benjobs pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git
The following commit(s) were added to refs/heads/dev by this push:
new bceed8e48 [improve] keberos auth improve (#2834)
bceed8e48 is described below
commit bceed8e48b5d76e84e354886d1cc5f19f007ec8d
Author: zhoulii <[email protected]>
AuthorDate: Fri Jul 7 10:07:47 2023 +0800
[improve] keberos auth improve (#2834)
Co-authored-by: zhoulii <[email protected]>
---
.../conf/streampark-console-config/kerberos.yml | 4 --
.../streampark/common/util/HadoopUtils.scala | 64 ++++++++++++----------
.../src/main/resources/kerberos.yml | 4 --
3 files changed, 35 insertions(+), 37 deletions(-)
diff --git a/deploy/helm/streampark/conf/streampark-console-config/kerberos.yml
b/deploy/helm/streampark/conf/streampark-console-config/kerberos.yml
index 6a5e0ccab..002d0071c 100755
--- a/deploy/helm/streampark/conf/streampark-console-config/kerberos.yml
+++ b/deploy/helm/streampark/conf/streampark-console-config/kerberos.yml
@@ -24,7 +24,3 @@ security:
principal:
krb5:
keytab:
-java:
- security:
- krb5:
- conf:
diff --git
a/streampark-common/src/main/scala/org/apache/streampark/common/util/HadoopUtils.scala
b/streampark-common/src/main/scala/org/apache/streampark/common/util/HadoopUtils.scala
index fe104c295..7616952b8 100644
---
a/streampark-common/src/main/scala/org/apache/streampark/common/util/HadoopUtils.scala
+++
b/streampark-common/src/main/scala/org/apache/streampark/common/util/HadoopUtils.scala
@@ -61,12 +61,6 @@ object HadoopUtils extends Logger {
lazy val hadoopUserName: String =
InternalConfigHolder.get(CommonConfig.STREAMPARK_HADOOP_USER_NAME)
- private[this] lazy val debugKerberos =
- kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_DEBUG, "false")
-
- private[this] lazy val configurationCache: util.Map[String, Configuration] =
- new ConcurrentHashMap[String, Configuration]()
-
private[this] lazy val kerberosConf: Map[String, String] =
SystemPropertyUtils.get(ConfigConst.KEY_APP_HOME, null) match {
case null =>
@@ -81,16 +75,30 @@ object HadoopUtils extends Logger {
} else null
}
+ private[this] lazy val kerberosDebug =
+ kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_DEBUG, "false")
+
+ private[this] lazy val kerberosEnable =
+ kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_ENABLE, "false").toBoolean
+
+ private[this] lazy val kerberosPrincipal =
+ kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_PRINCIPAL, "").trim
+
+ private[this] lazy val kerberosKeytab =
+ kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_KEYTAB, "").trim
+
+ private[this] lazy val kerberosKrb5 =
+ kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_KRB5_CONF, "")
+
+ private[this] lazy val configurationCache: util.Map[String, Configuration] =
+ new ConcurrentHashMap[String, Configuration]()
+
def getUgi(): UserGroupInformation = {
if (ugi == null) {
- ugi = {
- val enableString =
kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_ENABLE, "false")
- val kerberosEnable = Try(enableString.trim.toBoolean).getOrElse(false)
- if (kerberosEnable) {
- kerberosLogin()
- } else {
- UserGroupInformation.createRemoteUser(hadoopUserName)
- }
+ ugi = if (kerberosEnable) {
+ getKerberosUGI()
+ } else {
+ UserGroupInformation.createRemoteUser(hadoopUserName)
}
}
ugi
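Review bot: The new `kerberosEnable` lazy val calls `.toBoolean` directly on the configured string, where the removed code used `Try(enableString.trim.toBoolean).getOrElse(false)`; a value with stray whitespace, or any spelling other than true/false, now throws `IllegalArgumentException` out of `getUgi()` instead of being treated as "false". Failing loudly is arguably safer than the old silent fall-back to `UserGroupInformation.createRemoteUser(hadoopUserName)`, but the value should at least be trimmed: `kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_ENABLE, "false").trim.toBoolean`. `kerberosKrb5` also lost the `.trim` that the removed `krb5` local had, so a padded path would be written verbatim into `java.security.krb5.conf` by `getKerberosUGI()`; `kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_KRB5_CONF, "").trim` restores it. A one-line comment on `kerberosEnable` saying that an unparsable value is an error rather than "Kerberos off" would make the intended behaviour explicit.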
@@ -187,30 +195,28 @@ object HadoopUtils extends Logger {
ugi = null
}
- private[this] def kerberosLogin(): UserGroupInformation = {
+ private[this] def getKerberosUGI(): UserGroupInformation = {
logInfo("kerberos login starting....")
- val principal = kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_PRINCIPAL,
"").trim
- val keytab = kerberosConf.getOrElse(KEY_SECURITY_KERBEROS_KEYTAB, "").trim
+
require(
- principal.nonEmpty && keytab.nonEmpty,
+ kerberosPrincipal.nonEmpty && kerberosKeytab.nonEmpty,
s"$KEY_SECURITY_KERBEROS_PRINCIPAL and $KEY_SECURITY_KERBEROS_KEYTAB
must not be empty")
- val krb5 = kerberosConf
- .getOrElse(
- KEY_SECURITY_KERBEROS_KRB5_CONF,
- kerberosConf.getOrElse(KEY_JAVA_SECURITY_KRB5_CONF, ""))
- .trim
+ System.setProperty("javax.security.auth.useSubjectCredsOnly", "false")
- if (krb5.nonEmpty) {
- System.setProperty("java.security.krb5.conf", krb5)
- System.setProperty("java.security.krb5.conf.path", krb5)
+ if (kerberosKrb5.nonEmpty) {
+ System.setProperty("java.security.krb5.conf", kerberosKrb5)
+ System.setProperty("java.security.krb5.conf.path", kerberosKrb5)
}
- System.setProperty("sun.security.spnego.debug", debugKerberos)
- System.setProperty("sun.security.krb5.debug", debugKerberos)
+
+ System.setProperty("sun.security.spnego.debug", kerberosDebug)
+ System.setProperty("sun.security.krb5.debug", kerberosDebug)
hadoopConf.set(KEY_HADOOP_SECURITY_AUTHENTICATION, KEY_KERBEROS)
+
Try {
UserGroupInformation.setConfiguration(hadoopConf)
- val ugi =
UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab)
+ val ugi =
+
UserGroupInformation.loginUserFromKeytabAndReturnUGI(kerberosPrincipal,
kerberosKeytab)
UserGroupInformation.setLoginUser(ugi)
logInfo("kerberos authentication successful")
ugi
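Review bot: The added `System.setProperty("javax.security.auth.useSubjectCredsOnly", "false")` is a JVM-wide switch set unconditionally on every call, and nothing in the hunk says why it is needed. With it set to false, the JGSS layer may obtain credentials from outside the current Subject, which affects every GSS-API consumer in the process and not only this keytab login. It deserves a comment such as `// JVM-wide: lets JGSS look for credentials outside the current Subject; needed for <reason>` and, if feasible, should be set only when the property is not already configured. The two debug properties are process-wide as well: when `kerberosDebug` is true the JDK writes Kerberos trace output to stdout, so a comment marking that flag as troubleshooting-only would help operators. The `Try { … }` block and the end of `getKerberosUGI()` lie outside the hunk, so how a failed login is surfaced cannot be judged from here.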
diff --git
a/streampark-console/streampark-console-service/src/main/resources/kerberos.yml
b/streampark-console/streampark-console-service/src/main/resources/kerberos.yml
index 6a5e0ccab..002d0071c 100644
---
a/streampark-console/streampark-console-service/src/main/resources/kerberos.yml
+++
b/streampark-console/streampark-console-service/src/main/resources/kerberos.yml
@@ -24,7 +24,3 @@ security:
principal:
krb5:
keytab:
-java:
- security:
- krb5:
- conf: