� 설정��

<property>�� <name>mapreduce.jobtracker.kerberos.principal</name>�� <value>hadoop/[email protected]</value>�� </property>�� <property>�� <name>mapreduce.jobtracker.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>mapreduce.tasktracker.kerberos.principal</name>�� <value>hadoop/[email protected]</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

property>�� <name>mapreduce.tasktracker.keytab.file</name>�� <value>/home/hadoop/hadoop-2.5.1/etc/hadoop/security/hadoop.keytab</value>�� </property>�� <property>�� <name>mapred.task.tracker.task-controller</name>�� <value>org.apache.hadoop.mapred.LinuxTaskController</value>�� </property>�� <property>�� <name>mapreduce.tasktracker.group</name>�� <value>hadoop</value>�� </property>��

5.6�� 하둡�� 클러스터�� 설정��

6)�� 하둡�� 컴파일��

- �� cd�� /home/hadoop/hadoop-2.5.1-src/hadoop-yarn-project/hadoop-yarn/had

oop-yarn-server/hadoop-yarn-server-nodemanager��

- �� mvn�� package�� -Dcontainer-executor.conf.dir=/usr/local/yarn_conf/�� -DskipTest

s�� –Pnative��

- �� cp�� target/native/target/usr/local/bin/*�� /home/hadoop/hadoop-2.5.1/bin/�� - �� cd�� /home/hadoop/hadoop-2.5.1/bin��

- �� sudo�� chmod�� 6050�� container-executor�� - �� sudo�� chown�� root:hadoop�� container-executor��

5.6�� 하둡�� 클러스터�� 설정��

7)�� container-executor.cnf�� 설정��

- �� root�� 로�� 작업�� 진행��

- �� mkdir�� /usr/local/yarn_conf��

- �� cd�� /usr/local/yarn_conf��

- �� vi�� container-executor.cfg��

��

- �� chmod�� 400�� container-executor.cfg��

#yarn.nodemanager.local-dirs=/tmp/yarn/local�� #yarn.nodemanager.log-dirs=/tmp/yarn/logs�� yarn.nodemanager.linux-container-executor.group=hadoop�� #banned.users=�� min.user.id=500�� #allowed.system.users=��

5.7�� 하둡�� 클러스터�� 실행��

1)�� NameNode��

- �� sbin/hadoop-daemon.sh�� start�� namenode�� 2)�� DataNode��

- �� sudo�� sbin/hadoop-daemon.sh�� start�� datanode��

##�� Allow�� root�� to�� run�� any�� commands�� anywhere�� root�� ALL=(ALL)�� ALL�� hadoop�� ALL=(ALL)�� ALL��

• �� visudo��

5.7�� 하둡�� 클러스터�� 실행��

3)�� 리소스�� 매니저��

- �� sbin/yarn-daemon.sh�� start�� resourcemanager�� 4)�� 노드�� 매니저��

- �� sbin/yarn-daemon.sh�� start�� nodemanager��

5)�� 잡�� 히스토리�� 서버��

- �� sbin/mr-jobhistory-daemon.sh�� start�� historyserver��

5.7�� Trouble�� Shooting��

1)�� 커버로스�� 설치��

- �� 기존에�� 설치된�� 커버로스를�� 함부로�� 삭제하지�� 말�� 것��

- �� python-krbV-1.0.90-3.el6.x86_64�� [root@namenode01�� local]#�� wget�� wget:�� error�� while�� loading�� shared�� libraries:�� libgssapi_krb5.so.2:�� cannot�� open�� shared�� object�� file:�� No�� such�� file�� or�� directory�� [root@namenode01�� lib]#�� yum�� clean�� all�� There�� was�� a�� problem�� importing�� one�� of�� the�� Python�� modules�� required�� to�� run�� yum.�� The�� error�� leading�� to�� this�� problem�� was:�� libgssapi_krb5.so.2:�� cannot�� open�� shared�� object�� file:�� No�� such�� file��


2)�� SSH�� 버전��

- �� SSH�� 버전마다�� 설정�� 파일�� 경로�� 및�� 파일명이�� 상이함��

- �� SSH1:�� /etc/ssh/ssh_config�� - �� SSH2:�� /etc/ssh/sshd_config�� 3)�� 커버로스�� 버전��

