Kerberos study notes

The reason I dug into Kerberos is that one of our projects is built on Huawei's FusionInsight, and that big-data platform has Kerberos authentication everywhere, which left me thoroughly confused. Below are the materials I used to learn it. Don't use mine as a reference; you will definitely get confused. I'm writing these down for my own use.
Remember: if you use Huawei's FusionInsight platform, you must use Huawei's own ZooKeeper package, otherwise authentication will not pass. Learned the hard way.
1. Kerberos authentication principles
2. Kerberos installation, common commands, and integration with CDH

Here is what I learned.
1. There are two ways to obtain authentication
First: run kinit admin and enter the user's password; this is done from the shell.
Second: use krb5.conf plus a keytab file; this is the usual way a program obtains authentication. The code is below: the init() and login() methods must run before any part of the program that connects to a service on the server (for example ZooKeeper).

    import java.io.File;
    import java.io.IOException;
    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.fs.Path;
    import org.apache.hadoop.hbase.HBaseConfiguration;
    import org.apache.hadoop.hbase.security.User;

    public class SecureClient {

        // Login context name and ZooKeeper server-principal settings. The values below are
        // placeholders: use the names your cluster's jaas.conf and ZooKeeper deployment expect.
        private static final String ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME = "Client";
        private static final String ZOOKEEPER_SERVER_PRINCIPAL_KEY = "zookeeper.server.principal";
        private static final String ZOOKEEPER_DEFAULT_SERVER_PRINCIPAL = "zookeeper/<zk-host-placeholder>";

        private static Configuration conf;
        private static String userName;
        private static String userKeytabFile;
        private static String krb5File;

        // Call init() first (it builds conf), then login(), before connecting to any secured service.
        private static void login() throws IOException {
            if (User.isHBaseSecurityEnabled(conf)) {
                String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
                userName = "admin";
                userKeytabFile = userdir + "user.keytab";
                krb5File = userdir + "krb5.conf";

                /*
                 * If you need to connect to ZooKeeper, provide the JAAS info for it. You can do that with
                 * System.setProperty("java.security.auth.login.config", confDirPath + "jaas.conf"),
                 * but the helpers below do more for you. Note: if this process connects to more than
                 * one ZooKeeper cluster, this approach may not be suitable; contact us for more help.
                 */
                LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, userName, userKeytabFile);
                LoginUtil.setZookeeperServerPrincipal(ZOOKEEPER_SERVER_PRINCIPAL_KEY,
                        ZOOKEEPER_DEFAULT_SERVER_PRINCIPAL);
                LoginUtil.login(userName, userKeytabFile, krb5File, conf);
            }
        }

        private static void init() throws IOException {
            // Load the client configuration from the conf directory: HBase defaults plus the dev site files
            conf = HBaseConfiguration.create();
            String userdir = System.getProperty("user.dir") + File.separator + "conf" + File.separator;
            conf.addResource(new Path(userdir + "core-site-dev.xml"));
            conf.addResource(new Path(userdir + "hdfs-site-dev.xml"));
            conf.addResource(new Path(userdir + "hbase-site-dev.xml"));
            conf.addResource(new Path(userdir + "hive-site-dev.xml"));
        }
    }

There is also a LoginUtil.java class:

    package cn.tongdun.datacompute.biz.suppport;

    import org.apache.hadoop.conf.Configuration;
    import org.apache.hadoop.security.UserGroupInformation;
    import org.apache.hadoop.security.authentication.util.KerberosUtil;
    import org.apache.log4j.Logger;

    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
    import java.io.File;
    import java.io.IOException;
    import java.util.HashMap;
    import java.util.Map;

    public class LoginUtil {

      private static final Logger LOG = Logger.getLogger(LoginUtil.class);

      private static final String JAVA_SECURITY_KRB5_CONF_KEY = "java.security.krb5.conf";

      // Diagnostic messages for the most common login failures: each names the symptom and the check to run.
      private static final String LOGIN_FAILED_CAUSE_PASSWORD_WRONG = "(wrong password) keytab file and user not match, you can kinit -k -t keytab user in client server to check";

      private static final String LOGIN_FAILED_CAUSE_TIME_WRONG = "(clock skew) time of local server and remote server not match, please check ntp to remote server";

      private static final String LOGIN_FAILED_CAUSE_AES256_WRONG = "(aes256 not support) aes256 not support by default jdk/jre, need copy local_policy.jar and US_export_policy.jar from remote server in path /opt/huawei/Bigdata/jdk/jre/lib/security";

      private static final String LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG = "(no rule) principal format not support by default, need add property hadoop.security.auth_to_local(in core-site.xml) value RULE:[1:$1] RULE:[2:$1]";

      private static final String LOGIN_FAILED_CAUSE_TIME_OUT = "(time out) can not connect to kdc server or there is fire wall in the network";

      private static final boolean IS_IBM_JDK = System.getProperty("java.vendor").contains("IBM");
      private static final boolean IS_WINDOWS_OS = System.getProperty("os.name").toLowerCase()
          .contains("windows");

      // The rest of the class (setJaasConf, setZookeeperServerPrincipal, login, ...) is cut off in the
      // original post and is not reproduced here.
    }
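As an added example that is not from this post nor from Huawei's sample code, here is what the keytab login path (setJaasConf plus login above) amounts to when written directly against Hadoop's UserGroupInformation with the JAAS configuration built in memory, so no jaas.conf file has to be shipped with the client. The principal, the file paths and the "Client" context name are assumptions to replace with your cluster's values; the ZooKeeper SASL client looks up the context named by the zookeeper.sasl.clientconfig system property, which defaults to "Client".

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import org.apache.hadoop.security.UserGroupInformation;

/** Keytab-based login for a Hadoop/ZooKeeper client, with the JAAS config built in memory. */
public class KeytabLogin {
    /** One JAAS login context backed by Krb5LoginModule and a keytab (no jaas.conf file needed). */
    static final class KeytabJaasConfiguration extends Configuration {
        private final String contextName;
        private final AppConfigurationEntry[] entries;
        KeytabJaasConfiguration(String contextName, String principal, String keytabPath) {
            this.contextName = contextName;
            Map<String, String> options = new HashMap<>();
            options.put("useKeyTab", "true");
            options.put("keyTab", keytabPath);
            options.put("principal", principal);
            options.put("storeKey", "true");        // keep the key so the TGT can be renewed
            options.put("useTicketCache", "false"); // never fall back to a kinit ticket cache
            this.entries = new AppConfigurationEntry[] { new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, options) };
        }
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return contextName.equals(name) ? entries : null;
        }
    }

    /** Logs in from the keytab and returns the authenticated UGI; fails fast if a file is unreadable. */
    public static UserGroupInformation login(String principal, String keytabPath, String krb5ConfPath,
            String zkLoginContext, org.apache.hadoop.conf.Configuration conf) throws IOException {
        for (String path : new String[] { keytabPath, krb5ConfPath }) {
            if (!new File(path).canRead()) throw new IOException("cannot read " + path);
        }
        System.setProperty("java.security.krb5.conf", krb5ConfPath);
        // ZooKeeper's SASL client looks up the context named by zookeeper.sasl.clientconfig (default "Client").
        Configuration.setConfiguration(new KeytabJaasConfiguration(zkLoginContext, principal, keytabPath));
        conf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(conf);
        UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
        UserGroupInformation ugi = UserGroupInformation.getLoginUser();
        if (!ugi.hasKerberosCredentials()) throw new IOException("login did not yield Kerberos credentials");
        return ugi;
    }
}
```

A call such as `KeytabLogin.login("admin@EXAMPLE.REALM", "conf/user.keytab", "conf/krb5.conf", "Client", conf)` (realm and paths assumed) replaces the setJaasConf/login pair; a failed login throws with the KDC's error text, which maps onto the LOGIN_FAILED_CAUSE_* hints above.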