Kerberos

Kerberos authentication

Scenario 1 HDFS storage

If the hadoop cluster is used, such as the file used to store the result set

# Result set logs and other file paths, used to store the result set files of the Job wds.linkis.filesystem.hdfs.root.path(linkis.properties)
HDFS_USER_ROOT_PATH=hdfs:///tmp/linkis

And kerberos authentication is enabled, corresponding kerberos configuration is required

Modify the corresponding configuration of linkis.properties as follows

#Whether the kerberos authentication mode is enabled
wds.linkis.keytab.enable=true
#keytab places the directory, which stores the files of username.keytab of multiple users
wds.linkis.keytab.file=/appcom/keytab/
#Whether to bring principle client authentication, the default value is false
wds.linkis.keytab.host.enabled=false
#principle authentication needs to bring the client IP
wds.linkis.keytab.host=127.0.0.1

Restart the service after modification

Scenario 2 HDFS storage kerberos proxy authentication

Hadoop2.0 version began to support the ProxyUser mechanism. The meaning is to use the user authentication information of User A to access the hadoop cluster in the name of User B. For the server, it is considered that User B is accessing the cluster at this time, and the corresponding authentication of access requests (including the permissions of the HDFS file system and the permissions of YARN submitting task queues) is performed by User B. User A is considered a superuser.

The main difference from Scenario 1 is that it can solve the problem that each user needs to generate a keytab file. If kerberos proxy authentication is set, the proxy user's keytab file can be used for authentication. Modify the corresponding configuration of linkis.properties as follows

#Whether the kerberos authentication mode is enabled
wds.linkis.keytab.enable=true
#keytab places the directory, which stores the files of username.keytab of multiple users
wds.linkis.keytab.file=/appcom/keytab/
#Whether to bring principle client authentication, the default value is false
wds.linkis.keytab.host.enabled=false
#principle authentication needs to bring the client IP
wds.linkis.keytab.host=127.0.0.1

#Enable kerberos proxy authentication
wds.linkis.keytab.proxyuser.enable=true

#Use superuser to verify user authentication information
wds.linkis.keytab.proxyuser.superuser=hadoop

Restart the service after modification

Scenario 3 Queue manager checks yarn resource information

Will access the REST API interface provided by Yarn to provide ResourceManager If the ResourceManager of yarn has enabled kerberos authentication, you need to configure kerberos-related authentication information

Database table linkis_cg_rm_external_resource_provider Insert yarn data information

INSERT INTO `linkis_cg_rm_external_resource_provider`
(`resource_type`, `name`, `labels`, `config`) VALUES
('Yarn', 'default', NULL,
'
     {
         "rmWebAddress": "http://xx.xx.xx.xx:8088",
         "hadoopVersion": "2.7.2",
         "authorEnable": false,
         "user":"hadoop","pwd":"123456",
         "kerberosEnable":@YARN_KERBEROS_ENABLE,
         "principalName": "@YARN_PRINCIPAL_NAME",
         "keytabPath": "@YARN_KEYTAB_PATH"
         "krb5Path": "@YARN_KRB5_PATH"
     }
'
);

After the update, because the cache is used in the program, if you want to take effect immediately, you need to restart the linkis-cg-linkismanager service

sh sbin/linkis-daemon.sh restart cg-linkismanager

Scenario 4 The hive data source in the data source function

If the hive data source that needs to be connected and the corresponding hive cluster environment has kerberos authentication enabled, you need to upload the kerberos and keytab authentication file information when configuring the cluster environment.