- �� 커버로스도�� 여러�� 배포�� 버전이�� 존재함�� - �� 커버로스�� 버전에�� 따라서�� kadmim,�� kadmin.local의�� 지원�� 옵션이�� 상이함��


java.io.IOException:�� Login�� failure�� for�� hadoop/[email protected]�� from�� keytab�� /home/hadoop/hadoop-2.5.1/etc/hadoop/hadoop.keytab��

�� at�� org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:921)��

�� at�� org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:242)��

�� at�� org.apache.hadoop.security.SecurityUtil.login(SecurityUtil.java:206)��

4)�� Keytab�� 파일에�� 이상이�� 있을�� 경우��

- �� 지정된�� 위치에�� 없거나��

- �� 다른�� 서버의�� Keytab�� 파일을�� 복사해온�� 경우��


14/09/28�� 06:33:49�� INFO�� security.UserGroupInformation:�� Login�� successful�� for�� user�� hadoop/[email protected]�� using�� keytab�� file�� /home/hadoop/hadoop-2.5.1/etc/hadoop/hadoop.keytab�� 14/09/28�� 06:33:49�� INFO�� impl.MetricsConfig:�� loaded�� properties�� from�� hadoop-metrics2.properties�� 14/09/28�� 06:33:50�� INFO�� impl.MetricsSystemImpl:�� Scheduled�� snapshot�� period�� at�� 10�� second(s).�� 14/09/28�� 06:33:50�� INFO�� datanode.DataNode:�� Configured�� hostname�� is�� datanode01�� 14/09/28�� 06:33:50�� FATAL�� datanode.DataNode:�� Exception�� in�� secureMain�� java.lang.RuntimeException:�� Cannot�� start�� secure�� cluster�� without�� privileged�� resources.��

�� at�� org.apache.hadoop.hdfs.server.datanode.DataNode.startDataNode(DataNode.java:737)��

5)�� DataNode�� 구동��

- �� 커버로스를�� 활성화�� 시킨�� 경우,�� 반드시�� root로�� 실행��


28/09/2014�� 23:22:00�� 3203�� jsvc.exec�� error:�� Cannot�� find�� daemon�� loader�� org/apache/commons/daemon/support/DaemonLoader��

6)�� JSVC�� 클래스�� 패스�� 설정��

- �� 클래스�� 패스가�� 문제�� 있는�� 경우��

- �� JSVC�� 버전�� 별로,�� -cp�� 에서�� *�� 설정이�� 적용안�� 될�� 수�� 있음��

java.lang.ClassNotFoundException:�� org.apache.hadoop.hdfs.server.datanode.SecureDataNodeStarter��

�� at�� java.net.URLClassLoader$1.run(URLClassLoader.java:366)�� at�� java.net.URLClassLoader$1.run(URLClassLoader.java:355)��


-�� bin/hdfs에�� 스크립트�� 추가�� (1/2)��

HADOOP_HOME=/home/hadoop/hadoop-2.5.1�� HADOOP_MODULE_DIRS="$HADOOP_HOME/share/hadoop/common/lib�� $HADOOP_HOME/share/hadoop/common�� $HADOOP_HOME/share/hadoop/hdfs/lib�� $HADOOP_HOME/share/hadoop/hdfs�� $HADOOP_HOME/share/hadoop/yarn/lib�� $HADOOP_HOME/share/hadoop/yarn�� $HADOOP_HOME/share/hadoop/mapreduce/lib�� $HADOOP_HOME/share/hadoop/mapreduce"��


-�� bin/hdfs에�� 스크립트�� 추가�� (2/2)��

JSVC_CLASSPATH=$HADOOP_HOME/etc/hadoop�� for�� d�� in�� $HADOOP_MODULE_DIRS;�� do�� for�� f�� in�� $d/*;�� do�� JSVC_CLASSPATH=${JSVC_CLASSPATH}:$f;�� done�� done;�� exec�� "$JSVC"�� \�� -Dproc_$COMMAND�� -outfile�� "$JSVC_OUTFILE"�� \�� -errfile�� "$JSVC_ERRFILE"�� \�� -pidfile�� "$HADOOP_SECURE_DN_PID"�� \�� -nodetach�� \�� -user�� "$HADOOP_SECURE_DN_USER"�� \�� -cp�� "$JSVC_CLASSPATH"�� \��


