zoukankan      html  css  js  c++  java
  • hadoop KerberosUtil 做Kerberos认证

    网上找了一下,自己写了个KerberosUtil工具类,测试过可以用。

    注意这个不是 org.apache.hadoop.security.authentication.util.KerberosUtil类。

    public class KerberosUtil {
        
        /**
         * 通过Kerberos认证用户的,注意keytabPath为本地路径不是HDFS路径
         * @param conf
         * @param user  user为运行jar的hadoop用户
         * @param keytabPath
         * @throws IOException
         */
        public static void AuthenByKerberos(Configuration conf,String user,String keytabPath) throws IOException{
            UserGroupInformation.setConfiguration(conf);
             if(! UserGroupInformation.isSecurityEnabled()) 
                  return;
            UserGroupInformation.getCurrentUser().setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            UserGroupInformation.loginUserFromKeytab(user,keytabPath);
        }
        
        /**
         * 通过Kerberos认证用户的,注意keytabPath为本地路径不是HDFS路径
         * @param conf
         * @param keytabPath
         * @throws IOException
         */
        public static void AuthenByKerberos(Configuration conf,String keytabPath) throws IOException{
            String user=UserGroupInformation.getLoginUser().getUserName();
            AuthenByKerberos(conf,user,keytabPath);
        }
    }

    其实网上用的SecurityUtil.login()登录验证,源码中也是调用 UserGroupInformation.loginUserFromKeytab(),只不过多做了一些处理。

    下面是login()方法的源码。

      /**
       * Login as a principal specified in config. Substitute $host in user's Kerberos principal 
       * name with hostname. If non-secure mode - return. If no keytab available -
       * bail out with an exception
       * 
       * @param conf
       *          conf to use
       * @param keytabFileKey
       *          the key to look for keytab file in conf
       * @param userNameKey
       *          the key to look for user's Kerberos principal name in conf
       * @param hostname
       *          hostname to use for substitution
       * @throws IOException if the config doesn't specify a keytab
       */
      @InterfaceAudience.Public
      @InterfaceStability.Evolving
      public static void login(final Configuration conf,
          final String keytabFileKey, final String userNameKey, String hostname)
          throws IOException {
        
        if(! UserGroupInformation.isSecurityEnabled()) 
          return;
        
        String keytabFilename = conf.get(keytabFileKey);
        if (keytabFilename == null || keytabFilename.length() == 0) {
          throw new IOException("Running in secure mode, but config doesn't have a keytab");
        }
    
        String principalConfig = conf.get(userNameKey, System
            .getProperty("user.name"));
        String principalName = SecurityUtil.getServerPrincipal(principalConfig,
            hostname);
        UserGroupInformation.loginUserFromKeytab(principalName, keytabFilename);
      }

    另:在linux 的shell窗口做认证命令kinit -kt /home/..../cluster_keytab/fileName.keytab   userName   (写自己的认证文件和用户名)

  • 相关阅读:
    创建视图与触发器
    Ubuntu 安装JDK
    Ubuntu maven 配置
    Ubuntu Navicat for MySQL安装以及破解方案
    jquery input 选择器
    eclipse maven编译项目
    Eclipse @override报错
    jQuery Ajax 实例 ($.ajax、$.post、$.get)
    如何防止表单重复提交(转)
    用bit字段来判断性别等
  • 原文地址:https://www.cnblogs.com/yanghaolie/p/9082517.html
Copyright © 2011-2022 走看看