• java程序中获取kerberos登陆hadoop


    本文由作者周梁伟授权网易云社区发布。


    一般我们在使用kbs(Kerberos)登录hadoop服务时都直接在shell中调用kinit命令来获取凭证,这种方式简单直接,只要获取一次凭证,之后都可以在该会话过程中重复访问。但是这种方式有一个明显的问题:如果在本次shell中会间隔调用不同的java程序,而这些程序需要访问的资源权限各不相同,就需要在访问前分别使用各自的ktab(keytab)文件获得授权。这种场景下情况会变得非常复杂,这时如果把kbs认证的过程移到java程序中就会简单很多:每个java程序获取各自的凭证,即使多个进程同时运行也不会相互影响。我这里介绍两种在java中获取kbs凭证的方法,分别使用 org.apache.hadoop.security.SecurityUtil 和 org.apache.hadoop.security.UserGroupInformation 两个类实现。

    一、    使用ktab文件简单登录方式

    登录操作函数

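    /**
     * Logs in to Hadoop with Kerberos by calling
     * {@code org.apache.hadoop.security.SecurityUtil.login(Configuration, String, String)}
     * through reflection.
     *
     * <p>The two key arguments are names of properties in {@code conf}, not the keytab
     * path or the principal themselves.
     *
     * <p>A failed login is reported to the caller instead of being swallowed. If this
     * method returned normally after a failure, the caller would go on to use Hadoop
     * with whatever credentials the process already has (presumably an existing ticket
     * cache, if any) rather than the keytab identity it asked for.
     *
     * @param conf          configuration that carries the keytab and principal properties
     * @param keytab_KEY    name of the property in {@code conf} holding the keytab file path
     * @param principal_KEY name of the property in {@code conf} holding the principal
     * @throws IOException if the login method cannot be resolved or the login fails
     */
    static void tryKerberosLogin(Configuration conf, String keytab_KEY, String principal_KEY)
            throws IOException {
        // NOTE(review): hard-coded to true, so the early return below is never taken.
        // Kept as the hook where a real "is security enabled" check would go.
        final boolean useSec = true;
        LOG.info("Hadoop Security enabled: " + useSec);
        if (!useSec) {
            return;
        }

        try {
            // Resolved reflectively, as in the original; presumably so the code still
            // loads against a Hadoop build without SecurityUtil (confirm).
            Class<?> securityUtil = Class.forName("org.apache.hadoop.security.SecurityUtil");
            Method login = securityUtil.getMethod(
                    "login", Configuration.class, String.class, String.class);
            login.invoke(null, conf, keytab_KEY, principal_KEY);
            LOG.info("successfully authenticated with keytab");
        } catch (Exception e) {
            // Method.invoke wraps whatever login() threw; surface the real cause.
            Throwable cause = e;
            if (e instanceof java.lang.reflect.InvocationTargetException
                    && e.getCause() != null) {
                cause = e.getCause();
            }
            // Report the values this call actually used (read from conf via the keys
            // passed in) rather than values from an unrelated global configuration.
            String message = "Flume failed when attempting to authenticate with keytab "
                    + conf.get(keytab_KEY)
                    + " and principal '"
                    + conf.get(principal_KEY)
                    + "'";
            LOG.error(message, cause);
            throw new IOException(message, cause);
        }
    }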

    配置

    ...

     <!-- Kerberos principal the process logs in as.
          NOTE(review): no <value> element is shown for this property on the page;
          the keytab login needs one, e.g. <value>PRINCIPAL_PLACEHOLDER</value>. -->

     <property>

        <name>flume.security.kerberos.principal</name>

        <description></description>

    </property>

    <!-- Path of the keytab file for that principal. A keytab holds the principal's
         long-term keys: keep it readable only by the account that runs the process,
         and keep it out of source control and packaged resources.
         NOTE(review): this is a relative path, so it presumably resolves against the
         working directory of the process; confirm, or use an absolute path. -->

    <property>

        <name>flume.security.kerberos.keytab</name>

        <value>resources/flume.keytab</value>

        <description></description>

    </property>

    Sample

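    /**
     * Usage example: logs in from the configured keytab, then opens the file system.
     *
     * <p>{@code FileSystem.get(conf)} is reached only when {@code tryKerberosLogin}
     * returns normally. If either call throws {@link IOException}, the error is logged
     * and the current value of {@code instance} is returned unchanged. That value may
     * be {@code null} or left over from an earlier call ({@code instance} is declared
     * outside this snippet; presumably a field of the enclosing class), so callers
     * must check the result.
     *
     * @param conf configuration carrying the {@code flume.security.kerberos.*} properties
     * @return the file system held in {@code instance}; see above for the failure case
     */
    public FileSystem getFileSystem(Configuration conf) {
        // Names of the configuration properties, not the keytab path or principal.
        String keytabKey = "flume.security.kerberos.keytab";
        String principalKey = "flume.security.kerberos.principal";

        try {
            // Authenticate with Kerberos first.
            tryKerberosLogin(conf, keytabKey, principalKey);
            // Then obtain the HDFS handle.
            instance = FileSystem.get(conf);
        } catch (IOException e) {
            // Neither call in the try block declares URISyntaxException, so the
            // original second catch clause could not compile and is dropped, together
            // with the stray closing brace that followed it.
            LOG.error("try getFileSystem fail()", e);
        }
        return instance;
    }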

    二、    通过UserGroupInformation获取代理用户方式

      package com.netease.backend.bigdata.wa.jobs;

     

    import java.io.IOException;

     

    import org.apache.hadoop.conf.Configuration;

    import org.apache.hadoop.fs.Path;

    import org.apache.hadoop.security.UserGroupInformation;

    import org.apache.log4j.Logger;

    import org.hsqldb.lib.StringUtil;

     

    import com.netease.backend.bigdata.wa.core.ConfKeys;

     

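    /**
     * Builds and caches the proxy-user {@link UserGroupInformation} used to run work
     * on behalf of another user.
     *
     * <p>The real identity comes from a keytab login. Whether that principal may
     * impersonate the configured user is decided on the cluster side (Hadoop's
     * {@code hadoop.proxyuser.*} settings), not by this class.
     *
     * @author zhouliangwei
     */
    public class ProxyUGI {

        private static final Logger LOG = Logger.getLogger(ProxyUGI.class);

        // Cached proxy UGI; read and written only inside the synchronized getProxyUGI.
        private static UserGroupInformation instance = null;

        /**
         * Reads the proxy-user settings from {@code conf} and returns the proxy
         * {@link UserGroupInformation}, creating it on the first successful call.
         *
         * <p>Returns {@code null} in two different situations: one of the three
         * settings is empty, or the keytab login failed. A caller that falls back to
         * the process's own identity on {@code null} will therefore also do so after a
         * failed login. The failure is logged at error level so it can be told apart
         * from "not configured".
         *
         * @param conf configuration holding {@code ConfKeys.MR_USER_NAME},
         *             {@code ConfKeys.WDA_PROXY_PRINCIPAL} and
         *             {@code ConfKeys.WDA_PROXY_KEYTAB}
         * @return the cached proxy UGI, or {@code null} if it could not be created
         */
        public static synchronized UserGroupInformation getProxyUGI(Configuration conf) {
            if (instance != null) {
                return instance;
            }

            String username = conf.get(ConfKeys.MR_USER_NAME, "");
            String proxyPrincipal = conf.get(ConfKeys.WDA_PROXY_PRINCIPAL, "");
            String proxyKtab = conf.get(ConfKeys.WDA_PROXY_KEYTAB, "");

            boolean incomplete = StringUtil.isEmpty(username)
                    || StringUtil.isEmpty(proxyPrincipal)
                    || StringUtil.isEmpty(proxyKtab);
            if (incomplete) {
                LOG.warn("config properties: ["
                        + ConfKeys.MR_USER_NAME
                        + ", "
                        + ConfKeys.WDA_PROXY_PRINCIPAL
                        + ", "
                        + ConfKeys.WDA_PROXY_KEYTAB
                        + "] in config file './conf/wda-core.xml' must be set!, quite use proxy mechanism");
                return null;
            }

            try {
                // Log in the real (keytab) identity, then wrap it as a proxy for username.
                UserGroupInformation realUser =
                        UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                                proxyPrincipal, proxyKtab);
                instance = UserGroupInformation.createProxyUser(username, realUser);
            } catch (IOException ex) {
                // Previously ignored silently. Still returns null for compatibility,
                // but the authentication failure is now visible in the log.
                LOG.error("keytab login failed for principal '" + proxyPrincipal
                        + "' with keytab " + proxyKtab
                        + ", proxy user was not created", ex);
            }
            return instance;
        }
    }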

    调用方式

    ...

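    /**
     * Usage example: runs {@code EventJobClient} through {@code ToolRunner}, inside
     * the proxy user's context when one is available, and exits with the job's
     * return code.
     *
     * @param args command-line arguments passed on to {@code ToolRunner.run}
     * @throws Exception if the job or the {@code doAs} call fails
     */
    public static void main(final String[] args) throws Exception {
        // NOTE(review): the ProxyUGI listing on this page declares
        // getProxyUGI(Configuration); this call passes no argument. Pass the job's
        // Configuration here (TODO confirm against the real class).
        UserGroupInformation ugi = ProxyUGI.getProxyUGI();

        final int exitCode;
        if (ugi != null) {
            // The action returns the exit code instead of calling System.exit inside
            // doAs. The original's statements after that exit call were unreachable.
            exitCode = ugi.doAs(new PrivilegedExceptionAction<Integer>() {
                @Override
                public Integer run() throws Exception {
                    return ToolRunner.run(new EventJobClient(), args);
                }
            });
        } else {
            // A null UGI means the proxy settings were missing or, per the ProxyUGI
            // listing on this page, the keytab login failed. Either way the job runs
            // under the process's current identity.
            exitCode = ToolRunner.run(new EventJobClient(), args);
        }
        System.exit(exitCode);
    }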

    ….


  • 原文地址:https://www.cnblogs.com/163yun/p/10119424.html