背景介绍
-
在部署完ranger admin及其ranger hive plugin和hdfs plugin两个插件后,在admin的页面设置了hive的连接地址,但是一直提示如下的错误。
完全无法访问hive的错误
- 经过深入的分析,再结合查看了/etc/ranger/<Service Name>查看到policy为空,可以判断出是由于plugin无法到ranger admin上下载policy到本地,进而导致所有的用户都没有权限访问hive。
- 由于Ranger admin是部署在kerberos环境,那么从plugin这边发起应该是一个SPNEGO请求,不然就会在日志中一直显示如下所示的401错误:
{"httpStatusCode":401,"statusCode":401,"msgDesc":"Authentication Failed"}
- 其它更加详细的描述请看下列的两个issue,描述基本上完全一致,但是都解决不了问题。
问题处理
- 方案1
- 由于无法下载policy,那么整个部署全流程处于完全阻塞的状态,为了有所突破,我打算通过改代码的方式来绕过这个问题。
- 经测试如果在非kerberos http鉴权的情况下,plugin是可以下载到policy的。由于plugin下载policy其实鉴权与否对admin都构成不太大的威胁,所以总体影响应该是可控的。
- 按照下面的代码修改后,重新打包并部署。自此policy能顺利下载ranger admin的policy。
- 代码修改 (org.apache.ranger.admin.client.RangerAdminRESTClient)
//新增了是否使用安全模式的标志位(false表示不关闭认证)
private boolean useSecureModeForPolicyDownload = false;
//新增一般认证方法
protected boolean shouldUseSecureMode(UserGroupInformation user) {
return useSecureModeForPolicyDownload && user != null &&
UserGroupInformation.isSecurityEnabled();
}
//将此类中全部关于鉴权的进行修改
boolean isSecureMode = user != null && UserGroupInformation.isSecurityEnabled();
//改为
boolean isSecureMode = shouldUseSecureMode(user);
- 方案2
- 经过其它的分析后,发现ranger admin能部署在kerberos环境下也是需要依赖某个principal的,因此可以通过下面的java 程序去试探出ranger用的哪个后,通过它去定期,并注意一下的事项。
- 本java程序的作用是测试client principal 访问开启了kerberos http鉴权的server url是否能通。
- Main.java是为程序的主方法,主要是做相关的principal和keytab的定义。
- RequestKerberosUrlUtils.java是主要的测试方法,包括了请求kdc进行验证获取TGT ticker 和 构建SPNEGO请求。
- 特别注意!!这里请求的服务端的hostname一定要和principal的角色名一样(principal组成:用户名/角色@realm域),并配置好相关的hosts,千万不能用ip访问(切记kerberos规则都是用域名的)
package com.xxxxxx.kantlin.kerberos;
import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
public class Main {
public static void main(String[] args) {
params();
}
public static void params() {
//client principal!最好和service principal的一致
String user = "xxxxxx/hive2@<realm>";
//client的keytab文件,没有的话先kinit一下
String keytab = "C:\\\\Users\\\\xxxxx\\\\Desktop\\\\keytab\\\\hive2.keytab";
//kerberos krb5文件(ps:一般机器上都有,找不到的话执行命令:find / -name krb5.conf)
String krb5Location = "C:\\Users\\xxxxx\\Desktop\\keytab\\krb5.conf";
try {
//此处的true为将kerberos设置为debug模式,将打印更多详细日志
RequestKerberosUrlUtils restTest = new RequestKerberosUrlUtils(user, keytab, krb5Location, true);
//此处为开启了kerberos http认证的ranger admin 为例,url中带secure表示运行在高安全模式
//特别重要!!这里请求的hostname一定要和principal的FQDN(hive2)一样,并配置好相关的hosts,千万不能用ip(切记kerberos都是域名)
String url_liststatus = "http://hive2:6080/service/plugins/secure/policies/download/hive2";
HttpResponse response = restTest.callRestUrl(url_liststatus, user);
InputStream is = response.getEntity().getContent();
System.out.println("Status code " + response.getStatusLine().getStatusCode());
System.out.println("message is :" + Arrays.deepToString(response.getAllHeaders()));
System.out.println("string:\n" + new String(IOUtils.toByteArray(is), StandardCharsets.UTF_8));
} catch (Exception exp) {
exp.printStackTrace();
}
}
}
package com.xxxxxx.kantlin.kerberos;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.serializer.SerializerFeature;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.HttpClient;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;
public class RequestKerberosUrlUtils {
private String principal;
private String keyTabLocation;
public RequestKerberosUrlUtils() {
}
public RequestKerberosUrlUtils(String principal, String keyTabLocation) {
super();
this.principal = principal;
this.keyTabLocation = keyTabLocation;
}
public RequestKerberosUrlUtils(String principal, String keyTabLocation, boolean isDebug) {
this(principal, keyTabLocation);
if (isDebug) {
System.setProperty("sun.security.spnego.debug", "true");
System.setProperty("sun.security.krb5.debug", "true");
}
}
public RequestKerberosUrlUtils(String principal, String keyTabLocation, String krb5Location, boolean isDebug) {
this(principal, keyTabLocation, isDebug);
System.setProperty("java.security.krb5.conf", krb5Location);
}
private static HttpClient buildSpengoHttpClient() {
HttpClientBuilder builder = HttpClientBuilder.create();
Lookup<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider>create().
register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
builder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new Credentials() {
@Override
public Principal getUserPrincipal() {
return null;
}
@Override
public String getPassword() {
return null;
}
});
builder.setDefaultCredentialsProvider(credentialsProvider);
CloseableHttpClient httpClient = builder.build();
return httpClient;
}
public HttpResponse callRestUrl(final String url, final String userId) {
System.out.println(String.format("Calling KerberosHttpClient %s %s %s", this.principal, this.keyTabLocation, url));
Configuration config = new Configuration() {
@SuppressWarnings("serial")
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>() {
{
//Krb5 in GSS API needs to be refreshed so it does not throw the error
//Specified version of key is not available
put("useTicketCache", "false");
put("useKeyTab", "true");
put("keyTab", keyTabLocation);
put("refreshKrb5Config", "true");
put("principal", principal);
put("storeKey", "true");
put("doNotPrompt", "true");
put("isInitiator", "true");
put("debug", "true");
}
})};
}
};
Set<Principal> princ = new HashSet<Principal>(1);
princ.add(new KerberosPrincipal(userId));
Subject sub = new Subject(false, princ, new HashSet<Object>(), new HashSet<Object>());
try {
//指定认证模块为Krb5Login
LoginContext lc = new LoginContext("Krb5Login", sub, null, config);
//请求kdc进行client身份认证,如果能通过的话,则可以从TGT获取ticker作为后面二次访问时Authorization: Negotiate的基础
lc.login();
//无报错则表示client身份认证通过,此时可以在Subject对象中看到已经获取了kerberos的ticker
Subject serviceSubject = lc.getSubject();
return Subject.doAs(serviceSubject, new PrivilegedAction<HttpResponse>() {
HttpResponse httpResponse = null;
@Override
public HttpResponse run() {
try {
HttpUriRequest request = new HttpGet(url);
//根据刚刚获取的kerberos的ticker构建Spengo请求,会经历一次401后再带上Negotiate二次请求
HttpClient spnegoHttpClient = buildSpengoHttpClient();
//返回的为二次响应后的结果
httpResponse = spnegoHttpClient.execute(request);
return httpResponse;
} catch (IOException ioe) {
ioe.printStackTrace();
}
return httpResponse;
}
});
} catch (Exception le) {
le.printStackTrace();
}
return null;
}
}
网友评论