A Secure HDFS Client Example

最新推荐文章于 2022-04-03 11:23:48 发布
最新推荐文章于 2022-04-03 11:23:48 发布
阅读量447 收藏
点赞数
分类专栏: hadoop-hdfs

Original Page: http://henning.kropponline.de/2016/02/14/a-secure-hdfs-client-example/

It takes about 3 lines of Java code to write a simple HDFS client that can further be used to upload, read or list files. Here is an example:

Configuration conf = new Configuration();
conf.set("fs.defaultFS","hdfs://one.hdp:8020");
FileSystem fs = FileSystem.get(conf);

This file system API gives the developer a generic interface to (any supported) file system depending on the protocol being use, in this case hdfs. This is enough to alter data on the Hadoop Distributed Filesystem, for example to list all the files under the root folder:

FileStatus[] fsStatus = fs.listStatus(new Path("/"));
for(int i = 0; i < fsStatus.length; i++){
   System.out.println(fsStatus[i].getPath().toString());
}

For a secured environment this is not enough, because you would need to consider these further aspects:

  1. A secure protocol
  2. Authentication with Kerberos
  3. Impersonation (proxy user), if designed as a service

What we discuss here for a sample HDFS client can in variance also be applied to other Hadoop clients.

A Secure HDFS Protocol

One way to secure the communication between clients and Hadoop services in general is to use SSL encryption for all RPC calls. This does have a sever impact on the overall cluster performance in general. To avoid this and still ensure a secure communication it can be enough to just encrypt HTTP endpoints. If doing so swebhdfs (SSL+webhdfs) can be used as the protocol. Example:

Configuration conf = new Configuration();
conf.set("fs.defaultFS","swebhdfs://one.hdp:50470");
FileSystem fs = FileSystem.get(conf);


Authentication with Kerberos

A secure client would need to use Kerberos, which is the only authentication method currently supported by Hadoop. Kerberos does require very thoughtful configuration but rewards it’s users with an almost completely transparent authentication implementation that simply works.

Making use of Kerberos authentication in Java is provided by the Java Authentication and Authorization Service (JAAS) which is a pluggable authentication method similar to PAM supporting multiple authentication methods. In this case the authentication method being used is GSS-API for Kerberos.

For JAAS a proper configuration of GSS would be needed in addition to being in possession of proper credentials, obviously. Some credentials can be created with MIT Kerberos like this:

(as root)
$ kadmin.local -q "addprinc -pw hadoop hdfs-user" 
$ kadmin.local -q \
 "xst -norandkey -k /home/hdfs-user/hdfs-user.keytab hdfs-user@MYCORP.NET"

The last line is not necessarily needed as it creates us a so called keytab – basically an encrypted password of the user – that can be used for password less authentication for example for automated services. We will make use of that here as well.

Additionally we create a JAAS configuration, we can use for authentication:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="hdfs-user@MYCORP.NET"
    useKeyTab=true
    keyTab="/home/hdfs-user/hdfs-user.keytab"
    storeKey=true;
};

We now have multiple ways to use authentication and here I will start with probably the most simple approach regarding required code changes:

1. Authentication with Keytab

Authentication web based access to HDFS with a keytab requires almost no code changes despite the use of (s)webhdfs protocol and change of authentication method:

conf.set("fs.defaultFS", "webhdfs://one.hdp:50070");
conf.set("hadoop.security.authentication", "kerberos");
 
FileSystem fs = FileSystem.get(conf);
FileStatus[] fsStatus = fs.listStatus(new Path("/"));
for(int i = 0; i < fsStatus.length; i++){
   System.out.println(fsStatus[i].getPath().toString());

The above is enough if executed in a JAAS context. Creating the secure context can be done be using the above JAAS and keytab.

