hadoop KerberosUtil 做Kerberos认证
网上找了一下,自己写了个KerberosUtil工具类,测试过可以用。
注意这个不是 org.apache.hadoop.security.authentication.util.KerberosUtil类。
public class KerberosUtil { /** * 通过Kerberos认证用户的,注意keytabPath为本地路径不是HDFS路径 * @param conf * @param user user为运行jar的hadoop用户 * @param keytabPath * @throws IOException */ public static void AuthenByKerberos(Configuration conf,String user,String keytabPath) throws IOException{ UserGroupInformation.setConfiguration(conf); if(! UserGroupInformation.isSecurityEnabled()) return; UserGroupInformation.getCurrentUser().setAuthenticationMethod(AuthenticationMethod.KERBEROS); UserGroupInformation.loginUserFromKeytab(user,keytabPath); } /** * 通过Kerberos认证用户的,注意keytabPath为本地路径不是HDFS路径 * @param conf * @param keytabPath * @throws IOException */ public static void AuthenByKerberos(Configuration conf,String keytabPath) throws IOException{ String user=UserGroupInformation.getLoginUser().getUserName(); AuthenByKerberos(conf,user,keytabPath); } }
其实网上用的SecurityUtil.login()登录验证,源码中也是调用 UserGroupInformation.loginUserFromKeytab(),只不过多做了一些处理。
下面是login()方法的源码。
/** * Login as a principal specified in config. Substitute $host in user's Kerberos principal * name with hostname. If non-secure mode - return. If no keytab available - * bail out with an exception * * @param conf * conf to use * @param keytabFileKey * the key to look for keytab file in conf * @param userNameKey * the key to look for user's Kerberos principal name in conf * @param hostname * hostname to use for substitution * @throws IOException if the config doesn't specify a keytab */ @InterfaceAudience.Public @InterfaceStability.Evolving public static void login(final Configuration conf, final String keytabFileKey, final String userNameKey, String hostname) throws IOException { if(! UserGroupInformation.isSecurityEnabled()) return; String keytabFilename = conf.get(keytabFileKey); if (keytabFilename == null || keytabFilename.length() == 0) { throw new IOException("Running in secure mode, but config doesn't have a keytab"); } String principalConfig = conf.get(userNameKey, System .getProperty("user.name")); String principalName = SecurityUtil.getServerPrincipal(principalConfig, hostname); UserGroupInformation.loginUserFromKeytab(principalName, keytabFilename); }
另:在linux 的shell窗口做认证命令kinit -kt /home/..../cluster_keytab/fileName.keytab userName (写自己的认证文件和用户名)