Multi-Instance Authentication in Mutual Trust Scenarios
Description
When multiple clusters in different security modes need to access each other's resources, the administrator can set up a mutual trust system so that users of external systems can use the system. The usage range of users in each system is called a domain. Each Manager system must have a unique domain name. Cross-Manager access means users to be used across domains. For details about how to configure mutual trust between clusters, see Managing Mutual Trust Relationships Between Managers.
As a user that meets the cross-domain access requirements, you can use the keytab and principal files for Kerberos security authentication obtained from one Manager system and the client configuration files of multiple Manager systems to access and invoke the HBase service of multiple clusters after one authentication login in the multi-cluster mutual trust scenario.
The following code snippets belong to the TestMultipleLogin class in the com.huawei.bigdata.hbase.examples package of the hbase-example sample project.
- Code authentication
List<String> confDirectorys = new ArrayList<>(); List<Configuration> confs = new LinkedList<>(); try { // conf directory confDirectorys.add("hadoopDomain");[1] confDirectorys.add("hadoop1Domain");[2] for (String confDir : confDirectorys) { confs.add(init(confDir));[3] } login(confs.get(0), confDirectorys.get(0));[4] } catch (IOException e) { LOG.error("Failed to login because ", e); return; }
[1] hadoopDomain indicates the name of the directory for storing user credentials and the configuration file of a cluster. The relative path of the directory is hbase-example/src/main/resources/hadoopDomain, which can be changed as required.
[2] hadoop1Domain is the name of the directory for storing the configuration file of the other cluster. The relative path of the directory is hbase-example/src/main/resources/hadoop1Domain, which can be changed as required.
[3] Initialize the conf objects in sequence.
[4] Perform login authentication.
- Initialization configuration
private static Configuration init(String confDirectoryName) throws IOException { // Default load from conf directory Configuration conf = HBaseConfiguration.create(); //In Windows environment String userdir = TestMain.class.getClassLoader().getResource(confDirectoryName).getPath() + File.separator; //In Linux environment //String userdir = System.getProperty("user.dir") + File.separator + confDirectoryName + File.separator; conf.addResource(new Path(userdir + "core-site.xml"), false); conf.addResource(new Path(userdir + "hdfs-site.xml"), false); conf.addResource(new Path(userdir + "hbase-site.xml"), false); return conf; }
- Security login
Set userName to the actual username based on the actual situation, for example, developuser.
private static void login(Configuration conf, String confDir) throwsIOException { if (User.isHBaseSecurityEnabled(conf)) { userName = " developuser "; //In Windows environment String userdir = TestMain.class.getClassLoader().getResource(confDir).getPath() + File.separator; //In Linux environment //String userdir = System.getProperty("user.dir") + File.separator + confDir + File.separator; userKeytabFile = userdir + "user.keytab"; krb5File = userdir + "krb5.conf"; /* * if need to connect zk, please provide jaas info about zk. of course, * you can do it as below: * System.setProperty("java.security.auth.login.config",confDirPath + * "jaas.conf"); but the demo can help you more : Note: if this process * will connect more than one zk cluster, the demo may be not proper. you * can contact us for more help */ LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, userName,userKeytabFile); LoginUtil.login(userName, userKeytabFile, krb5File, conf); } }
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.