Updated on 2023-08-31 GMT+08:00

Preparing for Security Authentication

Scenarios

In a cluster with the security mode enabled, the components must be mutually authenticated before communicating with each other to ensure communication security.

When submitting MapReduce applications, users need to communicate with Yarn and HDFS. Code for security authentication needs to be written into the MapReduce application to be submitted to ensure that MapReduce can work properly.

Two security authentication modes are available:

  • CLI authentication:

    Before submitting and running the MapReduce application, run the following command on the MapReduce client to obtain authentication:

    kinit <Component service user>

  • Authentication in code:

    Authenticate in the application by obtaining the principal and keytab file of the client.

MapReduce Security Authentication Code

Currently, all security authentication is performed through the LoginUtil class.

The FemaleInfoCollector class in the com.huawei.bigdata.mapreduce.examples package of the MapReduce sample project uses test@<System domain name>, user.keytab, and krb5.conf as examples. In actual operations, ensure that the keytab and krb5.conf files of the corresponding account are stored in the conf directory. The secure login method is as follows:

// Kerberos principal of the user that submits the job
public static final String PRINCIPAL = "test@<System domain name>";
// Keytab and krb5.conf are loaded from the classpath (the conf directory)
public static final String KEYTAB = FemaleInfoCollector.class.getClassLoader().getResource("user.keytab").getPath();
public static final String KRB = FemaleInfoCollector.class.getClassLoader().getResource("krb5.conf").getPath();
...
// Security login
LoginUtil.login(PRINCIPAL, KEYTAB, KRB, conf);

  • test: indicates the name of the user created in User Information for Cluster Authentication, for example, developuser.
  • System domain name: Log in to FusionInsight Manager, choose System > Permission > Domain and Mutual Trust, and view the value of Local Domain, which is the current system domain name.
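
The login code above calls getResource(...).getPath() directly, which throws a NullPointerException if user.keytab or krb5.conf is missing from the conf directory and leaves URL escapes such as %20 in the path. The following is an added example, not code from the sample project: KeytabPreflight and its methods are hypothetical names, and it assumes a Linux client with a POSIX file system. It resolves the files safely and refuses a keytab that users other than its owner can access before the path is handed to LoginUtil.login.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;

// Added example: KeytabPreflight is a hypothetical helper, not part of the sample project.
public class KeytabPreflight {

    // Resolve a classpath resource to a filesystem path, failing with a clear message
    // instead of the NullPointerException that getResource(name).getPath() would raise.
    static Path resolve(Class<?> owner, String name) throws Exception {
        URL url = owner.getClassLoader().getResource(name);
        if (url == null) {
            throw new IllegalStateException(name + " not found on the classpath");
        }
        // toURI() decodes escapes such as %20 that URL.getPath() leaves in place.
        return Paths.get(url.toURI());
    }

    // A keytab holds long-term keys: reject any group/others access (POSIX file system assumed).
    static void requireOwnerOnly(Path keytab) throws IOException {
        for (PosixFilePermission p : Files.getPosixFilePermissions(keytab)) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IllegalStateException(keytab + " grants " + p + "; restrict it to its owner (chmod 600)");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for conf/user.keytab so the check runs anywhere.
        Path keytab = Files.createTempFile("user", ".keytab");
        try {
            Files.setPosixFilePermissions(keytab, PosixFilePermissions.fromString("rw-r--r--"));
            try {
                requireOwnerOnly(keytab);
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
            Files.setPosixFilePermissions(keytab, PosixFilePermissions.fromString("rw-------"));
            requireOwnerOnly(keytab);
            System.out.println("accepted: " + keytab);
            // In the sample project: Path kt = resolve(FemaleInfoCollector.class, "user.keytab"); requireOwnerOnly(kt);
        } finally {
            Files.delete(keytab);
        }
    }
}
```

In the application, pass kt.toString() and the resolved krb5.conf path to LoginUtil.login in place of KEYTAB and KRB.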