Ranger通过keberos认证安装Hive插件

在普通hadoop集群下网上已经有很多讲解，一般参考官方wiki就可以，整体安装也比较简单，这里可以参考。但是在安全集群中，需要通过keberos认证进行策略同步等使用，遇见主要有两个问题：1.策略同步失败；2.测试连接失败；下面提供自己遇见过后的处理方式。

策略同步失败

如果在install.properties中配置的ranger地址为http://...应该不会有这个问题，如果是https，则需要在策略同步时restClient中塞入用户信息；具体代码在RangerRestClient.java中，需要mUsername和mPassword分别有值，hive下：即是使用的hive用户名及其keytab认证文件的地址作为mPassword

hive测试连接失败

java通过keberos连接hive一般如下：

    String hiveUserName = "test_hive";//kerberos认证的用户principal名称
    String hiveKeytab = ".../xxxxx.keytab";//用户的keytab认证文件
    String krbconf = ".../krb5.conf";//kerberos5的配置文件
 
    System.setProperty("java.security.krb5.conf", krbconf);
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "Kerberos");
    UserGroupInformation.setConfiguration(conf);
    UserGroupInformation.loginUserFromKeytab(hiveUserName, hiveKeytab);

查阅ranger连接处理核心类：SecureClientLogin，其调用函数：

public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules) throws IOException {
        try {
            Subject subject = new Subject();
            SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
            LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
            KerberosName.setRules(nameRules);
            subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
            login.logout();
            login.login();
            return login.getSubject();
        } catch (LoginException le) {
            throw new IOException("Login failure for " + user + " from keytab " + path, le);
        }
    }

如上ranger源码可以看出并无krb.conf设置，因此在这里重载了这个login逻辑如下：

public synchronized static Subject loginUserFromKeytab(String user, String path, String nameRules, String krb5Conf) throws IOException {
        try {
            Subject subject = new Subject();
            SecureClientLoginConfiguration loginConf = new SecureClientLoginConfiguration(true, user, path);
            loginConf.setConfiguration(new ZKSignerSecretProvider.JaasConfiguration("Client", user, path));
            if (!StringUtil.isEmpty(krb5Conf)) {
                System.setProperty("java.security.krb5.conf", krb5Conf);
            }
            System.setProperty("zookeeper.server.principal", "zookeeper/hadoop");
            LoginContext login = new LoginContext("hadoop-keytab-kerberos", subject, null, loginConf);
            KerberosName.setRules(nameRules);
            subject.getPrincipals().add(new User(user, AuthenticationMethod.KERBEROS, login));
            login.logout();
            login.login();
            return login.getSubject();
        } catch (LoginException le) {
            throw new IOException("Login failure for " + user + " from keytab " + path, le);
        }
    }

调整BaseClient login调用出代码：

 protected void login() {
...
    if(StringUtils.isEmpty(lookupPrincipal) || StringUtils.isEmpty(lookupKeytab)){
         if (userName == null) {
            throw createException("Unable to find login username for hadoop environment, [" + serviceName + "]", null);
         }
         String keyTabFile = configHolder.getKeyTabFile();
         if (keyTabFile != null) {
             if ( configHolder.isKerberosAuthentication() ) {
                 LOG.info("Init Login: security enabled, using username/keytab");

                 loginSubject = SecureClientLogin.loginUserFromKeytab(userName, keyTabFile, nameRules,
                                 connectionProperties.get("java.security.krb5.conf"));
                 }
                 else {
                     LOG.info("Init Login: using username");
                     loginSubject = SecureClientLogin.login(userName);
                     }
                 }
...

service连接界面配置：

testConnection.PNG

在keytabfile和java.security.krb5.conf中指定相关配置地址即可；

Ranger通过keberos认证安装Hive插件

策略同步失败

hive测试连接失败

你可能感兴趣的:(Ranger通过keberos认证安装Hive插件)