从HDFS加载密钥表 [英] Load a keytab from HDFS

问题描述

我想将Oozie与需要使用Kerberos的Java Action一起使用. 我在HDFS中有我的密钥表.我怎么能说该文件在HDFS中?

I want to use Oozie with a Java Action which needs to use Kerberos. I have my keytab in HDFS. How could I say that the file is in HDFS?

 Configuration conf = new Configuration();
 conf.set("hadoop.security.authentication", "Kerberos");     
 UserGroupInformation.setConfiguration(conf);
 UserGroupInformation.loginUserFromKeytab(kerberosPrincipal, kerberosKeytab);

我尝试使用hdfs://xxxx:8020/tmp/myKeytab.keytab之类的路径，并且也设置了conf.set("fs.defaultFS", "hdfs://server:8020");，但它不起作用.

I have tried with a path like hdfs://xxxx:8020/tmp/myKeytab.keytab and I set conf.set("fs.defaultFS", "hdfs://server:8020"); as well but it doesn't work.

推荐答案

Hadoop委托令牌仅适用于YARN和HDFS，它们将在7天后过期.对于所有其他服务-特别是HBase(通过ZooKeeper)，HiveServer2(直接或通过ZooKeeper)，Hive Metastore(在Hive CLI内)，您需要直接进行身份验证.对于长期运行的服务，您需要定期重新进行身份验证以续订委托令牌(如果您依靠Slider，它将自动为您执行此操作)

Hadoop delegation tokens work only for YARN and HDFS, and they expire after 7 days. For all other services -- especially HBase (via ZooKeeper), HiveServer2 (directly or via ZooKeeper), Hive Metastore (inside Hive CLI) -- you need to authenticate directly. For long-running services, you need to re-authenticate periodically to renew the delegation token (if you rely on Slider, it does that automatically for you)

选项1 :请Oozie为您的操作生成相应的<credential>.我希望它确实可以开箱即用，并且/或者希望它能更好地记录下来. HBase并非如此；从未尝试过Hive2，所以我不确定.

Option 1: ask Oozie to generate the appropriate <credential> for your Action. I wish it really worked out-of-the-box and/or that it was better documented -- Hive works like a charm; not so with HBase; never tried Hive2 so I can't be sure.

选项2 :让Oozie从HDFS 下载您的自定义密钥表文件(您已经限制了对该密钥表的访问，不是吗?)带有<file>选项的Launcher容器的CWD，然后全部由您自己生成凭据.

Option 2: ask Oozie to download your custom keytab file from HDFS (you took care of restricting access to that keytab, didn't you???) to the CWD of your Launcher container with a <file> option, then generate your credentials all by yourself.

使用Java操作将成为选项2.

With a Java action it will be option 2.

这篇关于从HDFS加载密钥表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！