在普通hadoop集群下网上已经有很多讲解,一般参考官方wiki就可以,整体安装也比较简单,这里可以参考。但是在安全集群中,需要通过keberos认证进行策略同步等使用,遇见主要有两个问题:1.策略同步失败;2.测试连接失败;下面提供自己遇见过后的处理方式。
策略同步失败
如果在install.properties中配置的ranger地址为http://...应该不会有这个问题,如果是https,则需要在策略同步时restClient中塞入用户信息;具体代码在RangerRestClient.java中,需要mUsername和mPassword分别有值,hive下:即是使用的hive用户名及其keytab认证文件的地址作为mPassword
hive测试连接失败
java通过keberos连接hive一般如下:
String hiveUserName = "test_hive";//kerberos认证的用户principal名称
String hiveKeytab = ".../xxxxx.keytab";//用户的keytab认证文件
String krbconf = ".../krb5.conf";//kerberos5的配置文件
System.setProperty("java.security.krb5.conf", krbconf);
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(hiveUserName, hiveKeytab);
查阅ranger连接处理核心类:SecureClientLogin,其调用函数:
public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
try {
Subject subject = new Subject();
SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
KerberosName.setRules(nameRules);
subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
login.logout();
login.login();
return login.getSubject();
} catch (LoginException le) {
throw new IOException("Login failure for " + user + " from keytab " + path, le);
}
}
如上ranger源码可以看出并无krb.conf设置,因此在这里重载了这个login逻辑如下:
public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules, String krb5Conf) throws IOException {
try {
Subject subject = new Subject();
SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
loginConf.setConfiguration(new ZKSignerSecretProvider.JaasConfiguration("Client", user, path));
if (!StringUtil.isEmpty(krb5Conf)) {
System.setProperty("java.security.krb5.conf", krb5Conf);
}
System.setProperty("zookeeper.server.principal", "zookeeper/hadoop");
LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
KerberosName.setRules(nameRules);
subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
login.logout();
login.login();
return login.getSubject();
} catch (LoginException le) {
throw new IOException("Login failure for " + user + " from keytab " + path, le);
}
}
调整BaseClient login调用出代码:
protected void login() {
...
if(StringUtils.isEmpty(lookupPrincipal) || StringUtils.isEmpty(lookupKeytab)){
if (userName == null) {
throw createException("Unable to find login username for hadoop environment, [" + serviceName + "]", null);
}
String keyTabFile = configHolder.getKeyTabFile();
if (keyTabFile != null) {
if ( configHolder.isKerberosAuthentication() ) {
LOG.info("Init Login: security enabled, using username/keytab");
loginSubject = SecureClientLogin.loginUserFromKeytab(userName, keyTabFile, nameRules,
connectionProperties.get("java.security.krb5.conf"));
}
else {
LOG.info("Init Login: using username");
loginSubject = SecureClientLogin.login(userName);
}
}
...
service连接界面配置:
testConnection.PNG
在keytabfile和java.security.krb5.conf中指定相关配置地址即可;
网友评论