7)�� DataNode의�� 소유자는?��

- �� sudo로�� 실행했더라도,�� hadoop으로�� 소유자가�� 변경됨��

- �� hadoop�� 계정으로�� jps,�� kill,�� hadoop-deamon.sh�� stop�� 모두�� 적용�� 가능��

8)�� SSH�� 인증키�� 복사는?��

- �� 기존대로�� 마스터�� 서버의�� SSH�� 인증키를�� 슬레이브�� 서버에�� 복사�� à�� 데몬�� 제어는�� 여전히�� SSH�� 프로토콜��


8)�� AES-256�� 알고리즘�� 이슈��

- kdc.conf에서�� aes-256을�� 삭제하거나,�� 암호화�� 파일을�� 모든�� 서버

에�� 설치�� à�� $JAVA_HOME/jre/lib/security��

2014-09-29�� 02:51:11,641�� WARN�� SecurityLogger.org.apache.hadoop.ipc.Server:�� Auth�� failed�� for�� 192.168.56.101:60399:null�� (GSS�� initiate�� failed)�� 2014-09-29�� 02:51:11,643�� INFO�� org.apache.hadoop.ipc.Server:�� Socket�� Reader�� #1�� for�� port�� 9010:�� readAndProcess�� from�� client�� 192.168.56.101�� threw�� exception�� [javax.security.sasl.SaslException:�� GSS�� initiate�� failed�� [Caused�� by�� GSSException:�� Failure�� unspecified�� at�� GSS-API�� level�� (Mechanism�� level:�� Encryption�� type�� AES256�� CTS�� mode�� with�� HMAC�� SHA1-96�� is�� not�� supported/enabled)]]��


INFO�� mapred.TaskController:�� Failed�� to�� create�� directory�� /var/log/hadoop/cache/mapred/mapred/local1/taskTracker/atm�� -�� No�� such�� file�� or�� directory�� 11/08/17�� 14:44:06�� WARN�� mapred.TaskTracker:�� Exception�� while�� localization�� java.io.IOException:�� Job�� initialization�� failed�� (20)�� at�� org.apache.hadoop.mapred.LinuxTaskController.initializeJob(LinuxTaskController.java:191)�� at�� org.apache.hadoop.mapred.TaskTracker$4.run(TaskTracker.java:1199)�� at�� java.security.AccessController.doPrivileged(Native�� Method)�� at�� javax.security.auth.Subject.doAs(Subject.java:396)��

9)�� TaskTracker�� 로컬�� 디렉터리�� 생성�� 실패��

- �� mapred-site.xml의�� mapred.local.dir와�� taskcontroller.cfg의

�� yarn.nodemanager.local-dirs이�� 일치하지�� 않을�� 때�� 발생��


INFO�� mapred.TaskController:�� Failed�� to�� create�� directory�� /var/log/hadoop/cache/mapred/mapred/local1/taskTracker/atm�� -�� No�� such�� file�� or�� directory�� 14/09/27�� 14:44:06�� WARN�� mapred.TaskTracker:�� Exception�� while�� localization�� java.io.IOException:�� Job�� initialization�� failed�� (20)��

10)�� TaskTracker�� 로그�� 디렉터리�� 생성�� 실패��

- �� mapred-site.xml의�� mapred.local.dir와�� taskcontroller.cfg의

�� yarn.nodemanager.local-dirs이�� 일치하지�� 않을�� 때�� 발생��

결론��

1.�� 커버로스가�� 정말�� 필요한�� 환경인지,�� 진지하게�� 고민

하세요.��

2.�� 충분히�� 연습하세요.��

3.�� 관리도구를�� 적절히�� 활용하세요.��

4.�� 계정�� 관리는�� LDAP,�� 액티브�� 디렉터리와�� 연동하는��

것이�� 좋습니다.��

5.�� 게이트웨이�� 서버(Knox,�� Sentry)를�� 활용하세요.��

Q&A��

THANK�� YOU��

Technology

[2A5]하둡 보안 어떻게 해야 할까