Load a keytab from HDFS

情到浓时终转凉″ 提交于 2020-07-20 03:43:08

问题


I want to use Oozie with a Java Action which needs to use Kerberos. I have my keytab in HDFS. How could I say that the file is in HDFS?

 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "Kerberos");     
 UserGroupInformation.setConfiguration(conf);
 UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);

I have tried with a path like hdfs://xxxx:8020/tmp/myKeytab.keytab and I set conf.set("fs.defaultFS", "hdfs://server:8020"); as well but it doesn't work.


回答1:


Hadoop delegation tokens work only for YARN and HDFS, and they expire after 7 days. For all other services -- especially HBase (via ZooKeeper), HiveServer2 (directly or via ZooKeeper), Hive Metastore (inside Hive CLI) -- you need to authenticate directly. For long-running services, you need to re-authenticate periodically to renew the delegation token (if you rely on Slider, it does that automatically for you)

Option 1: ask Oozie to generate the appropriate <credential> for your Action. I wish it really worked out-of-the-box and/or that it was better documented -- Hive works like a charm; not so with HBase; never tried Hive2 so I can't be sure.

Option 2: ask Oozie to download your custom keytab file from HDFS (you took care of restricting access to that keytab, didn't you???) to the CWD of your Launcher container with a <file> option, then generate your credentials all by yourself.

With a Java action it will be option 2.



来源:https://stackoverflow.com/questions/35459726/load-a-keytab-from-hdfs

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!