从.net应用程序访问的Kerberos保护webhdfs（控制台） [英] Accessing kerberos protected webhdfs from .Net Application(console)

问题描述

我无法访问从浏览器WebHDFS由于Kerberos安全。 ？谁能帮我这个

下面是浏览器中的错误HTTP：//****.****/webhdfs/v1/prod/ ？snapshot_rpx /存档OP = LISTSTATUS&放大器; user.name = US

HTTP错误401

问题，访问/ webhdfs / V1 /生产/ snapshot_rpx /存档。原因：需要验证

净因提出请求到这个URL代码

  HttpWebRequest的HTTP =（HttpWebRequest的）WebRequest.Create（requestUri）; 
 http.Timeout =超时; 
 http.ContentType的contentType =; 
 
串responseData =的String.Empty;使用
（WebResponse的响应= http.GetResponse（））
 {
流流= response.GetResponseStream（）; 
 StreamReader的SR =新的StreamReader（流）; 
 responseData = sr.ReadToEnd（）; 
} 
 
返回responseData; 
  

解决方案

很抱歉的延迟反应。阿帕奇诺克斯实际上可能提供您正在寻找的解决方案。它屏蔽了REST客户端的Hadoop集群本身是如何保护的细节。群集可以从固定到不安全的一时兴起去和客户端将身份验证到诺克斯网关以同样的方式。

现在的问题是，你想究竟是如何进行身份验证诺克斯。典型的方法是通过HTTP基本认证根据LDAP（可能是AD）。然而有其他身份验证/联合会提供商允许其他机制也是如此。

基于头preauth目录SSO提供者是一个体面的方式去为Web应用程序类型的用例。请参阅：的http：//诺克斯.apache.org /书籍/诺克斯-0-7-0 /用户guide.html＃预验证+ SSO +提供商

再加上SSL相互认证（的http：// knox.apache.org/books/knox-0-7-0/user-guide.html#Mutual+Authentication+with+SSL ）申请和Apache诺克斯之间，这是充分利用作为诺克斯的作用的有效途径Hadoop的一个值得信赖的代理，联合建立了您的应用程序的身份。

即将v0.8.0版本引入了更多的SSO机制以及

Hadoop的REST客户不应该需要了解Hadoop集群时的Hadoop的灵活性允许服务，以移动或安全这么多的细节以不同的方式，所有的客户突破被使能。在每一个浏览器强制SPNEGO是许多表演塞。阿帕奇诺克斯解决在REST API开发者/消费者已经习惯的工作方式这些问题。

I'm unable to access WebHDFS from browser due to Kerberos security. Can anyone help me with this?

Below is the error in browser for "http://****.****/webhdfs/v1/prod/snapshot_rpx/archive?op=LISTSTATUS&user.name=us"

HTTP ERROR 401

Problem accessing /webhdfs/v1/prod/snapshot_rpx/archive. Reason: Authentication required

.Net code for making a request to this URL

HttpWebRequest http = (HttpWebRequest)WebRequest.Create(requestUri);
    http.Timeout = timeout;
    http.ContentType = contentType;

    string responseData = string.Empty;
    using (WebResponse response = http.GetResponse())
    {
        Stream stream = response.GetResponseStream();
        StreamReader sr = new StreamReader(stream);
        responseData = sr.ReadToEnd();
    }

    return responseData;

解决方案

Sorry for the delayed response. Apache Knox may actually provide the solution that you are looking for. It shields the REST clients from the details of how the Hadoop cluster itself is secured. The cluster can go from secured to unsecured on a whim and the clients will authenticated to the Knox Gateway the same way.

The question is how exactly that you would like to authenticate to Knox. The typical way is through HTTP Basic Auth against LDAP (which could be AD). There are however other authentication/federation providers to allow for other mechanisms as well.

The Header based preauth SSO provider is a decent way to go for web app type usecases. See: http://knox.apache.org/books/knox-0-7-0/user-guide.html#Preauthenticated+SSO+Provider

Coupled with SSL mutual authentication (http://knox.apache.org/books/knox-0-7-0/user-guide.html#Mutual+Authentication+with+SSL) between the application and Apache Knox this is an effective way to leverage Knox's role as a trusted proxy for Hadoop to federate the identity established in your application.

The upcoming v0.8.0 release introduces more SSO mechanisms as well.

Hadoop REST clients shouldn't need to know so many details about the Hadoop cluster that when the flexibility of Hadoop allows services to move or security to be enabled in different ways that all of the clients break. Forcing SPNEGO on every browser is a show stopper for many. Apache Knox addresses these issues in a way that REST API developers/consumers are accustomed to working.

这篇关于从.net应用程序访问的Kerberos保护webhdfs（控制台）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！