Updated on 2022-08-16 GMT+08:00

Preparing Authentication Mechanism Code

Scenario

In a secure cluster environment, components must perform mutual authentication before communicating with each other to ensure communication security.

When users develop Oozie applications, Oozie sometimes needs to communicate with Hadoop and Hive. Security authentication code must be written into the Oozie applications so that they work properly.

Two security authentication modes are available:

  • Command line authentication:

    Before running the Oozie applications, run the following command on the Oozie client to authenticate:

    kinit Component service user

  • Code authentication (Kerberos security authentication):

    Contact the administrator to create and obtain the keytab and krb5.conf files used for Kerberos security authentication. For details, see the sample code.

    The sample code invokes the LoginUtil class for security authentication and supports both the Oracle Java platform and the IBM Java platform.

    Set userName to the actual user name, for example, developuser.

        private static void login(String keytabFilePath, String krb5FilePath, String user) throws IOException {
            Configuration conf = new Configuration();
            conf.set(KERBEROS_PRINCIPAL, user);
            conf.set(KEYTAB_FILE, keytabFilePath);
            conf.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
            conf.set(HADOOP_SECURITY_AUTHORIZATION, "true");
    
            /*
             * To connect to ZooKeeper, provide the JAAS information for
             * ZooKeeper. You can do this as follows:
             * System.setProperty("java.security.auth.login.config", confDirPath +
             * "jaas.conf");
             * but the demo code below is more helpful. Note: if this process
             * connects to more than one ZooKeeper cluster, the demo may not be
             * suitable. Contact us for more help.
             */
            LoginUtil.setJaasConf(ZOOKEEPER_DEFAULT_LOGIN_CONTEXT_NAME, user, keytabFilePath);
            LoginUtil.setZookeeperServerPrincipal(ZOOKEEPER_DEFAULT_SERVER_PRINCIPAL);
            LoginUtil.login(user, keytabFilePath, krb5FilePath, conf);
        }
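The keytab passed to login() is itself a credential, so it is worth verifying the files before the login call. The following is an added example, not part of the sample code or of LoginUtil: the class KeytabPreflight and its check() method are hypothetical names, and it assumes the Oozie client runs on a POSIX file system.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Added example: KeytabPreflight and check() are hypothetical names, not part of LoginUtil.
public class KeytabPreflight {
    // Fails fast if a file is missing or the keytab is accessible beyond its owner.
    static void check(String keytabFilePath, String krb5FilePath) throws IOException {
        Path keytab = Paths.get(keytabFilePath);
        for (Path p : new Path[] {keytab, Paths.get(krb5FilePath)}) {
            if (!Files.isRegularFile(p) || !Files.isReadable(p)) {
                throw new IOException("Missing or unreadable file: " + p);
            }
        }
        // Throws UnsupportedOperationException on non-POSIX file systems (assumes Linux client).
        Set<PosixFilePermission> extra = EnumSet.noneOf(PosixFilePermission.class);
        extra.addAll(Files.getPosixFilePermissions(keytab));
        extra.removeAll(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        if (!extra.isEmpty()) {
            throw new IOException("Keytab " + keytab + " grants more than owner read/write: "
                    + PosixFilePermissions.toString(extra));
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed, empty stand-ins for the real keytab and krb5.conf files.
        Path keytab = Files.createTempFile("user", ".keytab");
        Path krb5 = Files.createTempFile("krb5", ".conf");
        try {
            Files.setPosixFilePermissions(keytab, PosixFilePermissions.fromString("rw-r--r--"));
            try {
                check(keytab.toString(), krb5.toString());
                throw new IllegalStateException("world-readable keytab was accepted");
            } catch (IOException expected) {
                System.out.println("Rejected: " + expected.getMessage());
            }
            Files.setPosixFilePermissions(keytab, PosixFilePermissions.fromString("rw-------"));
            check(keytab.toString(), krb5.toString());
            System.out.println("Accepted keytab with mode 600");
        } finally {
            Files.delete(keytab);
            Files.delete(krb5);
        }
    }
}
```

Calling check(keytabFilePath, krb5FilePath) as the first statement of login() stops the application before any Kerberos exchange if the keytab is readable by group or other users.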