本文由作者周梁伟授权网易云社区发布。
一般我们在使用kbs(Kerberos)登录hadoop服务时都直接在shell中调用kinit命令来获取凭证,这种方式简单直接,只要获取一次凭证之后都可以在该会话过程中重复访问。但是这种方式一个明显的问题就是如果在本次shell中会间隔调用不同的java程序,而这些程序需要访问不同权限的资源,就需要在访问前调用各自的keytab文件获得授权。这种场景下情况会变得非常复杂,这时如果把kbs认证的过程移到java程序中就会简单很多,每个java程序中获取各自的凭证,即使多个进程同时运行也不会产生相互影响。我这里介绍两种java中获取kbs凭证的方法,分别使用 org.apache.hadoop.security.SecurityUtil 和 org.apache.hadoop.security.UserGroupInformation 两个类实现。
一、 使用ktab文件简单登录方式
登录操作函数
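/**
 * Attempts a Kerberos keytab login for HDFS access.
 *
 * <p>The login is performed by calling
 * {@code org.apache.hadoop.security.SecurityUtil.login(Configuration, String, String)}
 * through reflection. The two key arguments are the names of properties inside
 * {@code conf}, not the keytab path or the principal themselves.
 *
 * <p>A failed login is logged and not rethrown, so the caller cannot tell from
 * this method whether authentication succeeded and will continue with whatever
 * credentials the process already has. Callers that must not proceed
 * unauthenticated need their own check afterwards (for example by inspecting
 * {@code UserGroupInformation.getLoginUser()}).
 *
 * @param conf configuration that carries the keytab and principal properties
 * @param keytab_KEY name of the property in {@code conf} holding the keytab file path
 * @param principal_KEY name of the property in {@code conf} holding the principal
 * @throws IOException declared for callers; the current body logs login failures
 *     instead of throwing
 */
static void tryKerberosLogin(Configuration conf, String keytab_KEY, String principal_KEY) throws IOException {
    // Hard-coded on in this example; the guard stays so the switch can become configurable.
    boolean useSec = true;
    LOG.info("Hadoop Security enabled: " + useSec);
    if (!useSec) {
        return;
    }
    try {
        // Resolved reflectively, so this class has no compile-time link to SecurityUtil.
        Class<?> securityUtil = Class.forName("org.apache.hadoop.security.SecurityUtil");
        // login(Configuration, String, String) is static, hence the null receiver below.
        Method login = securityUtil.getMethod("login", Configuration.class, String.class,
                String.class);
        login.invoke(null, conf, keytab_KEY, principal_KEY);
        LOG.info("successfully authenticated with keytab");
    } catch (Exception e) {
        // Report the values this call actually used, read through the caller's own keys,
        // rather than values from an unrelated configuration singleton.
        LOG.error(
                "Flume failed when attempting to authenticate with keytab "
                        + configuredValue(conf, keytab_KEY)
                        + " and principal '"
                        + configuredValue(conf, principal_KEY)
                        + "'", e);
    }
}

/** Returns the value stored under {@code key}, or {@code null} when either argument is missing. */
private static String configuredValue(Configuration conf, String key) {
    return (conf == null || key == null) ? null : conf.get(key);
}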
配置
…
<!-- Kerberos principal to authenticate as. This excerpt shows no <value> element for it. -->
<property>
<name>flume.security.kerberos.principal</name>
<description></description>
</property>
<!-- Path of the keytab file used for the login. A keytab holds the principal's
     long-term keys: anyone who can read the file can authenticate as that
     principal, so keep it readable only by the service account and out of
     source control and packaged artifacts.
     NOTE(review): the path is relative; presumably it is resolved against the
     process working directory. Confirm, or use an absolute path. -->
<property>
<name>flume.security.kerberos.keytab</name>
<value>resources/flume.keytab</value>
<description></description>
</property>
…
Sample
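/**
 * Usage example: performs the Kerberos keytab login, then obtains the HDFS handle.
 *
 * @param conf Hadoop configuration carrying the {@code flume.security.kerberos.*} properties
 * @return the {@code instance} field; it keeps its previous value when
 *     {@code FileSystem.get} fails
 */
public FileSystem getFileSystem(Configuration conf) {
    String keytabKey = "flume.security.kerberos.keytab";
    String principalKey = "flume.security.kerberos.principal";
    try {
        // Log in before creating the FileSystem.
        // NOTE(review): tryKerberosLogin logs and swallows login failures, so reaching
        // the next line does not prove that the keytab login succeeded.
        tryKerberosLogin(conf, keytabKey, principalKey);
        // Obtain the HDFS instance.
        instance = FileSystem.get(conf);
    } catch (IOException e) {
        // Nothing in the try block throws URISyntaxException, so only IOException is caught.
        LOG.error("try getFileSystem fail()", e);
    }
    return instance;
}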
二、 通过UserGroupInformation获取代理用户方式
package com.netease.backend.bigdata.wa.jobs;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.log4j.Logger;
import org.hsqldb.lib.StringUtil;
import com.netease.backend.bigdata.wa.core.ConfKeys;
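/**
 * Helper that builds and caches the proxy-user {@link UserGroupInformation}.
 *
 * <p>The real identity is obtained by a keytab login; the returned UGI
 * impersonates the configured user on top of it. Impersonation is only honoured
 * when the cluster allows the real principal to act as a proxy (the
 * {@code hadoop.proxyuser.<user>.hosts} / {@code .groups} settings on the
 * server side); keep those settings as narrow as the job needs.
 *
 * @author zhouliangwei
 */
public class ProxyUGI {
    private static final Logger LOG = Logger.getLogger(ProxyUGI.class);
    // Set once by the first successful call; access is guarded by the synchronized accessor.
    private static UserGroupInformation instance = null;

    /**
     * Reads the proxy-user settings from {@code conf} and returns the matching
     * {@link UserGroupInformation}.
     *
     * <p>The first UGI that is created successfully is cached and returned by every
     * later call, whatever configuration that later call passes.
     * NOTE(review): the cached login is never refreshed here; a long-running
     * process presumably needs to re-login from the keytab before the ticket
     * expires. Confirm against the job's lifetime.
     *
     * @param conf configuration holding {@code ConfKeys.MR_USER_NAME},
     *     {@code ConfKeys.WDA_PROXY_PRINCIPAL} and {@code ConfKeys.WDA_PROXY_KEYTAB}
     * @return the proxy UGI, or {@code null} when one of the three settings is empty
     *     or the keytab login fails; callers must decide whether continuing
     *     without the proxy identity is acceptable
     */
    public synchronized static UserGroupInformation getProxyUGI(Configuration conf) {
        if (instance != null) {
            return instance;
        }
        String username = conf.get(ConfKeys.MR_USER_NAME, "");
        String proxyPrincipal = conf.get(ConfKeys.WDA_PROXY_PRINCIPAL, "");
        String proxyKtab = conf.get(ConfKeys.WDA_PROXY_KEYTAB, "");
        if (StringUtil.isEmpty(username)
                || StringUtil.isEmpty(proxyPrincipal)
                || StringUtil.isEmpty(proxyKtab)) {
            LOG.warn("config properties: ["
                    + ConfKeys.MR_USER_NAME
                    + ", "
                    + ConfKeys.WDA_PROXY_PRINCIPAL
                    + ", "
                    + ConfKeys.WDA_PROXY_KEYTAB
                    + "] in config file './conf/wda-core.xml' must be set!, quite use proxy mechanism");
            return null;
        }
        try {
            // Keytab login yields the real user; createProxyUser layers the impersonated user on it.
            instance = UserGroupInformation.createProxyUser(username,
                    UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                            proxyPrincipal, proxyKtab));
        } catch (IOException ex) {
            // A failed login must be visible: the caller only sees null and may fall
            // back to running without the proxy identity.
            LOG.error("keytab login failed for principal '" + proxyPrincipal
                    + "' with keytab " + proxyKtab + ", no proxy user created", ex);
        }
        return instance;
    }
}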
调用方式
…
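/**
 * Entry point: runs {@code EventJobClient} through {@code ToolRunner}, as the proxy
 * user when one is available, and exits with the tool's return code.
 *
 * @param args command-line arguments handed to {@code ToolRunner}
 * @throws Exception whatever the job or the {@code doAs} call throws
 */
public static void main(final String[] args) throws Exception {
    // NOTE(review): ProxyUGI.getProxyUGI is declared with a Configuration parameter,
    // but this call passes none; the elided part of the file must supply it. Confirm.
    UserGroupInformation ugi = ProxyUGI.getProxyUGI();
    int exitCode;
    if (ugi != null) {
        // Return the exit code from the privileged action and exit once below, instead
        // of exiting inside the action and leaving an unreachable System.exit(1) after it.
        exitCode = ugi.doAs(new PrivilegedExceptionAction<Integer>() {
            @Override
            public Integer run() throws Exception {
                return ToolRunner.run(new EventJobClient(), args);
            }
        });
    } else {
        // NOTE(review): a null UGI means the proxy settings were missing or the keytab
        // login failed; the job then runs under the process's own identity. Confirm this
        // fallback is intended rather than stopping here.
        exitCode = ToolRunner.run(new EventJobClient(), args);
    }
    System.exit(exitCode);
}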
….
文章来源: 网易云社区