
Configuring Cross-Cluster Mutual Trust Relationships

Updated at: Apr 28, 2020 GMT+08:00

Scenario

If two clusters need to access the resources of each other, the administrator must configure the mutual trust relationships between the clusters.

If no trust relationship is configured, resources of a cluster are available only for users in the cluster. MRS automatically assigns a unique domain name for each cluster to define the scope of resources for users.

Impact on the System

  • After cross-cluster mutual trust is configured, resources of a cluster become available for users in the other cluster. User permission in the clusters must be regularly checked based on service and security requirements.
  • After cross-cluster mutual trust is configured, the KrbServer needs to be restarted and the cluster becomes unavailable during the restart.
  • After cross-cluster mutual trust is configured, the internal users krbtgt/<Local cluster domain name>@<External cluster domain name> and krbtgt/<External cluster domain name>@<Local cluster domain name> are added to both clusters. These internal users cannot be deleted. Their default password is Crossrealm@123.

Prerequisites

Both clusters are in the same VPC and subnet.

Procedure

  1. On the MRS management console, query all security groups of the two clusters.

    • If the security groups of the two clusters are the same, go to 3.
    • If the security groups of the two clusters are different, go to 2.

  2. On the VPC management console, add rules for each security group.

    Set Protocol to ANY, Transfer Direction to Inbound, and Source to Security Group. The source is the security group of the peer cluster.

    For a normal cluster with Kerberos authentication disabled, steps 1 and 2 are all that is needed to configure the cross-cluster mutual trust relationship. For a security cluster with Kerberos authentication enabled, also perform the following steps.

  3. Log in to MRS Manager of the two clusters separately. Click Services and check whether the Health Status of all components is Good.

    • If yes, go to 4.
    • If no, contact technical support personnel for troubleshooting.

  4. Query configuration information.

    1. On MRS Manager of each cluster, choose Services > KrbServer > Instance. Query the OM IP Address of the two KerberosServer hosts.
    2. Click Service Configuration. Set Type to All. Choose KerberosServer > Port in the navigation tree on the left. Query the value of kdc_ports. The default value is 21732.
    3. Click Realm and query the value of default_realm.

  5. On MRS Manager of either cluster, modify the peer_realms parameter.

    Table 1 Parameter description

    Parameter: realm_name
    Description: default_realm of the peer cluster, obtained in step 4.

    Parameter: ip_port
    Description: KDC address of the peer cluster. Format: <IP address of a KerberosServer node in the peer cluster>:<kdc_port>. The addresses of the two KerberosServer nodes are separated by a comma. For example, if the IP addresses of the KerberosServer nodes are 10.0.0.1 and 10.0.0.2 respectively, the value of this parameter is 10.0.0.1:21732,10.0.0.2:21732.

    • To establish trust relationships with multiple clusters, click the add icon to add items and specify the parameters for each. To delete an item, click the delete icon.
    • A cluster can have trust relationships with a maximum of 16 clusters. By default, no trust relationship exists between different clusters that are trusted by a local cluster.

  6. Click Save Configuration. In the dialog box that is displayed, select Restart the affected services or instances and click OK. If you do not select Restart the affected services or instances, manually restart the affected services or instances.

    After Operation succeeded is displayed, click Finish.

  7. Exit MRS Manager and log in to it again. If the login is successful, the configurations are valid.
  8. Log in to MRS Manager of the other cluster and repeat 5 to 7.
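The values entered in steps 4 and 5 are easy to get wrong by hand (a missing port, a realm that is actually the local one, more than 16 peers). The following is an added example, not MRS code: it checks a set of peer_realms entries against the rules stated above, derives the two krbtgt principals the trust creates in each cluster, and renders the krb5.conf-style [realms] stanza a client would need to locate the peer KDCs. The realm names and IP addresses are constructed sample values; the assumption that a client locates peer KDCs through a krb5.conf [realms] stanza is the standard Kerberos client layout, not something this page states about the MRS client package.

```python
import ipaddress
from dataclasses import dataclass

# Limits and defaults taken from the procedure above.
MAX_TRUSTED_CLUSTERS = 16   # a cluster may trust at most 16 clusters
DEFAULT_KDC_PORT = 21732    # default kdc_ports value queried in step 4


@dataclass(frozen=True)
class PeerRealm:
    """One peer_realms item: the two columns of Table 1."""
    realm_name: str   # default_realm of the peer cluster
    ip_port: str      # "IP:port,IP:port" for the peer's two KerberosServer nodes


def parse_ip_port(ip_port: str) -> list[tuple[str, int]]:
    """Split '10.0.0.1:21732,10.0.0.2:21732' into validated (ip, port) pairs."""
    endpoints = []
    for item in ip_port.split(","):
        item = item.strip()
        host, sep, port = item.rpartition(":")
        if not sep or not port:
            raise ValueError(f"missing port in {item!r}")
        ipaddress.IPv4Address(host)      # raises ValueError on a malformed address
        port_num = int(port)             # raises ValueError if the port is not numeric
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        endpoints.append((host, port_num))
    return endpoints


def validate_peer_realms(local_realm: str, peers: list[PeerRealm]) -> list[str]:
    """Return human-readable problems; an empty list means the entries are consistent."""
    problems = []
    if len(peers) > MAX_TRUSTED_CLUSTERS:
        problems.append(
            f"{len(peers)} peers exceeds the limit of {MAX_TRUSTED_CLUSTERS} trusted clusters")
    seen = set()
    for peer in peers:
        if peer.realm_name == local_realm:
            problems.append(f"{peer.realm_name}: realm_name equals the local default_realm")
        if peer.realm_name in seen:
            problems.append(f"{peer.realm_name}: duplicate realm_name")
        seen.add(peer.realm_name)
        try:
            endpoints = parse_ip_port(peer.ip_port)
        except ValueError as exc:
            problems.append(f"{peer.realm_name}: {exc}")
            continue
        # Step 4 queries two KerberosServer hosts; Table 1 expects both of them.
        if len(endpoints) != 2:
            problems.append(
                f"{peer.realm_name}: expected both KerberosServer nodes, got {len(endpoints)}")
    return problems


def cross_realm_principals(local_realm: str, peer_realm: str) -> tuple[str, str]:
    """The two krbtgt principals the trust adds to both clusters (see Impact on the System)."""
    return (f"krbtgt/{local_realm}@{peer_realm}", f"krbtgt/{peer_realm}@{local_realm}")


def render_krb5_realms(local_realm: str, peers: list[PeerRealm]) -> str:
    """Render krb5.conf-style [libdefaults] and [realms] stanzas naming each peer's KDCs.

    Assumption: this is the generic Kerberos client layout; the MRS client
    package refreshed in the follow-up operations carries its own files.
    """
    lines = ["[libdefaults]", f"  default_realm = {local_realm}", "", "[realms]"]
    for peer in peers:
        lines.append(f"  {peer.realm_name} = {{")
        for host, port in parse_ip_port(peer.ip_port):
            lines.append(f"    kdc = {host}:{port}")
        lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values; real realm names and KDC addresses come from step 4.
    local = "CLUSTER_A.COM"
    peers = [PeerRealm("CLUSTER_B.COM",
                       f"10.0.0.1:{DEFAULT_KDC_PORT},10.0.0.2:{DEFAULT_KDC_PORT}")]
    for problem in validate_peer_realms(local, peers):
        print("problem:", problem)
    print(cross_realm_principals(local, peers[0].realm_name))
    print(render_krb5_realms(local, peers))
```

Run the checks once per cluster with that cluster's own default_realm as local_realm, since each side configures peer_realms separately (steps 5 and 8). The validator deliberately does not add transitive entries: as stated above, two clusters that are both trusted by the local cluster do not trust each other unless that pair is configured explicitly.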

Follow-up Operations

After you configure the cross-cluster mutual trust relationship, the service configuration has been modified and the service restarted on MRS Manager. You therefore need to prepare the client configuration file and update the client again.

Scenario 1:

If cluster A and cluster B (the peer, mutually trusted clusters) are of the same type, for example both analysis clusters or both streaming clusters, follow the instructions in Updating a Client to update the client configuration files of cluster A and cluster B.

  • Update the client configuration file of cluster A.
  • Update the client configuration file of cluster B.

Scenario 2:

If cluster A and cluster B (the peer, mutually trusted clusters) are of different types, perform the following operations to update their clients.

  • Update the client configuration file of cluster A to cluster B.
  • Update the client configuration file of cluster B to cluster A.
  • Update the client configuration file of cluster A.
  • Update the client configuration file of cluster B.
  1. Log in to MRS Manager of cluster A.
  2. Click Services and then Download Client.
  3. In Client Type, select Only configuration files.
  4. In Save Path, select Remote host.
  5. Set Host IP Address to the active Master node IP address of cluster B, Host Port to 22, and Save Path to /tmp.

    • If the default SSH port 22 for logging in to cluster B has been changed, set Host Port to the new port.
    • The value of Save Path contains a maximum of 256 characters.

  6. Set Login User to root.

    If another user is used, ensure that the user has read, write, and execute permissions on the save path.

  7. Select Password or SSH Private Key in Login Mode.

    • Password: Enter the password of user root set during cluster creation.
    • SSH Private Key: Select and upload the key file used for creating the cluster.

  8. Click OK to generate a client file.

    If the following information is displayed, the client file has been saved successfully. Then click Close.

    Client files downloaded to the remote host successfully. 

    If the following information is displayed, check the username, password, and security group configuration of the remote host. Ensure that the username and password are correct and that an inbound rule for the SSH port (22) has been added to the security group of the remote host. Then go to 2 to download the client again.

    Failed to connect to the server. Please check the network connection or parameter settings.

  9. Log in to an ECS in cluster B using VNC. For details, see Login Using VNC.

    All images support Cloud-init. The preset username for Cloud-init is root and the password is the one you set during cluster creation.

  10. Run the following command to go to the client directory.

    cd /opt/client

  11. Run the following commands to update client configurations of cluster A to cluster B.

    sh refreshConfig.sh <Client installation directory> <Complete path of the client configuration file package>

    The following provides an example.

    sh refreshConfig.sh /opt/client /tmp/MRS_Services_Client.tar

    If the following information is displayed, client configurations are successfully updated.

    ReFresh components client config is complete.
    Succeed to refresh components client config.

    For clusters of MRS 1.8.5 or later, you can also use method 2 in Updating a Client to perform steps 1 to 11.

  12. Repeat 1 to 11 to update the client configuration file of cluster B to cluster A.
  13. Follow the instructions in Updating a Client to update the client configuration files of the local clusters:

    • Update the client configuration file of cluster A.
    • Update the client configuration file of cluster B.
