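  • Kerberos authentication in Hadoop with a KerberosUtil class

    I searched online and then wrote my own KerberosUtil utility class; I have tested it and it works.

    Note that this is not the org.apache.hadoop.security.authentication.util.KerberosUtil class.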

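    import java.io.IOException;

    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.security.UserGroupInformation;
    import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

    public class KerberosUtil {

        /**
         * Authenticates a user via Kerberos. Note that keytabPath is a local path, not an HDFS path.
         * @param conf       Hadoop configuration
         * @param user       the Hadoop user that runs the jar
         * @param keytabPath local path of the keytab file
         * @throws IOException if the keytab login fails
         */
        public static void AuthenByKerberos(Configuration conf, String user, String keytabPath) throws IOException {
            UserGroupInformation.setConfiguration(conf);
            // Nothing to do when the cluster does not run in secure mode.
            if (!UserGroupInformation.isSecurityEnabled()) {
                return;
            }
            // Mark the current user's authentication method as Kerberos, then log in from the keytab.
            UserGroupInformation.getCurrentUser().setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            UserGroupInformation.loginUserFromKeytab(user, keytabPath);
        }

        /**
         * Authenticates the current login user via Kerberos. Note that keytabPath is a local path, not an HDFS path.
         * @param conf       Hadoop configuration
         * @param keytabPath local path of the keytab file
         * @throws IOException if the keytab login fails
         */
        public static void AuthenByKerberos(Configuration conf, String keytabPath) throws IOException {
            // Use the name of the user Hadoop currently considers logged in.
            String user = UserGroupInformation.getLoginUser().getUserName();
            AuthenByKerberos(conf, user, keytabPath);
        }
    }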

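    In fact, the SecurityUtil.login() call that is commonly used online for login also calls UserGroupInformation.loginUserFromKeytab() in its source; it just does some extra processing first.

    Below is the source of the login() method.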

      /**
       * Login as a principal specified in config. Substitute $host in user's Kerberos principal 
       * name with hostname. If non-secure mode - return. If no keytab available -
       * bail out with an exception
       * 
       * @param conf
       *          conf to use
       * @param keytabFileKey
       *          the key to look for keytab file in conf
       * @param userNameKey
       *          the key to look for user's Kerberos principal name in conf
       * @param hostname
       *          hostname to use for substitution
       * @throws IOException if the config doesn't specify a keytab
       */
      @InterfaceAudience.Public
      @InterfaceStability.Evolving
      public static void login(final Configuration conf,
          final String keytabFileKey, final String userNameKey, String hostname)
          throws IOException {
        
        if(! UserGroupInformation.isSecurityEnabled()) 
          return;
        
        String keytabFilename = conf.get(keytabFileKey);
        if (keytabFilename == null || keytabFilename.length() == 0) {
          throw new IOException("Running in secure mode, but config doesn't have a keytab");
        }
    
        String principalConfig = conf.get(userNameKey, System
            .getProperty("user.name"));
        String principalName = SecurityUtil.getServerPrincipal(principalConfig,
            hostname);
        UserGroupInformation.loginUserFromKeytab(principalName, keytabFilename);
      }

    Also: to authenticate from a Linux shell, run kinit -kt /home/..../cluster_keytab/fileName.keytab   userName   (use your own keytab file and user name).
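
    An added example, not code from the original post or from Hadoop: a variant of the keytab login above that first checks that the keytab is a local, owner-only file and applies the same hostname substitution as SecurityUtil.login(). The class name CheckedKeytabLogin and its methods are hypothetical, and a POSIX filesystem is assumed.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

/** Hypothetical helper, not part of Hadoop or the original post. Assumes a POSIX filesystem. */
public class CheckedKeytabLogin {

    /** A keytab holds long-term keys, so accept it only as an owner-only local regular file. */
    static Path checkKeytab(String keytabPath) throws IOException {
        Path p = Paths.get(keytabPath).toAbsolutePath().normalize();
        // Symbolic links are refused so the file that was checked is the file that gets read.
        if (!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS) || !Files.isReadable(p)) {
            throw new IOException("Keytab is not a readable local regular file: " + p);
        }
        boolean tooOpen = Files.getPosixFilePermissions(p).stream().anyMatch(perm ->
                perm != PosixFilePermission.OWNER_READ && perm != PosixFilePermission.OWNER_WRITE);
        if (tooOpen) {
            throw new IOException("Keytab permissions are wider than owner read/write: " + p);
        }
        return p;
    }

    /** Returns a UGI for the principal without replacing the process-wide login user. */
    static UserGroupInformation login(Configuration conf, String principal, String keytabPath)
            throws IOException {
        UserGroupInformation.setConfiguration(conf);
        if (!UserGroupInformation.isSecurityEnabled()) {
            return UserGroupInformation.getCurrentUser(); // non-secure mode: no Kerberos login
        }
        Path keytab = checkKeytab(keytabPath);
        // Same hostname substitution that SecurityUtil.login() applies to the principal.
        String resolved = SecurityUtil.getServerPrincipal(principal,
                InetAddress.getLocalHost().getCanonicalHostName());
        return UserGroupInformation.loginUserFromKeytabAndReturnUGI(resolved, keytab.toString());
    }

    public static void main(String[] args) throws Exception {
        UserGroupInformation ugi = login(new Configuration(), args[0], args[1]); // principal, keytab
        System.out.println(ugi.getUserName() + " via " + ugi.getAuthenticationMethod());
    }
}
```

    Cluster calls then run inside ugi.doAs(...), so the keytab identity is used only where it is needed.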

  • Original article: https://www.cnblogs.com/yanghaolie/p/9082517.html