java -Djava.security.auth.login.config=/home/hdfs-user/jaas.conf \
-Djava.security.krb5.conf=/etc/krb5.conf \
-Djavax.security.auth.useSubjectCredsOnly=false \
-cp "./hdfs-sample-1.0-SNAPSHOT.jar:/usr/hdp/current/hadoop-client/lib/*:/usr/hdp/current/hadoop-hdfs-client/*:/usr/hdp/current/hadoop-client/*"  \
hdfs.sample.HdfsMain
 
webhdfs://one.hdp:50070/app-logs
webhdfs://one.hdp:50070/apps
webhdfs://one.hdp:50070/ats
webhdfs://one.hdp:50070/hdp
webhdfs://one.hdp:50070/mapred
webhdfs://one.hdp:50070/mr-history
webhdfs://one.hdp:50070/tmp
webhdfs://one.hdp:50070/user

2. Using UserGroupInformation

For authentication in Hadoop there exists a wrapper class around a JAAS Subject to provide methods for user login. The UserGroupInformationwrapper without a specific setup uses the system security context, in case of Kerberos this exist in the ticket cache (klist shows the existing security context of a user). This is demonstrated under “With Existing Security Context” below. Further a custom security context can be used for login, either with by using a keytab file or even with credentials. Both approaches are also demonstrated here under “Providing Credentials from Login” and “Via Keytab”.

With Existing Security Context

First we would need to authenticate and make sure we have a proper security context:

$ kinit 
Password for hdfs-user@MYCORP.NET: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1013
Default principal: hdfs-user@MYCORP.NET
 
Valid starting       Expires              Service principal
02/14/2016 14:54:32  02/15/2016 14:54:32  krbtgt/MYCORP.NET@MYCORP.NET

With this the following can HDFS client implementation can be used in a secured environment:

Configuration conf = new Configuration();
conf.set("fs.defaultFS", "hdfs://one.hdp:8020");
conf.set("hadoop.security.authentication", "kerberos");
 
UserGroupInformation.setConfiguration(conf);
// Subject is taken from current user context
UserGroupInformation.loginUserFromSubject(null);
 
FileSystem fs = FileSystem.get(conf);
FileStatus[] fsStatus = fs.listStatus(new Path("/"));
 
for(int i = 0; i <= fsStatus.length; i++){
  System.out.println(fsStatus[i].getPath().toString());
}

Creating the JAAS context during run-time the client could be executed like this:

java -cp "./hdfs-sample-1.0-SNAPSHOT.jar:/usr/hdp/current/hadoop-client/lib/*:/usr/hdp/current/hadoop-hdfs-client/*:/usr/hdp/current/hadoop-client/*"  \
hdfs.sample.HdfsMain


hdfs://one.hdp:8020/app-logs
hdfs://one.hdp:8020/apps
hdfs://one.hdp:8020/ats
hdfs://one.hdp:8020/hdp
hdfs://one.hdp:8020/mapred
hdfs://one.hdp:8020/mr-history
hdfs://one.hdp:8020/tmp
hdfs://one.hdp:8020/user

Providing Credentials from Login

Providing login credentials at execution requires the creation of ajavax.security.auth.Subject with username and password. This means that we will have to use the GSS-API to do a kinit like this:

private static String username = "hdfs-user";
private static char[] password = "hadoop".toCharArray();
public static LoginContext kinit() throws LoginException {
  LoginContext lc = new LoginContext(HdfsMain.class.getSimpleName(), new CallbackHandler() {
  public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for(Callback c : callbacks){
      if(c instanceof NameCallback)
        ((NameCallback) c).setName(username);
      if(c instanceof PasswordCallback)
        ((PasswordCallback) c).setPassword(password);
    }
 }});
 lc.login();
 return lc;
}

We still have to configure the JAAS login module referenced by the name that we provide in the above implementation. The name applied in the example above is set to be HdfsMain.class.getSimpleName(), so our module configuration should look like this:

HdfsMain {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};

Having this in place we can now login with username and password:

Configuration conf = new Configuration();
conf.set("fs.defaultFS", "hdfs://one.hdp:8020");
conf.set("hadoop.security.authentication", "kerberos");
UserGroupInformation.setConfiguration(conf);

LoginContext lc = kinit();
UserGroupInformation.loginUserFromSubject(lc.getSubject());

FileSystem fs = FileSystem.get(conf);
FileStatus[] fsStatus = fs.listStatus(new Path("/"));

for(int i = 0; i < fsStatus.length; i++){
  System.out.println(fsStatus[i].getPath().toString());
}

Via Keytab

In the first part we injected the security context via the JAAS security context ( -Djava.security.auth.login.config=/home/hdfs-user/jaas.conf) configuring keytab authentication. We can also achieve this using JAAS security wrapper UserGroupInformation provided by Hadoop.

UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab("hdfs-user@MYCORP.NET", "/home/hdfs-user/hdfs-user.keytab");

The complete code being used:

Configuration conf = new Configuration();
conf.set("fs.defaultFS", "hdfs://one.hdp:8020");
conf.set("hadoop.security.authentication", "kerberos");

UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab("hdfs-user@MYCORP.NET", 
   "/home/hdfs-user/hdfs-user.keytab");

FileSystem fs = FileSystem.get(conf);
FileStatus[] fsStatus = fs.listStatus(new Path("/"));
for(int i = 0; i < fsStatus.length; i++){
  System.out.println(fsStatus[i].getPath().toString());
}

Please note that it is not required to configure the JAAS context, as we are using UserGroupInformation:

$ klist
klist: Credentials cache file '/tmp/krb5cc_1013' not found
$ java -cp "./hdfs-sample-1.0-SNAPSHOT.jar:/usr/hdp/current/hadoop-client/lib/*:/usr/hdp/current/hadoop-hdfs-client/*:/usr/hdp/current/hadoop-client/*"  hdfs.sample.HdfsMain
hdfs://one.hdp:8020/app-logs
hdfs://one.hdp:8020/apps
hdfs://one.hdp:8020/ats
hdfs://one.hdp:8020/hdp
hdfs://one.hdp:8020/mapred
hdfs://one.hdp:8020/mr-history
hdfs://one.hdp:8020/tmp
hdfs://one.hdp:8020/user

Impersonation

A last aspect when writing clients for a secure HDP cluster is the proxy user setting especially if you are designing a service implementation. The proxy user functionality enables services to access resources on the cluster on behalf of another user. Hence the service is impersonating the user.

A good example of such a service is the HiveServer2. The HS2 recieves SQL requests and creates an execution plan using a execution engine like MapReduce, Tez, or Spark. The plan is being executed on the cluster on behalf of the user doing the SQL request.

Of course it is important to be in control of who is able to impersonate whom and from where. This can be configured by adding a proxyuser config to Hadoop:

hadoop.proxyuser.{{service_user_name}}.groups
hadoop.proxuyser.{{service_user_name}}.hosts

If for example we have a Tomcat service running on host web.mycorp.netthe following example configuration would enable the service to impersonate users in the group web-users from host web.mycorp.net.

hadoop.proxyuser.tomcat.groups=web-users
hadoop.proxyuser.tomcat.hosts=web.mycorp.net

It is important to make sure service are not able to impersonate hdfs or other service account that have special privileges. Only trusted services should be added to the proxyuser setup.

Clients can also use the UserGroupInformation class to impersonate other users. With the doAs implementation can be wrapped into the context of the user to be impersonated.

// system/service user able to proxy
UserGroupInformation proxyUser = UserGroupInformation.getCurrentUser();
// user = user to impersonate
UserGroupInformation ugi = UserGroupInformation.createProxyUser(user, proxyUser);
try {
  fsStatus = ugi.doAs(new PrivilegedExceptionAction<FileStatus[]>() {
    public FileStatus[] run() throws IOException {
      return FileSystem.get(conf).listStatus(p);
    }
  });
} catch (InterruptedException e) { e.printStackTrace(); }

Here the user parameter defines the user (as String) in which context the call should be executed. The proxyUser is the current service or system user running the client. Be aware of the fact that not in all circumstances the proxyUser might be equal to UserGroupInformation.getCurrentUser().

