问题
I want to use Oozie with a Java Action which needs to use Kerberos. I have my keytab in HDFS. How could I say that the file is in HDFS?
Configuration conf = new Configuration();
conf.set("hadoop.security.authentication", "Kerberos");
UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);
I have tried with a path like hdfs://xxxx:8020/tmp/myKeytab.keytab and I set conf.set("fs.defaultFS", "hdfs://server:8020"); as well but it doesn't work.
回答1:
Hadoop delegation tokens work only for YARN and HDFS, and they expire after 7 days. For all other services -- especially HBase (via ZooKeeper), HiveServer2 (directly or via ZooKeeper), Hive Metastore (inside Hive CLI) -- you need to authenticate directly. For long-running services, you need to re-authenticate periodically to renew the delegation token (if you rely on Slider, it does that automatically for you)
Option 1: ask Oozie to generate the appropriate <credential> for your Action. I wish it really worked out-of-the-box and/or that it was better documented -- Hive works like a charm; not so with HBase; never tried Hive2 so I can't be sure.
Option 2: ask Oozie to download your custom keytab file from HDFS (you took care of restricting access to that keytab, didn't you???) to the CWD of your Launcher container with a <file> option, then generate your credentials all by yourself.
With a Java action it will be option 2.
来源:https://stackoverflow.com/questions/35459726/load-a-keytab-from-hdfs