Updated on 2023-08-31 GMT+08:00

HBase Service Data Read/Write Example Security Authentication (Multi-Cluster Mutual Trust Scenario)

Description

When multiple clusters in different security modes need to access each other's resources, the administrator can set up a mutual trust relationship so that users of an external system can use the local system. The scope in which the users of each system are valid is called a domain. Each Manager system must have a unique domain name. Cross-Manager access means that users are used across domains. For details about how to configure mutual trust between clusters, see Managing Mutual Trust Relationships Between Managers.

In the multi-cluster mutual trust scenario, a user who meets the cross-domain access requirements can log in once and then access and invoke the HBase service of multiple clusters. To do so, use the keytab and principal files for Kerberos security authentication obtained from one Manager system, together with the client configuration files of each Manager system.

The following code snippets belong to the TestMultipleLogin class in the com.huawei.bigdata.hbase.examples package of the hbase-example sample project.

  • Code authentication
    List<String> confDirectorys = new ArrayList<>();
    List<Configuration> confs = new LinkedList<>();
    try {
        // conf directory
        confDirectorys.add("hadoopDomain");   // [1]
        confDirectorys.add("hadoop1Domain");  // [2]

        for (String confDir : confDirectorys) {
            confs.add(init(confDir));         // [3]
        }

        login(confs.get(0), confDirectorys.get(0));  // [4]
    } catch (IOException e) {
        LOG.error("Failed to login because ", e);
        return;
    }

    [1] hadoopDomain indicates the name of the directory for storing user credentials and the configuration file of a cluster. The relative path of the directory is hbase-example/src/main/resources/hadoopDomain, which can be changed as required.

    [2] hadoop1Domain is the name of the directory for storing the configuration file of the other cluster. The relative path of the directory is hbase-example/src/main/resources/hadoop1Domain, which can be changed as required.

    [3] Initialize the conf objects in sequence.

    [4] Perform login authentication.

  • Initialization configuration
    private static Configuration init(String confDirectoryName) throws IOException {
        // Default load from conf directory
        Configuration conf = HBaseConfiguration.create();
        // In Windows environment
        String userdir = TestMain.class.getClassLoader().getResource(confDirectoryName).getPath() + File.separator;
        // In Linux environment
        // String userdir = System.getProperty("user.dir") + File.separator + confDirectoryName + File.separator;
        conf.addResource(new Path(userdir + "core-site.xml"), false);
        conf.addResource(new Path(userdir + "hdfs-site.xml"), false);
        conf.addResource(new Path(userdir + "hbase-site.xml"), false);
        return conf;
    }

Prerequisites

You have obtained the configuration file and authentication file required for running the sample project. For details, see Preparing the Configuration Files of the Running Environment.

Configuring Secure Login

Change userName in the TestMultipleLogin class in the com.huawei.bigdata.hbase.examples package of the hbase-example sample project to the actual user name, for example, developuser.
private static void login(Configuration conf, String confDir) throws IOException {
    if (User.isHBaseSecurityEnabled(conf)) {
        userName = "developuser";

        // In Windows environment
        String userdir = TestMain.class.getClassLoader().getResource(confDir).getPath() + File.separator;
        // In Linux environment
        // String userdir = System.getProperty("user.dir") + File.separator + confDir + File.separator;

        userKeytabFile = userdir + "user.keytab";
        krb5File = userdir + "krb5.conf";

        /*
         * If you need to connect to ZooKeeper, provide the JAAS information
         * for ZooKeeper. You can do it as follows:
         * System.setProperty("java.security.auth.login.config", userdir + "jaas.conf");
         * but the demo can help you more. Note: if this process connects to
         * more than one ZooKeeper cluster, the demo may not be suitable.
         * Contact us for more help.
         */
        LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, userName, userKeytabFile);
        LoginUtil.login(userName, userKeytabFile, krb5File, conf);
    }
}
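
The following pre-flight check is an added example, not part of the hbase-example sample project. It verifies the files that init() and login() read from each cluster directory and flags a user.keytab that is accessible to accounts other than its owner. The class name ConfDirPreflight and the assumption that it is run from the hbase-example project root are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.*;

// Added example: checks the per-cluster directories before init()/login() are called.
public class ConfDirPreflight {
    static final List<String> SITE_FILES = Arrays.asList("core-site.xml", "hdfs-site.xml", "hbase-site.xml");
    static final List<String> CREDENTIAL_FILES = Arrays.asList("user.keytab", "krb5.conf");

    /** Returns the problems found in one directory; an empty list means it is usable. */
    static List<String> check(Path dir, boolean holdsCredentials) throws IOException {
        List<String> problems = new ArrayList<>();
        List<String> required = new ArrayList<>(SITE_FILES);
        if (holdsCredentials) {
            required.addAll(CREDENTIAL_FILES);
        }
        for (String name : required) {
            Path file = dir.resolve(name);
            if (!Files.isRegularFile(file) || !Files.isReadable(file)) {
                problems.add(file + ": missing or not readable");
            } else if (Files.size(file) == 0) {
                problems.add(file + ": empty");
            }
        }
        // The keytab stands in for the user's password, so only the owner should have access.
        Path keytab = dir.resolve("user.keytab");
        if (holdsCredentials && Files.isRegularFile(keytab)
                && Files.getFileStore(keytab).supportsFileAttributeView("posix")) {
            for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
                if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                    problems.add(keytab + ": " + p + " is set; restrict to the owner (chmod 600)");
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Assumption: the working directory is the hbase-example project root.
        Path resources = Paths.get("src", "main", "resources");
        // Only the first directory is passed to login(), so only it must hold the credentials.
        List<String> problems = new ArrayList<>(check(resources.resolve("hadoopDomain"), true));
        problems.addAll(check(resources.resolve("hadoop1Domain"), false));
        problems.forEach(System.err::println);
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

On file systems without POSIX permissions (for example, a Windows development machine) the permission check is skipped and only the presence checks run.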