PrestoDB自定义安全认证

1 可行性分析

查看官方文档

 https://prestodb.io/docs/current/develop/password-authenticator.html

After a plugin that implements PasswordAuthenticatorFactory has been installed on the coordinator, it is configured using an etc/password-authenticator.properties file. All of the properties other than access-control.name are specific to the PasswordAuthenticatorFactory implementation.

大致意思：开发一个自定义的plugin，里面实现PasswordAuthenticatorFactory，部署在coordinator

password-authenticator.name=custom-access-control
custom-property1=custom-value1
custom-property2=custom-value2

2 执行逻辑分析

2.1 PrestoDB扫描插件

PluginManager

sudo vi /etc/presto/conf/node.properties 
plugin.dir=/usr/lib/presto/plugin

        for (File file : listFiles(installedPluginsDir)) {
            if (file.isDirectory()) {
                loadPlugin(file.getAbsolutePath());
            }
        }

        for (String plugin : plugins) {
            loadPlugin(plugin);
        }

 

2.2 扫描plugin实现类，并将里面实现PasswordAuthenticatorFactory的class注册到factory里面

原理：ServiceLoader 当外部程序装配该模块时，通过该jar包META-INF/services/里的配置文件找到具体的实现类名，从而完成模块的注入

        ServiceLoader<Plugin> serviceLoader = ServiceLoader.load(Plugin.class, pluginClassLoader);
        List<Plugin> plugins = ImmutableList.copyOf(serviceLoader);
        for (Plugin plugin : plugins) {
            log.info("Installing %s", plugin.getClass().getName());
            installPlugin(plugin);
        }

log.info("Registering password authenticator %s", authenticatorFactory.getName());
passwordAuthenticatorManager.addPasswordAuthenticatorFactory(authenticatorFactory);

factories.putIfAbsent(factory.getName(), factory)

2.3 通过在factory里面初始化一个实现PasswordAuthenticator的class，调用其createAuthenticatedPrincipal方法进行认证

public interface PasswordAuthenticator
{
    /**
     * Authenticate the provided user and password.
     *
     * @return the authenticated entity
     * @throws AccessDeniedException if not allowed
     */
    Principal createAuthenticatedPrincipal(String user, String password);
}

 

3 自定义认证开发

public class NbFilePasswordAuthenticatorPlugin implements Plugin {



public class NbFilePasswordAuthenticatorFactory implements PasswordAuthenticatorFactory {



public class NbFilePasswordAuthenticator implements PasswordAuthenticator {

 

 

4 打包和部署

需要用到dependencies

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <configuration>
                    <archive>
                        <addMavenDescriptor>false</addMavenDescriptor>
                    </archive>
                    <outputDirectory>${project.build.directory}/jars</outputDirectory>
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>copy-dependencies</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>

 

部署

cd /usr/lib/presto/plugin/

sudo mkdir nxb-password-authenticators

复制打包好的jar和依赖到nb-password-authenticators目录里面 （coordinator）

 

sudo vi /usr/lib/presto/etc/password-authenticator.properties

password-authenticator.name=nxb-password-authenticator
file.password-file=/home/hadoop/xxxxx/password-auth.properties

 

打开外部访问的https服务，并配置认证方式

sudo vi /etc/presto/conf/config.properties

http-server.authentication.type=PASSWORD
http-server.https.enabled=true
http-server.https.port=8447
http-server.https.keystore.path=/home/hadoop/xxxxx/my_htpasswd/presto_keystore.jks
http-server.https.keystore.key=xxxxxxx

 

重启服务

sudo systemctl restart   presto-server.service

查看日志