
zyfd 2018-12-14 14:51 原文


一般我们在使用kbs登陆hadoop服务时都直接在shell中调用kinit命令来获取凭证,这种方式简单直接,只要获取一次凭证之后都可以在该会话过程中重复访问。但是这种方式一个明显的问题就是如果在本次shell中会间隔调用不同的java程序,而这些程序需要不同的访问权限,就需要在访问前调用各自的ktab文件获得授权。这种场景下情况会变得非常复杂,这时如果把kbs认证的过程移到java程序中就会简单很多,每个java程序中获取各自的凭证,即使多个进程同时运行也不会产生相互影响。我这里介绍两种java中获取kbs凭证的方法,分别使用 org.apache.hadoop.security.SecurityUtil 和 org.apache.hadoop.security.UserGroupInformation 两个类实现。

一、    使用ktab文件简单登录方式



     /**
      * 尝试使用kerberos认证登录hdfs
      *
      *       conf: 配置,其中带有keytab相关配置属性
      *       keytab_KEY: 表示conf中代表keytab文件属性的键值
      *       principal_KEY: 表示conf中代表principal属性的键值
      *
      * @throws IOException
      */


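     static void tryKerberosLogin(Configuration conf, String keytab_KEY, String principal_KEY) throws IOException {
          // Logs this process in from a keytab by calling
          // org.apache.hadoop.security.SecurityUtil.login(conf, keytab_KEY, principal_KEY).
          // keytab_KEY and principal_KEY are the NAMES of the conf properties that hold
          // the keytab path and the principal; they are not the values themselves.
          //
          // Throws IOException when the login cannot be performed. Failing here keeps
          // the caller from carrying on under whatever identity the process already
          // has (for example a ticket cache left by an earlier kinit in the same
          // shell) after its own keytab login has failed.
          //
          // The page's listing lost several lines (closing braces, the last getMethod
          // argument, the LOG.error( opener); they are restored below.

          // NOTE(review): hard-coded in this listing, so the early return never runs.
          boolean useSec = true;
          LOG.info("Hadoop Security enabled: " + useSec);
          if (!useSec) {
               return;
          }

          try {
               // Looked up by name instead of linked directly; presumably so the class
               // still loads against Hadoop builds without SecurityUtil - confirm.
               Class<?> c = Class.forName("org.apache.hadoop.security.SecurityUtil");
               // get method login(Configuration, String, String);
               Method m = c.getMethod("login", Configuration.class, String.class,
                         String.class);
               // login is static, hence the null receiver.
               m.invoke(null, conf, keytab_KEY, principal_KEY);
               LOG.info("successfully authenticated with keytab");
          } catch (Exception e) {
               // Report the keytab and principal this call actually used (read from
               // the conf that was passed in), not values from an unrelated global
               // configuration object.
               String msg = "Flume failed when attempting to authenticate with keytab "
                         + conf.get(keytab_KEY)
                         + " and principal '"
                         + conf.get(principal_KEY)
                         + "'";
               LOG.error(msg, e);
               // Keep the cause: reflection wraps the real Kerberos error in an
               // InvocationTargetException.
               throw new IOException(msg, e);
          }
     }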

















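/**
 * Performs the Kerberos keytab login and then obtains a FileSystem for {@code conf}.
 *
 * <p>The keytab path and principal are read from the conf properties
 * {@code flume.security.kerberos.keytab} and {@code flume.security.kerberos.principal}.
 *
 * <p>NOTE(review): when the login or {@code FileSystem.get} throws, the error is only
 * logged and the method returns whatever {@code instance} held before the call. That
 * may be {@code null}, or a FileSystem obtained under an earlier login, so callers
 * must not assume the returned handle belongs to the principal configured in
 * {@code conf}.
 *
 * @param conf Hadoop configuration carrying the two Kerberos properties above
 * @return the cached {@code instance} field, refreshed only when login and lookup succeed
 */
public FileSystem getFileSystem(Configuration conf) {
    // Names of the conf properties, not the keytab path / principal themselves.
    String KEYFILE_key = "flume.security.kerberos.keytab";
    String PRINCIPAL_key = "flume.security.kerberos.principal";

    try {
        // Authenticate first so the FileSystem is created under the keytab identity.
        tryKerberosLogin(conf, KEYFILE_key, PRINCIPAL_key);
        instance = FileSystem.get(conf);
    } catch (IOException e) {
        // The listing also caught URISyntaxException, which neither call in this try
        // block declares; javac rejects a catch for a checked exception that cannot
        // be thrown, so that clause is dropped.
        LOG.error("try getFileSystem fail()", e);
    }

    return instance;
}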


二、    通过UserGroupInformation获取代理用户方式

  package com.netease.backend.bigdata.wa.jobs;


import java.io.IOException;


import org.apache.hadoop.conf.Configuration;

import org.apache.hadoop.fs.Path;

import org.apache.hadoop.security.UserGroupInformation;

import org.apache.log4j.Logger;

import org.hsqldb.lib.StringUtil;


import com.netease.backend.bigdata.wa.core.ConfKeys;



/**
 * 代理用户信息认证工具
 *
 * @author zhouliangwei
 */



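public class ProxyUGI {
    // Builds, once per JVM, a proxy-user UserGroupInformation whose real user is
    // logged in from a keytab. The page's listing lost several lines (closing
    // braces and one call); they are restored below and marked where inferred.

    private static final Logger LOG = Logger.getLogger(ProxyUGI.class);

    // Cached result of the first successful getProxyUGI call; stays null until then.
    private static UserGroupInformation instance = null;

    /**
     * Reads the proxy-user settings from {@code conf} and returns the proxy UGI.
     *
     * <p>The UGI is created on the first successful call and cached; once it is set,
     * {@code conf} is no longer consulted, so a later call with a different
     * configuration still gets the first identity.
     *
     * <p>Whether the cluster accepts the impersonation is decided on the server
     * side (Hadoop's proxy-user settings); this method only builds the client-side
     * object.
     *
     * @param conf configuration holding {@code ConfKeys.MR_USER_NAME},
     *             {@code ConfKeys.WDA_PROXY_PRINCIPAL} and {@code ConfKeys.WDA_PROXY_KEYTAB}
     * @return the proxy UGI, or {@code null} when a setting is missing or the keytab
     *         login fails; a caller that keeps going on {@code null} runs under the
     *         process's own identity, not the proxy user
     */
    public static synchronized UserGroupInformation getProxyUGI(Configuration conf) {
        if (instance != null) {
            return instance;
        }

        // Read outside the try block so the catch clause can name the principal.
        String username = conf.get(ConfKeys.MR_USER_NAME, "");
        String proxyPrincipal = conf.get(ConfKeys.WDA_PROXY_PRINCIPAL, "");
        String proxyKtab = conf.get(ConfKeys.WDA_PROXY_KEYTAB, "");

        if (StringUtil.isEmpty(username)
                || StringUtil.isEmpty(proxyPrincipal)
                || StringUtil.isEmpty(proxyKtab)) {
            LOG.warn("config properties: ["
                    + ConfKeys.MR_USER_NAME
                    + ", "
                    + ConfKeys.WDA_PROXY_PRINCIPAL
                    + ", "
                    + ConfKeys.WDA_PROXY_KEYTAB
                    + "] in config file './conf/wda-core.xml' must be set!, quite use proxy mechanism");
            return null;
        }

        try {
            // Restored line: the page dropped the text between "createProxyUser(username,"
            // and "proxyPrincipal, proxyKtab));". loginUserFromKeytabAndReturnUGI(principal,
            // keytabPath) is the UserGroupInformation call that fits those two arguments.
            instance = UserGroupInformation.createProxyUser(username,
                    UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                            proxyPrincipal, proxyKtab));
        } catch (IOException ex) {
            // The listing ignored this exception. A failed keytab login is the
            // difference between running as the proxy user and running as someone
            // else, so it must at least reach the log.
            LOG.error("keytab login for proxy principal '" + proxyPrincipal
                    + "' failed, no proxy UGI created", ex);
        }

        return instance;
    }
}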





/**
 * Example entry point: runs EventJobClient through ToolRunner, inside the proxy
 * UGI's doAs when one is available and directly otherwise.
 *
 * NOTE(review): this listing is truncated on the page. The closing lines of run(),
 * of the anonymous class, of the doAs(...) call and of main itself are missing, and
 * further statements may have been lost with them.
 */
public static void main(final String[] args) throws Exception {

          // NOTE(review): ProxyUGI.getProxyUGI as listed on this page takes a
          // Configuration argument; this call passes none - confirm which version is meant.
          UserGroupInformation ugi = ProxyUGI.getProxyUGI();

          if (ugi != null) {

               // doAs runs the action with ugi (the proxy user) as the effective Hadoop identity.
               ugi.doAs(new PrivilegedExceptionAction<EventJobClient>() {

                    public EventJobClient run() throws Exception {

                         EventJobClient mr = new EventJobClient();

                         int code = ToolRunner.run(mr, args);

                         // NOTE(review): code is not used in the lines that survive here.

                         return mr;

                    // (closing lines of run(), the anonymous class and doAs(...) are missing here)



          } else {

               // ugi == null (proxy settings missing, or the keytab login failed inside
               // getProxyUGI): the job still runs, under the process's current identity.
               // NOTE(review): a deployment that requires the proxy identity should stop here instead.
               int exitCode = ToolRunner.run(new EventJobClient(), args);