Further Readings

  1. Wire Encryption in Hadoop
  2. Difference between trustStore and keyStore in Java – SSL
  3. Kerberos and Hadoop
  4. Kerberos (Protocol)
  5. Java Authentication and Authorization Service
  6. GSS-API/Kerberos v5 Authentication
  7. JAAS Login Configuration File

houzhizhen
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Hadoop伪分布式一(HDFS
afei001
02-27 175
伪分布式环境——一个服务器上运行多个进程 1.修改配置文件core-site.xml [root@server ~]# cd hadoop/hadoop-2.7.3/ [root@server hadoop-2.7.3]# cd etc/hadoop/ [root@server hadoop]# ls capacity-scheduler.xml kms-env.sh configura...
实时查询引擎 - 构建于HDFS之上的Greenplum: HAWQ
简单如阿甘
11-22 6531
HAWQ 是什么? 如果你知道Greenplum是什么,那么你就能很简单的明白HAWQ是什么。Greenplum是一个关系型的分布式MPP数据库,同样运行于X86架构的基础之上,具有查询、加载效率高,支持TB/PB级大数据量的OLAP应用, Greenplum的所有数据都存储于系统本地文件系统中。而HAWQ的最大改变就是将本地文件系统存储更换为了HDFS,成功的搭上了大数据库的班车。
HdfsClient-在本地开发环境使用Java远程连接操作HDFS
super_man_1995的博客
06-30 1426
一、pom.xml配置 <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apac
Hadoop笔记:HDFS读官方文档
japson的专栏
05-27 1377
大数据笔记:HDFS读官方文档 标签: 大数据 大数据笔记:HDFS读官方文档 介绍 NameNode and DataNodes HDFS架构及其内部 NameNode和Data的作用 命名空间和副本 命名空间 副本机制 副本存放策略 介绍 The Hadoop Distributed File System (HDFS) is a distribut...
安全HDFS客户端初始化方式
有志者事竟成
03-26 1683
转自:https://community.hortonworks.com/articles/56702/a-secure-hdfs-client-example.htmlShort Description:Explaining the creation of a secure HDFS client in JavaArticleIt takes about 3 lines of Java code...
HDFS初探
solumin的博客
04-18 372
http://192.168.1.179:8088 YARN http://192.168.1.179:50070 HDFS java -classpath /workplace/Test Error: Could not find or load main class workspace.HDFSExample.Test 解决 修改/etc/profile export CLASSPA...
Hadoop:HDFS基础编程
Yummy的博客
04-08 458
目录 具体流程: 1.在Linux中安装Eclipse 2.创建Eclipse项目 3.编写java程序 4.启动Hadoop 5.执行Eclispse中的HDFSFileIfExist.java文件 6.将java工程带出成jar包,直接通过终端命令执行 7.关闭Hadoop 具体流程: 1.在Linux中安装Eclipse 请查阅:Hadoop:Linux中安装Eclipse 2.创建Eclipse项目 (1)启动Eclipse,系统默认工作空间是“/home/hadoop..
hdfs配置sasl模式
lovebomei的博客
04-19 6308
因为DataNode数据传输协议不使用Hadoop RPC框架,DataNode必须使用由dfs.datanode.address和dfs.datanode.http.address指定的特权端口进行身份验证。此身份验证基于以下假设:攻击者将无法在DataNode主机上获得root权限。 以root用户身份执行hdfs datanode命令时,服务器进程首先绑定特权端口,然后删除特权并以HADO...
Linux环境下HDFS安装
xiaohu21的博客
08-15 3063
Linux环境下Hadoop集群安装 1.安装环境 VMWare15.x centos7.x hadoop 3.2.1 2.第一台虚拟机基础配置 2.1 先安装好一台linux虚拟机,并且设置好宿主windows的ip地址,VMWare中虚拟交换机的地址(宿主windows和虚拟交换机的ip地址必须同一网段,并且宿主windows的网关ip需要设置为虚拟交换机的ip地址)。 2.2设置好这台虚拟linux的配置,包括主机名(/etc/hosname)、ip地址/网关/子网掩码/DNS1等信息(/et
Hadoop学习笔记—HDFS
weixin_38166318的博客
04-03 387
[TOC] 上一份工作主要负责大数据平台的建设,在这个过程中积累了一些Hadoop生态组件的搭建和使用笔记,由于时间关系,不打算去修改其中的错别字和排版问题,直接释出原始笔记。 搭建安装 三个核心组件 一个hadoop基本集群,牵涉三个组件: hdfs 负责分布式的文件存储 yarn 负责分布式的资源管理 mr 负责分布式计算安装 配置环境变量 配置etc/hadoop/hadoop-env.sh、etc/hadoop/hadoop-env.sh、etc/hadoop/yarn-env.sh 这三个脚
