Help Center > > User Guide> Managing an Existing Cluster> MRS Multi-User Permission Management> Configuring Cross-Cluster Mutual Trust Relationships

Configuring Cross-Cluster Mutual Trust Relationships

Updated at: Mar 25, 2021 GMT+08:00

Scenario

If cluster A needs to access the resources of cluster B, the mutual trust relationship must be configured between these two clusters.

If no trust relationship is configured, resources of a cluster are available only for users in this cluster. MRS automatically assigns a unique domain name for each cluster to define the scope of resources for users.

The operations described in this section apply only to clusters of MRS 2.1.0 or earlier.

For clusters of MRS 3.0.2 or later, see Configuring Cross-Manager Cluster Mutual Trust Relationships.

Impact on the System

  • After cross-cluster mutual trust is configured, resources of a cluster become available for users in other cluster. User permission in the clusters must be regularly checked based on service and security requirements.
  • After cross-cluster mutual trust is configured, the KrbServer service needs to be restarted and the cluster becomes unavailable during the restart.
  • After cross-cluster mutual trust is configured, internal users krbtgt/Local cluster domain name@External cluster domain name and krbtgt/External cluster domain name@Local cluster domain name are added to the two clusters. The internal users cannot be deleted. The default password is Crossrealm@123.

Prerequisites

Both clusters are in the same VPC and subnet.

Procedure

  1. On the MRS management console, query all security groups of the two clusters.

    • If the security groups of the two clusters are the same, go to 3.
    • If the security groups of the two clusters are different, go to 2.

  2. On the VPC management console, add rules for each security group.

    Set Protocol to ANY, Transfer Direction to Inbound,

    and Source to Security Group. The source is the security group of the peer cluster.

    • For cluster A, add inbound rules to the security group, set Source to the security groups of cluster B (the peer cluster of cluster A).
    • For cluster B, add inbound rules to the security group, set Source to the security groups of cluster A (the peer cluster of cluster B).

    For a common cluster with Kerberos authentication disabled, perform step 1 to 2 to configure cross-cluster mutual trust. For a security cluster with Kerberos authentication enabled, after completing the preceding steps, proceed to the following steps for configuration.

  3. Log in to MRS Manager of the two clusters separately. For details, see Accessing MRS Manager (MRS 2.1.0 or Earlier). Click Service and check whether the Health Status of all components is Good.

    • If yes, go to 4.
    • If no, contact technical support personnel for troubleshooting.

  4. Query configuration information.

    1. On MRS Manager of the two clusters, choose Services > KrbServer > Instance. Query the OM IP Address of the two KerberosServer hosts.
    2. Click Service Configuration. Set Type to All. Choose KerberosServer > Port in the navigation tree on the left. Query the value of kdc_ports. The default value is 21732.
    3. Click Realm and query the value of default_realm.

  5. On MRS Manager of either cluster, modify the peer_realms parameter.

    Table 1 Parameter description

    Parameter

    Description

    realm_name

    Domain name of the mutual-trust cluster, that is, the value of default_realm obtained in step 4.

    ip_port

    KDC address of the peer cluster. Format: IP address of a KerberosServer node in the peer cluster:kdc_port

    The addresses of the two KerberosServer nodes are separated by a comma. For example, if the IP addresses of the KerberosServer nodes are 10.0.0.1 and 10.0.0.2 respectively, the value of this parameter is 10.0.0.1:21732,10.0.0.2:21732.

    • To deploy trust relationships with multiple clusters, click to add items and specify relevant parameters. To delete an item, click .
    • A cluster can have trust relationships with a maximum of 16 clusters. By default, no trust relationship exists between different clusters that are trusted by a local cluster.

  6. Click Save Configuration. In the dialog box that is displayed, select Restart the affected services or instances and click OK. If you do not select Restart the affected services or instances, manually restart the affected services or instances.

    After Operation successful is displayed, click Finish.

  7. Exit MRS Manager and log in to it again. If the login is successful, the configurations are valid.
  8. Log in to MRS Manager of the other cluster and repeat step 5 to 7.

Follow-up Operations

After cross-cluster mutual trust is configured, the service configuration parameters are modified on MRS Manager and the service is restarted. Therefore, you need to prepare the client configuration file again and update the client.

Scenario 1:

Cluster A and cluster B (peer cluster and mutually trusted cluster) are the same type, for example, analysis cluster or streaming cluster. Follow instructions in Updating a Client to update the client configuration files of cluster A and B respectively.

  • Update the client configuration file of cluster A.
  • Update the client configuration file of cluster B.

Scenario 2:

Cluster A and cluster B (peer cluster and mutually trusted cluster) are the different type. Perform the following steps to update the configuration files.

  • Update the client configuration file of cluster A to cluster B.
  • Update the client configuration file of cluster B to cluster A.
  • Update the client configuration file of cluster A.
  • Update the client configuration file of cluster B.
  1. Log in to MRS Manager of cluster A.
  2. Click Services, and then Download Client.
  3. Set Client Type to Only configuration files.
  4. Set Download to to Remote host.
  5. Set Host IP Address to the IP address of the active Master node of cluster B, Host Port to 22, and Save Path to /tmp.

    • If the default port 22 for logging in to cluster B using SSH is changed, set Host Port to a new port.
    • The value of Save Path contains a maximum of 256 characters.

  6. For clusters of MRS 1.6.2 or later, set Login User to root.

    If another user is used, ensure that the user has permissions to read, write, and execute the save path.

  7. select Password or SSH Private Key in Login Mode.

    • Password: Enter the password of user root set during cluster creation.
    • SSH Private Key: Select and upload the key file used for creating the cluster.

  8. Click OK to generate a client file.

    If the following information is displayed, the client file is saved. Click Close.

    Client files downloaded to the remote host successfully.

    If the following information is displayed, check the username, password, and security group configurations of the remote host. Ensure that the username and password are correct and an inbound rule of the SSH (22) port has been added to the security group of the remote host. And then, go to 2 to download the client again.

    Failed to connect to the server. Please check the network connection or parameter settings.

  9. Log in to the ECS of cluster B using VNC. For details, see Login Using VNC in the Elastic Cloud Server User Guide.

    All images support Cloud-Init. The preset username for Cloud-Init is root, and the password is the one set during cluster creation.

  10. Run the following command to go to the client directory:

    cd /opt/client

  11. Run the following command to update the client configuration of cluster A to cluster B:

    sh refreshConfig.sh Client installation directory Full path of the client configuration file package

    For example, run the following command:

    sh refreshConfig.sh /opt/client /tmp/MRS_Services_Client.tar

    If the following information is displayed, the configurations have been updated successfully.

    ReFresh components client config is complete.
    Succeed to refresh components client config.

    You can also refer to method 2 in Updating a Client to perform 1 to 11 for clusters of MRS 1.8.5 or later.

  12. Repeat step 1 to 11 to update the client configuration file of cluster B to cluster A.
  13. Follow instructions in Updating a Client to update the client configuration file of the local cluster.

    • Update the client configuration file of cluster A.
    • Update the client configuration file of cluster B.

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel