How to connect to a Kerberos-secured Apache Phoenix data source with WildFly?


Problem description

I have recently spent several weeks trying to get WildFly to successfully connect to a Kerberized Apache Phoenix data source. There is a surprisingly limited amount of documentation on how to do this, but now that I have cracked it, I'm sharing.

环境:

  • WildFly 9+. An equivalent JBoss version should also work (but untested). WildFly 8 does not contain the required org.jboss.security.negotiation.KerberosLoginModule class (but you can hack it, see Kerberos sql server datasource in Wildfly 8.2). I used WildFly 10.1.0.Final, and used a standalone deployment.
  • Apache Phoenix 4.2.0.2.2.4.10. I have not tested any other version.
  • Kerberos v5. My KDC is running on Windows Active Directory, but this should not make a noticeable difference.
  • My Hadoop environment is a HortonWorks version, and maintained by Ambari. Ambari ensures that all of the configuration files and Kerberos implementation settings are correct.

Recommended answer

Firstly, you'll want to add a system property to WildFly's standalone.xml to specify the location of the Kerberos configuration file:

...
</extensions>

<system-properties>
    <property name="java.security.krb5.conf" value="/path/to/krb5.conf"/>
</system-properties>
...

I'm not going to go into the format of the krb5.conf file here, as it is dependent on your own implementation of Kerberos. What is important is that it contains the default realm and network location of the KDC. On Linux you can normally find it at /etc/krb5.conf or /etc/security/krb5.conf. If you're running WildFly on Windows, then make sure you use forward-slashes in your path, e.g. "C:/Source/krb5.conf"

Secondly, add two new security domains to standalone.xml - one called "Client" which is used by ZooKeeper, and another called "host", which is used by WildFly. Do not ask me why (it caused me so much pain) but the name of the "Client" security domain must match that defined in Zookeeper's JAAS client configuration file on the server. If you've set up with Ambari, "Client" is the default name. Also note that you cannot simply provide a jaas.config file as a system property, you must define it here:

<security-domain name="Client" cache-type="default">
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="useTicketCache" value="true"/>
        <module-option name="debug" value="true"/>
    </login-module>
</security-domain>
<security-domain name="host" cache-type="default">
    <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
        <module-option name="useTicketCache" value="true"/>
        <module-option name="debug" value="true"/>
        <module-option name="refreshKrb5Config" value="true"/>
        <module-option name="addGSSCredential" value="true"/>
    </login-module>
</security-domain>

The module options will vary depending on your implementation. I'm getting my tickets from the default Java ticket cache, which is defined in the java.security file of your JRE, but you can supply a keytab here if you want. Note that setting storeKey to true broke my implementation. Check the Java documentation for all of the options. Note that each security domain uses a different login module: this is not by accident - Phoenix does not know how to use the org.jboss... version.

Now you need to provide WildFly with the org.apache.phoenix.jdbc.PhoenixDriver class in phoenix-<version>-client.jar. Create the following directory tree under the WildFly directory:

/modules/system/layers/base/org/apache/phoenix/main/

In the main directory, paste the phoenix-<version>-client.jar which you can find on the server (e.g. /usr/hdp/<version>/phoenix/client/bin) and create a module.xml file:

<?xml version="1.0" ?>

<module xmlns="urn:jboss:module:1.1" name="org.apache.phoenix">

    <resources>
        <resource-root path="phoenix-<version>-client.jar">
            <filter>
                <exclude-set>
                    <path name="javax" />
                    <path name="org/xml" />
                    <path name="org/w3c/dom" />
                    <path name="org/w3c/sax" />
                    <path name="javax/xml/parsers" />
                    <path name="com/sun/org/apache/xerces/internal/jaxp" />
                    <path name="org/apache/xerces/jaxp" />
                    <path name="com/sun/jersey/core/impl/provider/xml" />
                </exclude-set>
            </filter>
        </resource-root>
        <resource-root path=".">
        </resource-root>
    </resources>

    <dependencies>
        <module name="javax.api"/>
        <module name="sun.jdk"/>
        <module name="org.apache.log4j"/>
        <module name="javax.transaction.api"/>
        <module name="org.apache.commons.logging"/>
    </dependencies>
</module>

You also need to paste the hbase-site.xml and core-site.xml from the server into the main directory. These are typically located in /usr/hdp/<version>/hbase/conf and /usr/hdp/<version>/hadoop/conf. If you don't add these, you will get a lot of unhelpful ZooKeeper getMaster errors! If you want the driver to log to the same place as WildFly, then you should also create a log4j.xml file in the main directory. You can find an example elsewhere on the web. The <resource-root path="."></resource-root> element is what adds those xml files to the classpath when deployed by WildFly.

Finally, add a new datasource and driver in the <subsystem xmlns="urn:jboss:domain:datasources:2.0"> section. You can do this with the CLI or by directly editing standalone.xml, I did the latter:

<datasource jndi-name="java:jboss/datasources/PhoenixDS" pool-name="PhoenixDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:phoenix:first.quorumserver.fqdn,second.quorumserver.fqdn:2181/hbase-secure</connection-url>
    <connection-property name="phoenix.connection.autoCommit">true</connection-property>
    <driver>phoenix</driver>
    <validation>
        <check-valid-connection-sql>SELECT 1 FROM SYSTEM.CATALOG LIMIT 1</check-valid-connection-sql>
    </validation>
    <security>
        <security-domain>host</security-domain>
    </security>
</datasource>
<drivers>
    <driver name="phoenix" module="org.apache.phoenix">
        <xa-datasource-class>org.apache.phoenix.jdbc.PhoenixDriver</xa-datasource-class>
    </driver>
</drivers>

It's important that you replace first.quorumserver.fqdn,second.quorumserver.fqdn with the correct ZooKeeper quorum string for your environment. You can find this in hbase-site.xml in the HBase configuration directory: hbase.zookeeper.quorum. You don't need to add Kerberos information to the connection URL string!

tl;dr

  • Make sure that hbase-site.xml and core-site.xml are in your classpath.
  • Make sure that you have a <security-domain> with a name that ZooKeeper expects (probably "Client"), that uses the com.sun.security.auth.module.Krb5LoginModule.
  • The Phoenix connection URL must contain the entire ZooKeeper quorum. You can't miss one server out! Make sure it matches the value in hbase-site.xml.

References:

  • Using Kerberos for Datasource Authentication
  • Phoenix data source configuration by Mark S
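As an added pre-flight check that is not part of the original answer, the script below reads hbase.zookeeper.quorum from hbase-site.xml and inspects a standalone.xml fragment for the two tl;dr points above: every quorum host must appear in the Phoenix connection URL, and a security domain named "Client" must use com.sun.security.auth.module.Krb5LoginModule. The hostnames and both XML fragments are constructed samples, not taken from any real cluster.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (hypothetical hostnames, not from any real cluster).
HBASE_SITE_XML = """<configuration>
  <property><name>hbase.zookeeper.quorum</name>
    <value>zk1.example.internal,zk2.example.internal,zk3.example.internal</value></property>
</configuration>"""

# Deliberately misses zk3 from the quorum to show the failure mode the tl;dr warns about.
STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <security-domain name="Client" cache-type="default">
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"/>
  </security-domain>
  <datasource jndi-name="java:jboss/datasources/PhoenixDS" pool-name="PhoenixDS">
    <connection-url>jdbc:phoenix:zk1.example.internal,zk2.example.internal:2181/hbase-secure</connection-url>
  </datasource>
</server>"""

def _local(tag):
    """Strip the xmlns prefix so nested subsystem namespaces in standalone.xml do not matter."""
    return tag.split("}")[-1]

def hadoop_property(xml_text, name):
    """Value of a <property> in a Hadoop-style config file such as hbase-site.xml, or None."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if prop.findtext("name") == name:
            return (prop.findtext("value") or "").strip()
    return None

def quorum_hosts(connection_url):
    """Set of hosts from jdbc:phoenix:host1,host2[:port][/znode]."""
    m = re.match(r"jdbc:phoenix:([^:/]+)", connection_url)
    return set(m.group(1).split(",")) if m else set()

def check_config(standalone_xml, hbase_site_xml):
    """Return the list of problems found; an empty list means both tl;dr checks passed."""
    problems = []
    root = ET.fromstring(standalone_xml)
    expected = set((hadoop_property(hbase_site_xml, "hbase.zookeeper.quorum") or "").split(","))
    for el in root.iter():
        if _local(el.tag) == "connection-url" and (el.text or "").startswith("jdbc:phoenix:"):
            missing = expected - quorum_hosts(el.text)
            if missing:
                problems.append("connection-url misses quorum hosts: " + ",".join(sorted(missing)))
    client = [el for el in root.iter() if _local(el.tag) == "security-domain" and el.get("name") == "Client"]
    codes = {lm.get("code") for sd in client for lm in sd if _local(lm.tag) == "login-module"}
    if "com.sun.security.auth.module.Krb5LoginModule" not in codes:
        problems.append('security-domain "Client" with com.sun.security.auth.module.Krb5LoginModule not found')
    return problems
```

Running check_config on the constructed sample reports the missing zk3 host; pointing the functions at real hbase-site.xml and standalone.xml files gives the same check before you restart WildFly.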