CDH Kerberos权限问题 org.apache.hadoop.security.accesscontrolexception: client cannot
漫游学海之旅
06-18 2688
问题 CDH集群配置Kerberos后,执行 hdfs dfs -ls / 出现错误 原因分析 客户端没有授权tickets Client cannot authenticate via:[TOKEN, KERBEROS] 解决办法 查找本地keytab文件,keytab文件,一般CDH已经新建了很多keytab文件 find / -name *hdfs.keytab -exec ls -l {} \; 根据查找的文件 选择一个正常的keytab文件,文件大小不能为0,否则会出错 “Unsupp
Hadoop UserGroupInformation 的那些 login
wujun8的专栏
09-24 1万+
loginUserFromSubject loginUserFromKeytab getUGIFromTicketCache ugi password keytab ticket -Djava.security.krb5.conf="$APP_HOME"/_krb/krb5.conf hive No groups bug
Hadoop UserGroupInformation详解
gezooo的专栏
04-03 6890
hadoop UserGroupInformation研究了很多次,每次都是朦朦胧胧,这一次花了一些力气,终于是搞明白了。 下面大概了解下面Java的认证相关框架 JAAS 认证和授权框架,只要负责用户的认证和权限。 SASL client 和 server之间认证的框架 GSS 是sasl的一个provider,也就是实现了sasl框架 参考JAAS/GSS-API/SASL/Kerberos简介 | NoSQL漫谈 网上关于high level介绍的还比较多,可以搜索一些,但是要真正理解Us
在进行HDFS实践时遇到的问题:
weixin_46029055的博客
10-08 888
1.目录操作时报错: 报错结果: WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform... using builtin-java classes where applicable 解决办法:如何解决WARN util.NativeCodeLoader: Unable to load native-hadoop library for your platform..._涛..
hdfs客户端实例(kerberos+simple)
tian的博客
07-04 6005
1.非安全模式 在非安全模式下,访问hdfs文件系统的客户端代码如下: package ntci.hadoop.hdfs.test; import org.apache.hadoop.classification.InterfaceAudience; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop...
hadoop2.6 UserGroupInformation 获取用户名
亚瑟的守护的专栏
12-30 6768
Hadoop的客户端是通过FileSystem类操作hdfs的。 FileSystem.get()方法获取FileSystem对象。 public static FileSystem get(final URI uri, final Configuration conf, final String user) throws IOException, InterruptedE
关于JAVA程序的kerbose认证的一些事儿
KeithChen's的博客
12-01 1654
概况 我们这边用的是key + password 的 kerbose 认证. 在JAVA程序下也遇到一些关于 kerbose 认证绕不过的坑. 认证的代码 //认证返回一个UserGroupInformation,认证成功的User public static UserGroupInformation login(){ Configuration conf = new Co
hadoop hdfs dfs 命令讲解
热门推荐
梁小明的博客
05-23 5万+
hdfs dfs命令 appendToFile Usage: hdfs dfs -appendToFile  ...  追加一个或者多个文件到hdfs制定文件中.也可以从命令行读取输入. · hdfs dfs -appendToFile localfile /user/hadoop/hadoopfile · hdfs dfs -appendToFile localfile1 localf
hadoop example---异常记录(待解决)
shuhuai007的专栏
09-29 5807
用的是hadoop.0.20.2,在命令行执行如下命令:  bin/hadoop jar hadoop-*-examples.jar aggregatewordcount wordcount aggregatewordcount_output 1 textinputformat 在执行任务的时候抛出java.lang.RuntimeException: 11/09/29 15:56:21
hdfs client
最新发布
04-24
HDFS Client是用于与HDFS进行交互的客户端库或工具。 HDFS Client提供了一组API和命令行工具,用于在HDFS上执行各种操作,如文件的读取、写入、删除、重命名等。通过HDFS Client,用户可以通过编程方式或命令行方式...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值