java程序中获取kerberos登陆hadoop

本文由作者周梁伟授权网易云社区发布。

一般我们在使用kbs登陆hadoop服务时都直接在shell中调用kinit命令来获取凭证，这种方式简单直接，只要获取一次凭证之后都可以在该会话过程中重复访问。但是这种方式一个明显的问题就是如果在本次shell中会间隔调用不同的java程序，而这些程序需要访问不同权限的问题，需要在访问前调用各自的ktab文件获得授权。这中场景下情况会变得非常复杂，这时如果把kbs认证的过程移到java程序中就会简单很多，每个java程序中获取各自的凭证，及时多个进程同时运行也不会产生相互影响。我这里介绍两种java中获取kbs凭证的方法，分别使用 org.apache.hadoop.security.SecurityUtil 和 org.apache.hadoop.security.UserGroupInformation 两个类实现。

一、    使用ktab文件简单登录方式

登录操作函数

/**

      * 尝试使用kerberos认证登录hfs

      *@params

      *       conf: 配置，其中带有keytab相关配置属性

      *       keytab_KEY: 表示conf中代表keytab文件属性的键值

      *       principal_KEY: 表示conf中代表principal属性的键值

      * @throws IOException

      */

     static void tryKerberosLogin(Configuration conf, String keytab_KEY, String principal_KEY) throws IOException {

          boolean useSec = true;

          LOG.info("Hadoop Security enabled: " + useSec);

          if (!useSec) {

               return;

          }

          try {

               @SuppressWarnings("rawtypes")

               Class c = Class.forName("org.apache.hadoop.security.SecurityUtil");

               // get method login(Configuration, String, String);

               @SuppressWarnings("unchecked")

               Method m = c.getMethod("login", Configuration.class, String.class,

                         String.class);

               m.invoke(null, conf,  keytab_KEY, principal_KEY);

               LOG.info("successfully authenticated with keytab");

          } catch (Exception e) {

               LOG.error(

                         "Flume failed when attempting to authenticate with keytab "

                                   + SimpleConfiguration.get().getKerberosKeytab()

                                   + " and principal '"

                                   + SimpleConfiguration.get().getKerberosPrincipal()

                                   + "'", e);

               return;

          }

     }

配置

...

 <property>

    <name>flume.security.kerberos.principal</name>

    <description></description>

</property>

<property>

    <name>flume.security.kerberos.keytab</name>

    <value>resources/flume.keytab</value>

    <description></description>

</property>

…

Sample

//调用例子

public  FileSystem getFileSystem(Configuration conf) {

               String KEYFILE_key = "flume.security.kerberos.keytab";

               String PRINCIPAL_key = "flume.security.kerberos.principal";

 

               try {

                    // 尝试用kerberos登录

                    tryKerberosLogin(conf, KEYFILE_key, PRINCIPAL_key);

                    // 获取一个hdfs实例

                    instance = FileSystem.get( conf);

               } catch (IOException e) {

                    LOG.error("try getFileSystem fail()", e);

               } catch (URISyntaxException e) {

                    LOG.error("try getFileSystem fail()", e);

               }

          }

          return instance;

     }

二、    通过UserGroupInformation获取代理用户方式

  package com.netease.backend.bigdata.wa.jobs;

 

import java.io.IOException;

 

import org.apache.hadoop.conf.Configuration;

import org.apache.hadoop.fs.Path;

import org.apache.hadoop.security.UserGroupInformation;

import org.apache.log4j.Logger;

import org.hsqldb.lib.StringUtil;

 

import com.netease.backend.bigdata.wa.core.ConfKeys;

 

/**

 * 代理用户信息认证工具

 *

 * @author zhouliangwei

 *

 */

public class ProxyUGI {

 

     private static Logger LOG = Logger.getLogger(ProxyUGI.class);

 

     private static UserGroupInformation instance = null;

     /**

      * 从Configuration中获取代理用户的相关配置，并获取UserGroupInformation

      * @return

      * @throws IOException

      */

     public synchronized static UserGroupInformation getProxyUGI(Configuration conf) {

          if (instance != null)

               return instance;

          try {

               String username = conf.get(ConfKeys.MR_USER_NAME, "");

               String proxyPrincipal = conf.get(ConfKeys.WDA_PROXY_PRINCIPAL, "");

               String proxyKtab = conf.get(ConfKeys.WDA_PROXY_KEYTAB, "");

               if (StringUtil.isEmpty(username)

                         || StringUtil.isEmpty(proxyPrincipal)

                         || StringUtil.isEmpty(proxyKtab)) {

                    LOG.warn("config properties: ["

                              + ConfKeys.MR_USER_NAME

                              + ", "

                              + ConfKeys.WDA_PROXY_PRINCIPAL

                              + ", "

                              + ConfKeys.WDA_PROXY_KEYTAB

                              + "] in config file './conf/wda-core.xml' must be set!, quite use proxy mechanism");

                    return null;

               }

               instance = UserGroupInformation.createProxyUser(username,

                         UserGroupInformation.loginUserFromKeytabAndReturnUGI(

                                   proxyPrincipal, proxyKtab));

          } catch (IOException ex) {

               //just ignore;

          }

          return instance;

     }

}

调用方式

...

public static void main(final String[] args) throws Exception {

          UserGroupInformation ugi = ProxyUGI.getProxyUGI();

          if (ugi != null) {

               ugi.doAs(new PrivilegedExceptionAction<EventJobClient>() {

                    public EventJobClient run() throws Exception {

                         EventJobClient mr = new EventJobClient();

                         int code = ToolRunner.run(mr, args);

                         System.exit(code);

                         return mr;

                    }

               });

               System.exit(1);

          } else {

               int exitCode = ToolRunner.run(new EventJobClient(), args);

               System.exit(exitCode);

          }

     }

….

相关文章：
【推荐】 质量报告之我见