MapReduce服务 MRS-MRS组件应用安全认证说明:Kerberos认证代码示例

时间:2025-02-12 15:00:33

Kerberos认证代码示例

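package com.huawei.bigdata.hdfs.examples;

import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Paths;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Minimal HDFS client that authenticates with a keytab before touching the file system.
 *
 * <p>The client reads {@code hdfs-site.xml}, {@code core-site.xml}, {@code krb5.conf} and
 * {@code user.keytab} from the classpath, logs in when the cluster configuration asks for
 * Kerberos, and then queries the status of {@code /tmp}.
 *
 * <p>Security note: a keytab holds the long-term keys of its principal, so anyone who can read
 * the file can authenticate as that principal. Keep it readable only by the account that runs
 * this client, and keep it out of source control and out of shared build artifacts.
 */
public class KerberosTest {
    private static final String PATH_TO_HDFS_SITE_XML = resourcePath("hdfs-site.xml");
    private static final String PATH_TO_CORE_SITE_XML = resourcePath("core-site.xml");
    private static final String PATH_TO_KEYTAB = resourcePath("user.keytab");
    private static final String PATH_TO_KRB5_CONF = resourcePath("krb5.conf");

    /** Kerberos principal the keytab belongs to. */
    private static final String PRINCIPAL_NAME = "develop";

    private FileSystem fs;
    private Configuration conf;

    /**
     * Resolves a classpath resource to a path on the local disk.
     *
     * <p>The URL is converted through a URI so that percent-encoded characters (for example a
     * space in a directory name) are decoded; {@code URL.getPath()} would hand the encoded form
     * to code that expects a real file name.
     *
     * @param name resource name relative to the classpath root
     * @return the local file-system path of the resource
     * @throws IllegalStateException if the resource is missing or is not a plain file on disk
     */
    private static String resourcePath(String name) {
        URL url = KerberosTest.class.getClassLoader().getResource(name);
        if (url == null) {
            throw new IllegalStateException("Required resource not found on classpath: " + name);
        }
        // The keytab and krb5.conf are handed on as file names, so a resource packed
        // inside a jar cannot be used here.
        if (!"file".equals(url.getProtocol())) {
            throw new IllegalStateException("Resource must be a plain file on disk: " + url);
        }
        try {
            return Paths.get(url.toURI()).toString();
        } catch (URISyntaxException e) {
            throw new IllegalStateException("Cannot resolve resource path: " + url, e);
        }
    }

    /**
     * Builds the Hadoop configuration from the two site files found on the classpath.
     */
    private void initConf() {
        conf = new Configuration();

        // add configuration files
        conf.addResource(new Path(PATH_TO_HDFS_SITE_XML));
        conf.addResource(new Path(PATH_TO_CORE_SITE_XML));
    }

    /**
     * Logs in from the keytab when the cluster is in security mode.
     *
     * <p>The login is skipped when {@code hadoop.security.authentication} is not
     * {@code kerberos}. A missing or wrong client configuration therefore makes the client run
     * without Kerberos, so the skip is reported on stderr instead of passing silently.
     *
     * @throws IOException if the keytab login fails
     */
    private void login() throws IOException {
        // not security mode, just return
        if (!"kerberos".equalsIgnoreCase(conf.get("hadoop.security.authentication"))) {
            System.err.println(
                    "hadoop.security.authentication is not 'kerberos'; skipping Kerberos login");
            return;
        }

        // security mode: point the JVM at the realm/KDC settings, then log in
        System.setProperty("java.security.krb5.conf", PATH_TO_KRB5_CONF);

        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(PRINCIPAL_NAME, PATH_TO_KEYTAB);
    }

    /**
     * Obtains the {@link FileSystem} handle for the loaded configuration.
     *
     * @throws IOException if the file system cannot be created
     */
    private void initFileSystem() throws IOException {
        fs = FileSystem.get(conf);
    }

    /**
     * Example HDFS access: prints the status of {@code /tmp}.
     *
     * @throws IOException if the status lookup fails
     */
    private void doSth() throws IOException {
        Path path = new Path("/tmp");
        FileStatus fStatus = fs.getFileStatus(path);
        System.out.println("Status of " + path + " is " + fStatus);
        // other thing
    }

    /**
     * Releases the file system handle if one was opened.
     *
     * @throws IOException if closing fails
     */
    private void close() throws IOException {
        if (fs != null) {
            fs.close();
        }
    }

    /**
     * Runs the example: load configuration, log in, open the file system, query {@code /tmp}.
     *
     * @param args unused
     * @throws Exception if any step fails
     */
    public static void main(String[] args) throws Exception {
        KerberosTest test = new KerberosTest();
        try {
            test.initConf();
            test.login();
            test.initFileSystem();
            test.doSth();
        } finally {
            // close the handle even when a step above throws
            test.close();
        }
    }
}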
  • 进行Kerberos认证时,需要配置认证所需的文件和参数,主要包括keytab文件路径、Kerberos认证的用户名称以及客户端配置文件“krb5.conf”。keytab文件等同于该用户的登录凭据,应限制其访问权限,并避免提交到代码仓库。
  • login()方法为调用hadoop的接口执行Kerberos认证,生成TGT票据。
  • doSth()方法调用hadoop的接口访问文件系统,此时底层RPC会自动携带TGT去Kerberos认证,生成ST票据。
  • 可在安全模式下的HDFS二次开发样例工程中创建KerberosTest.java并写入以上代码,运行后查看调测结果,具体操作过程请参考《HDFS开发指南(安全模式)》。
support.huaweicloud.com/devg-lts-mrs/mrs_07_020001.html